Linux Servers with OMI Agent Actively Targeted in Campaign Exploiting CVE-2021-38647 RCE


Background

On 14 September 2021, Microsoft released a patch advisory for CVE-2021-38647, a remote code execution (RCE) vulnerability affecting Open Management Infrastructure (OMI), an open-source Linux management agent. The OMI agent is automatically installed on Azure Linux servers that have specific services/tools enabled, such as Azure Automation State Configuration or Azure Desired State Configuration extension. Linux servers that use Microsoft’s on-premises System Center Operations Manager (SCOM) agent also have the OMI agent installed by default.

CVE ID: CVE-2021-38647
CVSS Score V3: 9.8
CVSS Criticality: Critical
Type: Remote Code Execution
Description: Azure Open Management Infrastructure Remote Code Execution Vulnerability

Analysis

CVE-2021-38647

CVE-2021-38647 is a remote code execution vulnerability in Open Management Infrastructure (OMI). A remote, unauthenticated attacker can exploit this flaw by sending a specially crafted request to a vulnerable server over a publicly accessible remote management port (ports 5986, 5985 and 1270). Successful exploitation gives the attacker the ability to execute arbitrary code with root privileges on the vulnerable Linux virtual machine.

According to cloud security company Wiz, Azure Linux Servers using any of the following services/tools will have the OMI agent installed and therefore may be at risk of CVE-2021-38647 exploitation:

  • Azure Automation
  • Azure Automatic Update
  • Azure Operations Management Suite (OMS)
  • Azure Log Analytics
  • Azure Configuration Management
  • Azure Diagnostics
  • Azure Container Insights

Microsoft has stated that Linux servers that make use of System Center Operations Manager (SCOM) for remote management will also have the OMI agent installed by default. SCOM is a cross-platform data center monitoring system for operating systems and hypervisors. It uses a single interface that shows state, health and performance information of computer systems.

Solutions and Recommendations

To fully remediate CVE-2021-38647, we strongly recommend upgrading the OMI agents on each affected Linux server. For a full listing of the patches available and instructions for applying them, see Microsoft’s advisory here: https://msrc-blog.microsoft.com/2021/09/16/additional-guidance-regarding-omi-vulnerabilities-within-azure-vm-management-extensions/
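The check a defender would run on each Linux host to prioritise the upgrade above, as an added example (not code from the Arctic Wolf post or from Microsoft): it reads the installed OMI package version, compares it with a patched version you supply, and reports which of the advisory's OMI ports (5986, 5985, 1270) are listening. FIXED_VERSION is a placeholder to be set from Microsoft's advisory; `listening_omi_ports` takes `ss -ltn` output as an argument so it also works on captured output.

```shell
#!/bin/sh
# Added audit helper (not from the Arctic Wolf post or Microsoft). Reports the
# installed OMI package version and which advisory ports (5986, 5985, 1270) are
# listening. FIXED_VERSION is a placeholder: set it from Microsoft's advisory.
OMI_PORTS="5986 5985 1270"
FIXED_VERSION="${FIXED_VERSION:-0.0.0}"   # placeholder value
# Installed OMI version from dpkg or rpm; prints nothing if OMI is absent.
omi_installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}' omi 2>/dev/null || true
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q omi >/dev/null 2>&1 && rpm -q --qf '%{VERSION}-%{RELEASE}' omi || true
    fi
    return 0
}

# version_lt A B: succeeds when version A is older than B (dots and dashes split fields).
version_lt() {
    a=$(printf '%s.' "$1" | sed 's/-/./g'); b=$(printf '%s.' "$2" | sed 's/-/./g'); i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 1       # every field equal
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        i=$((i + 1))
    done
}

# listening_omi_ports SS_OUTPUT: prints the advisory ports found as local
# listening ports in `ss -ltn` output (live output or a captured sample).
listening_omi_ports() {
    for p in $OMI_PORTS; do
        printf '%s\n' "$1" | grep -Eq ":$p([[:space:]]|$)" && printf '%s ' "$p"
    done
    return 0
}
# Host report: exit status 2 when an unpatched OMI is listening on an advisory port.
report_omi_status() {
    installed=$(omi_installed_version)
    [ -n "$installed" ] || { echo "OMI agent not installed"; return 0; }
    ports=$(listening_omi_ports "$(ss -ltn 2>/dev/null || true)")
    echo "OMI $installed (fixed: $FIXED_VERSION); listening OMI ports: ${ports:-none}"
    if version_lt "$installed" "$FIXED_VERSION" && [ -n "$ports" ]; then
        echo "VULNERABLE: upgrade the OMI agent"; return 2
    fi
    return 0
}
if [ "${1:-}" = "--report" ]; then report_omi_status; fi
```

Run it as `FIXED_VERSION=<patched version from the advisory> sh omi_audit.sh --report` on each host; a non-zero exit status of 2 flags hosts to upgrade first.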


Adrian Korn


Adrian Korn is a seasoned cyber security professional with 7+ years' experience in cyber threat intelligence, threat detection, and security operations. He currently serves as the Manager of Threat Intelligence Research at Arctic Wolf Labs. Adrian has been a guest speaker on intelligence related topics at numerous conferences around the world, including DEF CON's Recon Village, Hackfest, and the Australian OSINT Symposium.