CVE-2021-38647: Open Management Infrastructure Remote Code Execution Vulnerability

Overview

Severity
Critical (CVSS 9.8)
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Category
Remote Code Execution
Exploit Status
Not Exploited
Exploitation Likelihood
Less Likely
Patch Tuesday
2021-Sep
Released
2021-09-14
Last Updated
2021-09-20
EPSS Score
94.36% (percentile: 100.0%)
CISA KEV
Listed — due 2021-11-17

FAQ

Update 9/16/2021: Where can I find more information about how to know if I'm protected and what steps can be taken to be protected? Please see Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions for more information. What is OMI? Open Management Infrastructure (OMI) is an open source project to further the development of a production quality implementation of the DMTF CIM/WBEM standards. The OMI CIMOM is also designed to be portable and highly modular. In order to attain its small footprint, it is coded in C, which also makes it a much more viable CIM Object Manager for embedded systems and other infrastructure components that have memory constraints for their management processor. OMI is also designed to be inherently portable. It builds and runs today on most UNIX® systems and Linux. In addition to OMI's small footprint, it also demonstrates very high performance. Refer this link for more details : GitHub - microsoft/omi: Open Management Infrastructure How do I protect myself from this vulnerability? Please see Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions for more information. The updates for this vulnerability were published on GitHub on August 11, 2021. Why is Microsoft just now releasing a CVE? The fix to address this vulnerability in open-source code was made available on August 11 to provide partners who depend on this software time to implement the updates before we released the details of the vulnerability. How does this vulnerability manifest itself? Some Azure products, such as Configuration Management, expose an HTTP/S port listening to OMI (typically port 5986 ). This configuration where the HTTP/S listener is enabled could allow remote code execution. It is important to mention that most Azure services that use OMI deploy it without exposing the HTTP/S port. How can an attacker exploit the vulnerability? An attacker could send a specially crafted message via HTTPS to por

Known Exploits (8)

  • Microsoft Open Management Infrastructure (OMI) Remote Code Execution Vulnerability — added 2021-09-26T18:06:00Z
  • Microsoft Open Management Infrastructure (OMI) Remote Code Execution Vulnerability — added 2021-09-24T10:53:52Z
  • Microsoft Open Management Infrastructure (OMI) Remote Code Execution Vulnerability — added 2021-09-20T16:29:48Z
  • Microsoft Open Management Infrastructure (OMI) Remote Code Execution Vulnerability — added 2021-09-19T15:43:32Z
  • Microsoft Open Management Infrastructure (OMI) Remote Code Execution Vulnerability — added 2021-09-18T15:25:18Z
  • Microsoft Open Management Infrastructure (OMI) Remote Code Execution Vulnerability — added 2021-09-16T08:33:02Z
  • Microsoft Open Management Infrastructure (OMI) Remote Code Execution Vulnerability — added 2021-09-16T02:11:36Z
  • Microsoft Open Management Infrastructure (OMI) Remote Code Execution Vulnerability — added 2021-09-15T21:44:30Z

Detection & Weaponization (5 sources)

Maturity: Detection

  • Metasploit modules: Microsoft OMI Management Interface Authentication Bypass
  • Nuclei templates: Microsoft Open Management Infrastructure - Remote Code Execution
  • Sigma rules: OMIGOD HTTP No Authentication RCE - CVE-2021-38647
  • YARA rules: SIGNATURE_BASE_VULN_LNX_OMI_RCE_CVE_2021_386471_Sep21
  • GitHub PoC: 12 repositories

Affected Products (10)

Azure

  • Open Management Infrastructure
  • Azure Automation State Configuration, DSC Extension
  • Azure Automation Update Management
  • Log Analytics Agent
  • Azure Diagnostics (LAD)
  • Container Monitoring Solution
  • Azure Security Center
  • Azure Sentinel
  • Azure Stack Hub

System Center

  • System Center Operations Manager (SCOM)

Security Updates (1)

Acknowledgments

<a href="https://twitter.com/shirtamari">Shir Tamari</a> with <a href="https://wiz.io">Wiz.io</a>, <a href="https://twitter.com/nirohfeld">Nir Ohfeld</a> with <a href="https://wiz.io">Wiz.io</a>

Revision History

  • 2021-09-14: Information published.
  • 2021-09-16: The following revisions have been made: 1) Additional affected products added to the Security Updates table. 2) FAQ updated to provide link to more information about protecting resources. See Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions for more information.
  • 2021-09-17: The following revisions have been made: 1) In the Security Updates table, additional affected products have been added. 2) Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions has been updated with further information about identifying VMs that are affected by this vulnerability.
  • 2021-09-20: The following revisions have been made in the Security Updates table: 1) Updated version number of Azure Diagnostics (LAD) 2) Added information for new updates available for Azure Stack Hub.