CVE-2021-38649
published 2021-09-15

CVE-2021-38649: Open Management Infrastructure Elevation of Privilege Vulnerability

Priority: P1 / 80 / high
CVSS 3.1: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
KEV, ITW
CISA Known Exploited Vulnerability, due 2021-11-17
Exploited in the wild
EPSS: 1.90% (77.0th percentile)

Affected

20 ranges
Vendor    | Product                                            | Version range                                        | Fixed in
microsoft | azure_automation_update_management                 | >= 1.0.0 < OMS Agent for Linux GA v1.13.40-0         | OMS Agent for Linux GA v1.13.40-0
microsoft | azure_diagnostics                                  | >= 3.0.0 < LAD v4.0.13 and LAD v3.0.135              | LAD v4.0.13 and LAD v3.0.135
microsoft | azure_security_center                              | >= 1.0.0 < OMS Agent for Linux GA v1.13.40-0         | OMS Agent for Linux GA v1.13.40-0
microsoft | azure_sentinel                                     | >= 1.0.0 < OMS Agent for Linux GA v1.13.40-0         | OMS Agent for Linux GA v1.13.40-0
microsoft | azure_stack_hub                                    | >= 1.0.0 < Monitor, Update and Config Mgmnt 1.14.01  | Monitor, Update and Config Mgmnt 1.14.01
microsoft | azure_stack_hub                                    | >= 1.0.0 < 3.1.135                                   | 3.1.135
microsoft | container_monitoring_solution                      | >= 1.0.0 < publication                               | publication
microsoft | log_analytics_agent                                | >= 1.0.0 < OMS Agent for Linux GA v1.13.40-0         | OMS Agent for Linux GA v1.13.40-0
microsoft | open_management_infrastructure                     | >= 16.0 < OMI Version 1.6.8-1                        | OMI Version 1.6.8-1
microsoft | system_center_operations_manager                   | >= 1.0.0 < OMI version: 1.6.8-1                      | OMI version: 1.6.8-1
msrc      | azure_automation_state_configuration_dsc_extension |                                                      |
msrc      | azure_automation_update_management                 |                                                      |
msrc      | azure_diagnostics                                  |                                                      |
msrc      | azure_security_center                              |                                                      |
msrc      | azure_sentinel                                     |                                                      |
msrc      | azure_stack_hub                                    |                                                      |
msrc      | container_monitoring_solution                      |                                                      |
msrc      | log_analytics_agent                                |                                                      |
msrc      | open_management_infrastructure                     |                                                      |
msrc      | system_center_operations_manager                   |                                                      |

Detection & IOCs (extracted from sources)

port: 5986
port: 5985
port: 1270
process: omiserver
process: omiengine
path: /opt/omi/bin/omicli
snort: SID 58169
  • CVE-2021-38649 is a local privilege escalation in OMI exploited by intercepting omicli-to-omiengine UNIX socket communication, omitting the authentication handshake, and reissuing a command execution request — the command executes as root (uid=0, gid=0) due to an uninitialized AuthInfo struct.
  • Alert on OMI processes (omiserver, omiengine) spawning unexpected child processes as uid=0/gid=0, especially when initiated by low-privileged users — this is the hallmark of OMIGOD privilege escalation exploitation.
  • Monitor for active exploitation of OMIGOD by DDoS botnets (Mirai) and cryptominers targeting Azure Linux VMs; coin miner installation is a confirmed post-exploitation indicator.
  • Use Talos Snort SID 58169 to detect exploitation attempts against the OMIGOD vulnerability set including CVE-2021-38649.
  • CVE-2021-38649 is a local privilege escalation only; remote exploitation requires ports 5986/5985/1270 to be exposed, which is NOT the default for most Azure services using OMI (e.g. Log Analytics). The LPE path is via the local UNIX socket.
  • Affected OMI versions are 1.6.8.0 and below; fixed version is 1.6.8-1 and above. Patching occurs through the parent Azure service that installed OMI, not directly — customers must verify their environment is running the patched version.
  • Microsoft's initial remediation guidance was ineffective — Azure Linux machines were not configured to the repository where the fixed OMI version was located. Customers should verify the fix was actually applied.
  • The vulnerability patch commit was silently pushed to the public OMI GitHub repo on August 12, 2021 — over a month before official disclosure — meaning threat actors could have developed exploits from the patch diff before customers had any notification.
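As an added illustration of the detection bullet above (alert on omiserver/omiengine spawning root children on behalf of low-privileged users), the following Python is example code written here, not taken from the page's sources; the key=value record format, its field names and the EXPECTED_CHILDREN allowlist are assumptions to be tuned per environment.

```python
# Added example (not from the page): flag OMI-spawned root children in
# constructed key=value process-creation records. Field names are assumptions.
from typing import Dict, List, Tuple

OMI_PARENTS = {"omiserver", "omiengine"}
EXPECTED_CHILDREN = {"omiagent"}  # assumption: tune to what OMI launches on your hosts
AUID_UNSET = 4294967295  # Linux audit loginuid value meaning "no login session"

# Constructed sample records, loosely modelled on audit-style key=value lines.
SAMPLE_EVENTS = """\
ts=2021-09-16T10:00:01Z parent=omiengine child=sh uid=0 gid=0 auid=1000
ts=2021-09-16T10:00:02Z parent=omiserver child=omiagent uid=0 gid=0 auid=4294967295
ts=2021-09-16T10:00:03Z parent=sshd child=bash uid=1000 gid=1000 auid=1000
ts=2021-09-16T10:00:04Z parent=omiengine child=curl uid=0 gid=0 auid=4294967295
"""

def parse_event(line: str) -> Dict[str, str]:
    """Split 'k=v k=v ...' into a dict (values carry no spaces in this format)."""
    return dict(tok.split("=", 1) for tok in line.split())

def classify(ev: Dict[str, str]) -> str:
    """Return 'none', 'medium' or 'high' for one process-creation record."""
    if ev.get("parent") not in OMI_PARENTS or ev.get("child") in EXPECTED_CHILDREN:
        return "none"
    if ev.get("uid") != "0" or ev.get("gid") != "0":
        return "none"  # not a root child; outside the OMIGOD LPE pattern
    auid = int(ev.get("auid", AUID_UNSET))
    if auid not in (0, AUID_UNSET):
        # Root child attributed to an unprivileged login session: the hallmark.
        return "high"
    # Root child with no attributable session (daemon context or a request that
    # arrived over an exposed 5985/5986/1270 listener): lower confidence.
    return "medium"

def scan(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (ts, parent, child, severity) for every record not rated 'none'."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        sev = classify(ev)
        if sev != "none":
            hits.append((ev["ts"], ev["parent"], ev["child"], sev))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(*hit)
```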

CVSS provenance

nvd v3.1: 7.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
nvd v2.0: 4.6 MEDIUM (AV:L/AC:L/Au:N/C:P/I:P/A:P)
vulncheck: 7.0 HIGH
cisa: 7.8 HIGH
vendor_msrc: 7.0 HIGH