CVE-2021-38647 (OMIGOD): Critical Flaw Leaves Azure Linux VMs Vulnerable to Remote Code Execution

Agents installed by default on Azure Linux virtual machines are vulnerable to a remote code execution flaw that can be exploited with a single request.

Background

On September 14, researchers at Wiz disclosed a set of four vulnerabilities in Microsoft’s Open Management Infrastructure (OMI), an open source Common Information Model (CIM) management server used for managing Unix and Linux systems.

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on September 17 and reflects VPR at that time.

The flaws, which are collectively referred to as “OMIGOD,” are found within OMI agents that are installed on Microsoft’s Azure Linux virtual machines (VMs) by default. These agents can be found across a number of Azure-based services, including:

• Azure Automation
• Azure Automatic Update
• Azure Operations Management Suite (Azure Monitor)
• Azure Log Analytics
• Azure Configuration Management
• Azure Diagnostics
• Azure Container Insights

The researchers at Wiz note that this may not be a complete list and there may be other Azure services that utilize OMI. Because the OMI agents are installed by default, Linux VMs are at an increased risk for potential compromise, especially if they have exposed ports to the internet.

Analysis

CVE-2021-38647 is a remote code execution vulnerability in OMI. An unauthenticated, remote attacker can exploit this flaw by sending a specially crafted request to a vulnerable over a publicly accessible remote management port (ports 5986, 5985 and 1270). Successful exploitation would grant an attacker the ability to execute arbitrary code with root privileges on the vulnerable Linux VM. This particular vulnerability was assigned a CVSSv3 score of 9.8 and it is extremely simple to exploit. The specially crafted request needs to be sent without an Authorization header. As a result, this vulnerability is the most severe out of the four flaws encompassing OMIGOD.

CVE-2021-38645, CVE-2021-38648 and CVE-2021-38649 are three elevation of privilege vulnerabilities in OMI. Researchers at Wiz say that CVE-2021-38648 is “remarkably similar” to CVE-2021-38647 in that the exploitation process is nearly the same. Despite the similarities, Wiz researchers say that the root cause analysis differs from CVE-2021-38647.

For a full breakdown of the vulnerabilities, please refer to the blog post from Wiz.

Exploitation attempts for CVE-2021-38647 detected in the wild

Within just a few days of disclosure, there are reports that attackers are actively scanning for and exploiting CVE-2021-38647.

According to security researcher Kevin Beaumont, one of his test boxes was compromised and a cryptocurrency miner (coin miner) was installed by attackers.

Lol, my OMIGOD test box is now running a coin miner. It’s officially a vuln now, we should retire CVEs and go for Doge numbers.

— Kevin Beaumont (@GossiTheDog) September 16, 2021

Andrew Morris, founder and CEO of GreyNoise Intelligence, tweeted that his firm has observed around ~80 IP addresses “opportunistically exploiting” CVE-2021-38647 across the internet.

The Azure "OHMIGOD" vulnerability (CVE-2021-38647) is increasing a good bit. ~10 IPs opportunistically exploiting the vuln across the internet this morning, ~80 now. Tags available to all GN users and customers now.

GNQL:

cve:CVE-2021-38647https://t.co/sbdxJxzrEd pic.twitter.com/7dyU213Pl1

— Andrew Morris (@Andrew___Morris) September 16, 2021

Threat researcher Germán Fernández tweeted that the Mirai botnet is “launching a massive attack” attempting to exploit CVE-2021-38647.

Clarity surrounding number of publicly exposed hosts

On September 16, Derek Abdine, the chief technical officer at Censys, published a blog post about the impact of OMIGOD. There have been reports that over two million hosts may be exposed and potentially vulnerable. Abdine reports that while the number might seem daunting, the devil is in the details. Some of the ports that OMI runs on include those with Windows Remote Management (WinRM). After performing more targeted scans, Abdine reports that they’ve identified 56 publicly exposed hosts, with the majority of them residing within Azure. Censys mentions that some of the affected hosts are associated with a major health organization and two major entertainment companies.

Proof of concept

At the time this blog post was published, there were at least three GitHub repositories containing proof-of-concept exploit scripts for CVE-2021-38647.

Vendor Response

Microsoft published a blog post on September 16 providing additional guidance on the OMI vulnerabilities.

Solution

To address these vulnerabilities, Microsoft released updates to OMI on August 11. However, the flaws were not publicly disclosed until this month’s Patch Tuesday release.

Microsoft says that CVE-2021-38647 only affects those customers using “a Linux management solution” that enables the remote management of OMI, which includes:

• On-premises System Center Operations Manager (SCOM)
• Azure Automation State Configuration
• Azure Desired State Configuration Extension (DSC Extension)

The following is a mapping of vulnerable services/extensions to their associated agents:

Below is a table of affected and fixed versions for the modules/extensions as defined by Microsoft in their most recent blog post.

For the remaining agents, Microsoft says that they will provide automatic updates for cloud deployments if they are enabled. If automatic updates are disabled, users are encouraged to follow the manual update instructions in the table below. For on-premises deployments, please follow the manual update instructions once the fixed versions are available.

To manually update to the patched version of OMI, organizations and individuals are instructed to add the Microsoft repository for OMI to their system before using the local package manager to upgrade, which is dependent upon which distribution of Linux is in use.

For the Azure Container Monitoring Solution, Microsoft has released an updated Docker image with the following SHA256 ID:

12b7682d8f9a2f67752bf121029e315abcae89bc0c34a0e05f07baec72280707

If your Container Monitoring Solution Docker image has a different SHA256 ID, it is considered vulnerable.

Identifying affected systems

A local detection plugin for the Microsoft Open Management Infrastructure has been released. A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Tenable Research is investigating a direct check plugin as well. Once it is available, we will update this blog post.

Get more information

• Wiz Blog on OMIGOD Vulnerabilities
• Microsoft Blog on Additional Guidance for OMI Vulnerabilities
• GitHub Repository Search for CVE-2021-38647

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.