Azure OMI - Remote Code Execution (CVE-2021-38647)

Name: Azure OMI - Remote Code Execution (CVE-2021-38647)
Published: 2021-09-21T00:00:00.000Z

Severity
CVE: CVE-2021-38647
CVSSv3 Score: 9.8
Exploitable with Sniper: Yes
Vulnerability description: Azure server is affected by a Remote Code Execution in the Open Management Infrastructure (OMI) software agent that is preconfigured in the Linux VM deployed on Azure. The root cause of this vulnerability consists in a conditional statement coding mistake and an uninitialized authentication struct, so that any request made without the Authorization header will have administrative privileges. This allows an unauthenticated malicious attacker to execute arbitrary code on the server.
Exploit capabilities: Sniper can gain unauthenticated Remote Code Execution on the target system and extract multiple artefacts as evidence.
Risk description: The risk exists that a remote unauthenticated attacker can fully compromise the Azure Server in order to steal confidential information, install ransomware or pivot to the internal network.
Recommendation: Upgrade the OMI package to a version equal or higher than 1.6.8-1.
References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647
https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
Detectable with: Network Scanner
Vuln date: Sep 2021
Published at: Sep 2021
Updated at: Sep 2021
Software Type: Azure
Vendor: Microsoft
Product: Open Management Interface (OMI)
Codename: OMIGOD