Background
On 14 September 2021, Microsoft released a patch advisory for CVE-2021-38647, a remote code execution (RCE) vulnerability affecting Open Management Infrastructure (OMI), an open-source Linux management agent. The OMI agent is automatically installed on Azure Linux servers that have specific services/tools enabled, such as Azure Automation State Configuration or Azure Desired State Configuration extension. Linux servers that use Microsoft’s on-premises System Center Operations Manager (SCOM) agent also have the OMI agent installed by default.
| CVE ID | CVSS Score V3 | CVSS Criticality | Type | Description |
| --- | --- | --- | --- | --- |
| CVE-2021-38647 | 9.8 | Critical | Remote Code Execution | Azure Open Management Infrastructure Remote Code Execution Vulnerability |
Analysis
CVE-2021-38647
CVE-2021-38647 is a remote code execution vulnerability in Open Management Infrastructure (OMI). A remote, unauthenticated attacker can exploit this flaw by sending a specially crafted request to a vulnerable server over a publicly accessible remote management port (5986, 5985 or 1270). Successful exploitation gives the attacker the ability to execute arbitrary code with root privileges on the vulnerable Linux virtual machine.
According to cloud security company Wiz, Azure Linux Servers using any of the following services/tools will have the OMI agent installed and therefore may be at risk of CVE-2021-38647 exploitation:
- Azure Automation
- Azure Automatic Update
- Azure Operations Management Suite (OMS)
- Azure Log Analytics
- Azure Configuration Management
- Azure Diagnostics
- Azure Container Insights
Microsoft has stated that Linux servers that make use of System Center Operations Manager (SCOM) for remote management will also have the OMI agent installed by default. SCOM is a cross-platform data center monitoring system for operating systems and hypervisors. It uses a single interface that shows state, health and performance information of computer systems.
Solutions and Recommendations
To fully remediate CVE-2021-38647, we strongly recommend upgrading the OMI agents on each affected Linux server. For a full listing of the patches available and instructions for applying them, see Microsoft’s advisory here: https://msrc-blog.microsoft.com/2021/09/16/additional-guidance-regarding-omi-vulnerabilities-within-azure-vm-management-extensions/
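A host triage script a defender can run on a Linux server, added here as an example and not part of this advisory or of Microsoft's tooling: it reports which of the OMI management ports named above listen on a non-loopback address and compares the installed OMI package version with the patched version, which must be supplied in the OMI_FIXED_VERSION environment variable from Microsoft's advisory (the package name "omi" and the dotted version format are assumptions).

```shell
#!/bin/sh
# Added triage helper, not part of the advisory: reports OMI management ports
# (5985, 5986, 1270) listening on a non-loopback address and whether the installed
# OMI package is older than the patched release given in OMI_FIXED_VERSION
# (an assumption: take that value from Microsoft's advisory).

# Print "older" if dotted version $1 is lower than $2, else "ok"; a "-N" suffix is ignored.
omi_version_status() {
    inst="${1%%-*}"; fixed="${2%%-*}"
    while [ -n "$inst" ] || [ -n "$fixed" ]; do
        i="${inst%%.*}"; f="${fixed%%.*}"
        case "$inst" in *.*) inst="${inst#*.}";; *) inst="";; esac
        case "$fixed" in *.*) fixed="${fixed#*.}";; *) fixed="";; esac
        if [ "${i:-0}" -lt "${f:-0}" ]; then echo older; return 0; fi
        if [ "${i:-0}" -gt "${f:-0}" ]; then echo ok; return 0; fi
    done
    echo ok
}

# Read `ss -Hltn` output on stdin; print OMI ports bound to a non-loopback address.
exposed_omi_ports() {
    awk '{ n = split($4, a, ":"); port = a[n]
           addr = substr($4, 1, length($4) - length(port) - 1)
           if ((port == "5985" || port == "5986" || port == "1270") &&
               addr != "127.0.0.1" && addr != "[::1]") print port }' |
    sort -u | tr '\n' ' ' | sed 's/ $//'
}
# Installed OMI version from the package manager (package name "omi" is an assumption).
installed_omi_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' omi 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q omi >/dev/null 2>&1 && rpm -q --qf '%{VERSION}-%{RELEASE}' omi
    fi
}
# Constructed sample of `ss -Hltn` output so the script also runs offline.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:5986 0.0.0.0:*
LISTEN 0 128 [::]:1270 [::]:*
LISTEN 0 128 127.0.0.1:5985 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

echo "Exposed OMI ports (sample data): $(printf '%s\n' "$SAMPLE_SS" | exposed_omi_ports)"
if command -v ss >/dev/null 2>&1; then
    echo "Exposed OMI ports (this host): $(ss -Hltn 2>/dev/null | exposed_omi_ports)"
fi
v=$(installed_omi_version) || v=""
if [ -z "$v" ]; then echo "OMI package not installed"
elif [ -z "$OMI_FIXED_VERSION" ]; then echo "OMI $v installed; set OMI_FIXED_VERSION to compare"
else echo "OMI $v: $(omi_version_status "$v" "$OMI_FIXED_VERSION")"; fi
```

A port reported as exposed should be restricted to the management network or closed until the agent is upgraded; the version check only tells you whether the upgrade has landed.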
References
- Microsoft Advisory on CVE-2021-38647
- Microsoft Advisory on OMI Vulnerabilities in Azure
- Wiz Research Blog on OMI Vulnerabilities