{Updated on January 25, 2022}: A proof-of-concept to exploit the unauthenticated RCE flaw (CVE-2021-38647) has been released on GitHub. We urge Azure users to ensure that their systems are up-to-date.
“Thousands of Azure users and millions of endpoints are impacted by ‘OMIGOD’ zero-days,” was the initial outburst when the open-source vulnerabilities were disclosed. Many Azure customers are unwittingly putting themselves in danger.
On September 16, Microsoft released a patch for four vulnerabilities in Open Management Infrastructure (OMI), an open-source Common Information Model (CIM) management server for Unix and Linux systems that lets users manage installations and collect statistics across remote and local environments.
The identified serious vulnerabilities (CVE-2021-38647, CVE-2021-38648, CVE-2021-38645, and CVE-2021-38649) in Microsoft Open Management Infrastructure (OMI) allow an attacker to escalate privileges and run arbitrary code on the compromised machine.
Proof-of-Concept: Simple to Execute
The significant unauthenticated remote code execution vulnerability has already produced a slew of proofs-of-concept. Most alarming is that threat actors quickly imitated these attempts, and CVE-2021-38647 has recently been observed being extensively exploited via botnet operations. We found eight hits from a basic search of the CVE on GitHub.
The OMIGOD vulnerability is triggered by automated “on-by-default” Azure agent installations on Linux Virtual Machines (VMs), which bring numerous vulnerabilities into your environment. An attacker can accomplish Remote Code Execution (RCE) by creating and transmitting a packet over HTTPS to a port on which OMI is listening. This attack is characterized as being exceptionally simple to carry out, as an attacker simply has to eliminate the packet’s authentication header.
- By exploiting these vulnerabilities, an attacker can gain up to root access on a remote system.
- Simple port scans are enough to locate vulnerable devices on port 5986. This may be done over the open Internet or from within the Azure network, which includes linked VNETs and on-premises networks.
- The attacker then launches an attack to exploit the OMIGOD vulnerabilities.
Open Doors to Mirai Botnet
According to researchers, some of these exploitation attacks are being carried out by the Mirai botnet, targeting Azure Linux OMI endpoints vulnerable to the CVE-2021-38647 RCE vulnerability. As part of this new Mirai campaign, attackers are deploying a version of the Mirai Distributed Denial of Service botnet.
Affected Products
All versions of Microsoft Open Management Infrastructure (OMI) prior to v1.6.8.1 are vulnerable. The following is the breakdown of the affected products.
- Azure Stack Hub
- Azure Sentinel
- Azure Security Center
- Container Monitoring Solution
- Log Analytics Agent
- Azure Automation Update Management
- Azure Automation State Configuration, DSC Extension
- System Center Operations Manager (SCOM)
- Azure Diagnostics (LAD)
- Azure Open Management Infrastructure
Here is the mapping of vulnerable modules or extensions to associated agents:

Module/Extension | Affected Version | Fixed Version
---|---|---
OMI | 1.6.8.0 and below | 1.6.8-1 and above
DSC Agent | 2.71.X.XX and below | 2.7.1.25 and above
DSC Agent | 2.70.X.XX and below | 2.70.0.30 and above
DSC Agent | 3.0.0.1 | 3.0.0.3
DSC Agent | 2.0.0.0 | See above versions
OMS Agent for Linux GA | 1.13.35 and below | 1.13.40-0
LAD Agent | 4.0.0 through 4.0.5 | 4.0.11
LAD Agent | 3.0.131 and below | 3.0.133
In addition, Microsoft users are advised to update vulnerable extensions in their cloud and on-premises deployments with the available patches.
Vulnerability Details
CVE-2021-38647: Remote Code Execution at More Risk
Of the four OMIGOD vulnerabilities, CVE-2021-38647, a remote code execution flaw, is the most severe.
- This vulnerability arises as a result of a simple coding error in a conditional statement, along with an uninitialized authentication struct.
- The bug allows any request that lacks an Authorization header to gain root user access.
- If your Linux system in Azure has port 5986, 5985, or 1270 externally accessible, you should upgrade it as soon as possible.
- This vulnerability has a CVSS base score of 9.8 and is classified as “Critical.”
- According to Google search interest spanning from September to October, this RCE vulnerability was trending as a top search in countries such as the United Kingdom, United States, Netherlands, India, Japan, Spain, and China.
On September 17, 2021, Cyber Infrastructure Security Agency (CISA) issued an alert urging Azure customers to apply the necessary patches.
Privilege Escalation Capabilities
- Three elevation of privilege vulnerabilities in OMI are CVE-2021-38645, CVE-2021-38648, and CVE-2021-38649.
- The three privilege escalation CVEs are classified as high severity with a CVSS score of 7.8.
- All these CVEs are categorized under CWE-269 (Improper Privilege Management), which holds the twenty-ninth place in the 2021 CWE Top 25 Most Dangerous Software Weaknesses.
Popular scanners such as Nessus, Qualys, and Nexpose can detect these vulnerabilities under the plugin IDs below.

CVE | Nessus | Qualys | Nexpose
---|---|---|---
CVE-2021-38647 | 153486 153475 153474 | 730204 375860 | microsoft-azure-omi-cve-2021-38647
CVE-2021-38648 | 153475 153474 | 375860 | microsoft-azure-omi-cve-2021-38648
CVE-2021-38645 | 153475 153474 | 375860 | microsoft-azure-omi-cve-2021-38645
CVE-2021-38649 | 153475 153474 | 375860 | microsoft-azure-omi-cve-2021-38649
Patch Urgently and Avoid the Aftermath!
Microsoft released a patch for OMI (v1.6.8.1) to prevent these vulnerabilities from being exploited. This patch must be installed manually due to procedural issues.
We have observed a number of active exploitation attempts so far, ranging from simple host enumeration (using the uname, id, and ps commands) to attempts to install a cryptocurrency miner or transfer files. Taking this into account, we recommend applying the patches immediately and restricting access to the OMI listening ports 5985, 5986, and 1270.
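The two checks recommended above (OMI patch level and listener exposure), as an added example that is not from Microsoft or the original article. The function names and the sample `ss -ltn` output are constructed for illustration; the fixed version and port numbers are the ones stated in this article.

```shell
#!/bin/sh
# Added example: OMI patch-level and listener-exposure triage.
FIXED="1.6.8.1"   # fixed OMI version per the article (also written 1.6.8-1)

# omi_is_patched VERSION: exit 0 if VERSION >= FIXED, else 1.
# '-' and '.' are treated alike, so 1.6.8-1 and 1.6.8.1 compare equal.
omi_is_patched() {
    echo "$1 $FIXED" | sed 's/-/./g' | awk '{
        n = split($1, a, "."); m = split($2, b, ".")
        max = (n > m) ? n : m
        for (i = 1; i <= max; i++) {
            x = (i <= n) ? a[i] + 0 : 0   # missing components count as 0
            y = (i <= m) ? b[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# exposed_omi_ports: read `ss -ltn` output on stdin and print the OMI ports
# (5985, 5986, 1270) that listen on a non-loopback address.
exposed_omi_ports() {
    awk '$1 == "LISTEN" {
        addr = $4; port = $4
        sub(/.*:/, "", port)         # keep text after the last colon
        sub(/:[^:]*$/, "", addr)     # keep text before the last colon
        if (port !~ /^(5985|5986|1270)$/) next
        if (addr ~ /^127\./ || addr == "[::1]") next
        print port
    }' | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:5986       0.0.0.0:*
LISTEN 0      128    127.0.0.1:5985     0.0.0.0:*
LISTEN 0      128    [::]:1270          [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

for v in 1.6.8.0 1.6.8-1 1.6.9-0; do
    if omi_is_patched "$v"; then echo "OMI $v: patched"
    else echo "OMI $v: VULNERABLE"; fi
done
echo "Exposed OMI ports: $(printf '%s\n' "$SAMPLE_SS" | exposed_omi_ports)"
```

On a host, pipe `ss -ltn` into `exposed_omi_ports` and pass the installed package version (for example from `dpkg -l omi` or `rpm -q omi`) to `omi_is_patched`.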