{"id":7489,"date":"2021-11-12T19:18:45","date_gmt":"2021-11-13T02:18:45","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7489"},"modified":"2023-04-05T12:37:36","modified_gmt":"2023-04-05T19:37:36","slug":"patch-urgently-microsoft-omigod-vulnerabilities-are-under-active-exploitation","status":"publish","type":"post","link":"https:\/\/10.42.32.162\/articles\/patch-urgently-microsoft-omigod-vulnerabilities-are-under-active-exploitation\/","title":{"rendered":"Patch Urgently – Microsoft OMIGOD Vulnerabilities Are Under Active Exploitation!"},"content":{"rendered":"

{Updated on January 25, 2022}: <\/strong>A proof-of-concept to exploit the unauthenticated RCE flaw (CVE-2021-38647<\/a>) has been released into GitHub<\/a>. We urge Azure users to ensure that their systems are up-to-date.<\/p>\n

\n

Thousands of Azure users and millions of endpoints are impacted by \u2018OMIGOD\u2019 zero-days,\u201d was the initial outburst when the open-source vulnerabilities were disclosed. Many Azure customers are unwittingly putting themselves in danger.<\/p>\n<\/blockquote>\n

 <\/p>\n

On September 16, Microsoft released a patch for four vulnerabilities in Open Management Infrastructure (OMI)<\/a>, an open-source Common Information Model (CIM) management server used to manage Unix and Linux systems that allow users to manage installations and collect statistics across remote and local environments.<\/p>\n

 <\/p>\n

The identified serious vulnerabilities (CVE-2021-38647<\/a>, CVE-2021-38648<\/a>, CVE-2021-38645<\/a>, and CVE-2021-38649<\/a>) in Microsoft Open Management Infrastructure (OMI) allow an attacker to escalate privileges and run arbitrary code on the compromised machine.<\/p>\n

\"\"<\/p>\n

Proof-of-Concept: Simple to Execute<\/h2>\n

The significant unauthenticated, remote code execution vulnerability has already produced a slew of proofs-of-concept. Most alarming is that threat actors had quickly imitated the attempts, and CVE-2021-38647 has recently been observed being extensively exploited via botnet operations. We found eight hits from a basic search of the CVE on Github.<\/p>\n

<\/p>\n

The OMIGOD vulnerability is triggered by automated “on-by-default” Azure agent installations on Linux Virtual Machines (VMs), which brings numerous vulnerabilities into your environment. An attacker can accomplish Remote Code Execution (RCE) by creating and transmitting a packet through HTTPS to a port listening for OMI. This attack is characterized as being exceptionally simple to carry out, as an attacker simply has to eliminate the packet’s authentication header.<\/p>\n

 <\/p>\n