Azure OMI Vulnerability OMIGOD (CVE-2021-38647) Now Under Exploitation


Azure users running Linux virtual machines are at risk of compromise unless they upgrade now. A vulnerable piece of management software in the Open Management Infrastructure (OMI) framework can be remotely exploited by attackers, allowing them to escalate to root privileges and execute malicious code remotely.

Azure automatically installs the OMI agent when users set up a Linux VM and enable monitoring or other services. By default, OMI runs with root access – making the system extremely vulnerable and subject to compromise. It typically listens on ports 5986, 5985, and 1270; however, any port can be used.

Incredibly, OMIGOD, discovered by researchers at Wiz, is exploited by simply sending requests without authentication; because OMI runs as root by default, those requests are executed with root privileges.
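As an added defensive illustration (not code from the original article or from Wiz), the check below flags requests that reach the OMI listener ports named above without any credentials, which is exactly the pattern the bypass relies on. The log format is a constructed, simplified access-log style and an assumption; OMI itself does not emit these lines.

```python
# Heuristic detection for unauthenticated requests reaching the OMI listener
# ports named in the article (5986, 5985, 1270). The log format is constructed
# for this example: "<timestamp> <src_ip> -> <dst_port> <METHOD> <path> auth=<yes|no>".
import re
from dataclasses import dataclass

OMI_PORTS = {5986, 5985, 1270}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<port>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+auth=(?P<auth>yes|no)$"
)

@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    port: int
    path: str

def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_unauthenticated_omi_requests(lines):
    """Return a Finding for every request that hit an OMI port with auth=no.
    A request that carries no credentials yet reaches the management endpoint
    is the pattern the text describes, so each one is worth alerting on."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the scan
        port = int(rec["port"])
        if port in OMI_PORTS and rec["auth"] == "no":
            findings.append(Finding(rec["ts"], rec["src"], port, rec["path"]))
    return findings

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    "2021-09-16T10:00:01Z 203.0.113.5 -> 5986 POST /wsman auth=no",
    "2021-09-16T10:00:02Z 198.51.100.7 -> 5986 POST /wsman auth=yes",
    "2021-09-16T10:00:03Z 203.0.113.5 -> 1270 POST /wsman auth=no",
    "2021-09-16T10:00:04Z 192.0.2.9 -> 443 GET /index.html auth=no",
    "garbage line that does not match",
]

if __name__ == "__main__":
    for f in find_unauthenticated_omi_requests(SAMPLE_LOG):
        print(f"ALERT {f.ts} {f.src} -> port {f.port} {f.path} without authentication")
```

Because OMI may be bound to any port, treat the port set as a starting point and extend it with whatever ports your own inventory shows the agent listening on; the real fix remains upgrading OMI.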

Below, our team analyses a real-world attack we have observed that exploits OMIGOD.

Mirai Botnet – Quick off the Mark

There is always a race among botnets to see who can compromise hosts first. Greynoise has reported on
