Azure OMI - Remote Code Execution (OMIGOD - CVE-2021-38647)
- Severity
- CVSSv3 Score
- 9.8
- Vulnerability description
The Azure server is affected by a Remote Code Execution vulnerability in the Open Management Infrastructure (OMI) software agent that comes preconfigured on Linux VMs deployed on Azure. The root cause is a conditional-statement coding mistake combined with an uninitialized authentication struct, so that any request sent without an Authorization header is treated as having administrative privileges. This allows an unauthenticated attacker to execute arbitrary code on the server.
- Risk description
The risk exists that a remote, unauthenticated attacker can fully compromise the Azure server in order to steal confidential information, install ransomware or pivot to the internal network.
- Exploit capabilities
Sniper can gain unauthenticated Remote Code Execution on the target system and extract multiple artefacts as evidence.
- Recommendation
Upgrade the OMI package to version 1.6.8-1 or higher.
- References
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647
https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
- Codename
- OMIGOD
- Detectable with
- Network Scanner
- Exploitable with Sniper
- Yes
- Vuln date
- Sep 2021
- Published at
- Updated at
- Software Type
- Azure
- Vendor
- Microsoft
- Product
- Open Management Interface (OMI)