Full Report
Wiz Research recently discovered a series of alarming vulnerabilities that highlight the supply chain risk of open source code, particularly for customers of cloud computing services.
Analysis Summary
# Vulnerability: OMIGOD (Multiple Vulnerabilities in Open Management Infrastructure - OMI)
## CVE Details
- CVE IDs: CVE-2021-38647, CVE-2021-38648, CVE-2021-38645, CVE-2021-38649
- CVSS Score: 9.8 (CVE-2021-38647), 7.8 (CVE-2021-38648), 7.8 (CVE-2021-38645), 7.0 (CVE-2021-38649) (Critical for the RCE flaw, High for the privilege-escalation flaws)
- CWE: Not explicitly listed; the flaws relate to improper privileged access and execution in the OMI agent.
## Affected Systems
- Products: Open Management Infrastructure (OMI) agent, particularly when deployed via specific Azure services on Linux VMs. Also affects System Center for Linux deployments.
- Versions: OMI versions prior to 1.6.8.1.
- Configurations: Azure Linux VMs using services such as Azure Automation, Azure Automatic Update, Azure Operations Management Suite (OMS), Azure Log Analytics, Azure Configuration Management, Azure Diagnostics, Azure HDInsight, and Azure Container Insights. On-premises OMI installations are also affected.
## Vulnerability Description
The "OMIGOD" vulnerabilities are four zero-day flaws in the widely deployed Open Management Infrastructure (OMI) agent, which is silently installed on Linux VMs when certain Azure services are enabled. CVE-2021-38647 lets an unauthenticated remote attacker execute code as root (remote code execution, RCE); the other three CVEs let an attacker already on the machine escalate privileges to root. OMI is the UNIX/Linux counterpart of WMI: it manages configuration and gathers statistics.
## Exploitation
- Status: Exploited in the wild (actively targeted by DDoS botnets such as Mirai and by cryptominers as of September 17). Working exploit code is evidently in use, given that in-the-wild activity.
- Complexity: Low (implied by the unauthenticated RCE in CVE-2021-38647).
- Attack Vector: Network (the OMI service listens on network ports; see the Workarounds section for the port numbers).
## Impact
- Confidentiality: High (Root access allows full system compromise)
- Integrity: High (Root access allows system modification, including ransomware deployment)
- Availability: High (Root access allows system denial of service or destruction)
## Remediation
### Patches
- The patched version of OMI is **Version 1.6.8.1**.
- Microsoft began rolling out automatic updates for OMI agents installed via Azure services, aiming for completion by September 22, 2021.
- Manual updates are still required for standalone/on-premises installations and potentially for some existing machines onboarded to impacted services where auto-update may not have applied.
### Workarounds
1. **Network Restriction (Immediate Mitigation):** Limit network access to OMI listening ports: **5985, 5986, and 1270**. This specifically protects against the RCE vulnerability (CVE-2021-38647).
2. **Verification:** Customers are urged to follow Microsoft's guidance for manual updates if auto-update cannot be confirmed, or if OMI was not deployed by one of the affected Azure services.
## Detection
- Detection methods focus on identifying the presence and version of the OMI package.
- **Verification Commands (Linux Terminal):**
  - Debian-based systems (e.g., Ubuntu): `dpkg -l omi`
  - RedHat-based systems (e.g., Fedora, CentOS, RHEL): `rpm -qa omi`
- **Interpreting the result:** If a package is listed, check its version: any version below 1.6.8.1 is vulnerable. If nothing is returned, OMI is not installed and the machine is not vulnerable to OMIGOD.
- Wiz customers can use the Threat Center to view findings of vulnerable VM instances.
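The version check above and the port restriction from the Workarounds section can be combined into one host-level exposure check. The following POSIX sh script is an added example written for this page; it is not part of the Wiz report or of Microsoft's tooling. It assumes the package is named `omi` (as in the `dpkg -l omi` / `rpm -qa omi` commands above), reads the installed version with `dpkg-query -W -f='${Version}'` or `rpm -q --qf`, and assumes `ss -ltn` prints the local address:port in its fourth column; the embedded `ss` output is constructed, not captured from a real host. The script compares the version numerically field by field against 1.6.8.1 (so 1.6.10.x is correctly treated as newer) and reports which of ports 5985, 5986 and 1270 currently have a TCP listener, which is exactly the surface a network restriction needs to cover.

```shell
#!/bin/sh
# Added example: a POSIX sh exposure check for OMIGOD on one Linux host.
# Not part of the Wiz report or Microsoft's tooling. It combines the two
# checks the advisory describes: the installed OMI package version (patched
# release 1.6.8.1) and whether anything listens on OMI ports 5985, 5986, 1270.
# Assumptions: the package is named "omi" (as in the advisory's dpkg/rpm
# commands) and `ss -ltn` prints the local address:port in column four.

PATCHED_OMI_VERSION="1.6.8.1"

# version_lt A B: succeed (exit 0) when dotted version A is strictly lower
# than B. Up to four fields are compared numerically, left to right, so
# 1.6.10.0 ranks above 1.6.8.1; a distro suffix such as "-0" is dropped and
# missing fields count as 0.
version_lt() {
    a="${1%%-*}..."; b="${2%%-*}..."   # trailing dots guarantee 4 fields for cut
    i=1
    while [ "$i" -le 4 ]; do
        fa=$(printf '%s\n' "$a" | cut -d. -f"$i" | tr -cd '0-9')
        fb=$(printf '%s\n' "$b" | cut -d. -f"$i" | tr -cd '0-9')
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -lt "$fb" ]; then return 0; fi
        if [ "$fa" -gt "$fb" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1   # versions are equal
}

# omi_verdict VERSION: print "vulnerable", "patched" or "not-installed".
# An empty VERSION means the package manager found no omi package.
omi_verdict() {
    if [ -z "$1" ]; then
        echo "not-installed"
    elif version_lt "$1" "$PATCHED_OMI_VERSION"; then
        echo "vulnerable"
    else
        echo "patched"
    fi
}

# installed_omi_version: ask the package manager, as the advisory's dpkg/rpm
# commands do, and print the bare version (nothing if OMI is absent).
installed_omi_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' omi 2>/dev/null || true
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q omi >/dev/null 2>&1 && rpm -q --qf '%{VERSION}-%{RELEASE}' omi || true
    fi
}

# listening_omi_ports: read `ss -ltn` output on stdin and print each OMI port
# that has a TCP listener. Only the local address:port column is inspected,
# so IPv4 (0.0.0.0:5985), IPv6 ([::]:5985) and wildcard (*:5985) forms all work.
listening_omi_ports() {
    awk 'NR > 1 {
        n = split($4, addr, ":"); port = addr[n]
        if (port == "5985" || port == "5986" || port == "1270") print port
    }'
}

# Constructed sample of `ss -ltn` output (not captured from a real host),
# so the parser can be demonstrated offline.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    *:5986             *:*
LISTEN 0      128    [::]:1270          [::]:*'

# Stand-alone run: demonstrate the parser on the sample, then check this host.
echo "Sample listeners on OMI ports: $(printf '%s\n' "$SAMPLE_SS_OUTPUT" | listening_omi_ports | tr '\n' ' ')"
ver=$(installed_omi_version || true)
echo "OMI package version: ${ver:-<none>} -> $(omi_verdict "$ver")"
if command -v ss >/dev/null 2>&1; then
    echo "Live listeners on OMI ports: $(ss -ltn 2>/dev/null | listening_omi_ports | tr '\n' ' ')"
fi
```

A listener on one of these ports is not by itself proof of a vulnerable agent, and an absent listener does not remove the local privilege-escalation CVEs; treat the package verdict as the authoritative result and the port list as the input for deciding which hosts need the network restriction until the package is at 1.6.8.1.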
## References
- Vendor Advisories: Microsoft MSRC Update Guide (For specific CVEs mentioned).
- Relevant links - defanged:
- MSRC Remediation Guidance: hxxps://msrc.microsoft.com/update-guide/
- Microsoft Additional Guidance on OMI: hxxps://msrc-blog.microsoft.com/2021/09/16/additional-guidance-regarding-omi-vulnerabilities-within-azure-vm-management-extensions/
- Wiz Technical Deep Dive: hxxps://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
- Remediation Checklist: hxxps://www.wiz.io/lp/omigod-checklist