DIVD-2021-00026 - Omigod: Microsoft Open Management Interface RCE

Our reference DIVD-2021-00026
Case lead Frank Breedijk
Author Célistine Oosting
Researcher(s)
CVE(s)
Product Microsoft Open Management Infrastructure (OMI)
Versions <1.13.40-0
Recommendation Upgrade to OMI version 1.13.40-0 or later and disable the OMI service
Patch status patch available
Status Closed
Last modified 12 Aug 2022 11:21 CEST

Summary

Microsoft’s Open Management Interface (OMI) for Linux servers can be installed standalone but is mostly shipped, installed, and activated with Azure services such as LogAnalytics, Microsoft SystemCenter and potentially with more software and services. OMI had a critical vulnerability that made it possible to bypass authentication and thus execute code remotely. We have tried to scan for this vulnerability. However, the number of internet-facing OMI instances is relatively low and none of them seemed vulnerable to OMIGOD.

What you can do

We recommend that you update your Linux servers running Microsoft Open Management Interface (OMI) to version 1.13.40-0 or later, as the specific vulnerability was patched in this version. Additionally, we recommend that you disable the OMI service if you are not actively using it.
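The check below is an added example and not part of the DIVD case file or Microsoft's tooling. It reads the installed OMI package version from dpkg or rpm and compares it field by field against the fixed version 1.13.40-0 named above, so that the result does not depend on a GNU-only `sort -V`. The package name "omi" and the systemd unit name "omid" are assumptions, as is the observation that Debian packages write the release as a fourth dotted field (1.13.40.0), which the comparator treats the same as 1.13.40-0.

```shell
#!/bin/sh
# Added example (not from the DIVD case file): is the installed OMI older than
# the version in which CVE-2021-38647 was fixed?
# Assumptions not stated on the page: the package is named "omi" in dpkg/rpm,
# the daemon's systemd unit is "omid".

FIXED_VERSION="1.13.40-0"

# Compare two versions numerically, field by field, splitting on '.' and '-'.
# Prints -1 when $1 < $2, 0 when equal, 1 when $1 > $2. Missing or
# non-numeric fields count as 0, so "1.13.40.0" equals "1.13.40-0".
version_cmp() {
    a=$(printf '%s' "$1" | tr '-' '.')
    b=$(printf '%s' "$2" | tr '-' '.')
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; [ "$ai" = "$a" ] && a="" || a=${a#*.}
        bi=${b%%.*}; [ "$bi" = "$b" ] && b="" || b=${b#*.}
        case "$ai" in ''|*[!0-9]*) ai=0;; esac
        case "$bi" in ''|*[!0-9]*) bi=0;; esac
        if [ "$ai" -lt "$bi" ]; then echo -1; return; fi
        if [ "$ai" -gt "$bi" ]; then echo 1; return; fi
    done
    echo 0
}

# True (exit 0) when the given version is below the fixed version.
omi_version_is_vulnerable() {
    [ -n "$1" ] && [ "$(version_cmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Installed version from the package manager; empty when OMI is not installed.
installed_omi_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' omi 2>/dev/null || true
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q omi >/dev/null 2>&1 && rpm -q --qf '%{VERSION}-%{RELEASE}' omi || true
    fi
}

main() {
    v=$(installed_omi_version)
    if [ -z "$v" ]; then
        echo "OMI package not found; nothing to do"
        return 0
    fi
    if omi_version_is_vulnerable "$v"; then
        echo "OMI $v is older than $FIXED_VERSION: upgrade required"
        return 2
    fi
    echo "OMI $v is at or above $FIXED_VERSION"
    # The advisory also recommends turning the service off when it is not in
    # use; the unit name is an assumption, so this line is left for the
    # operator to run deliberately:
    #   systemctl disable --now omid
    return 0
}

main "$@"
```

Run it as root on each Linux host that has ever had the Log Analytics or System Center agents installed; an exit status of 2 marks a host that still needs the upgrade.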

What we are doing

We have tried scanning for vulnerable servers running Microsoft Open Management Interface (OMI). We found that:

We have discussed and confirmed these conclusions with the researchers from Wiz; nonetheless, we still think that OMIGOD is a significant security risk. It offers attackers substantial opportunity to move laterally and escalate privileges once they have compromised a host in the network. Also, companies may be running this service without their explicit knowledge, because it’s installed by default when using certain Azure services, even on hosts not running inside the Azure cloud platform. However, due to the limited internet exposure of OMI servers, we cannot work on this case any longer.

Timeline

Date Description
14 Sep 2021 CVE-2021-38647 Reported by researchers from Wiz.
15 Sep 2021 DIVD CSIRT starts scanning for OMIGOD
16 Sep 2021 CVE-2021-38647 patched by Microsoft
24 Nov 2021 Casefile written and case closed

More information