Microsoft released patches for a remote code execution vulnerability in the Open Management Infrastructure (OMI) framework this month, and attackers are increasingly exploiting it.
The critical vulnerability, dubbed OMIGOD and tracked as CVE-2021-38647, affects Linux virtual machines on Azure, where the OMI agent is installed when certain Azure management extensions are enabled. In addition to the fixes shipped with the September 2021 Patch Tuesday updates, Microsoft last week published further mitigations for this bug and for three elevation-of-privilege vulnerabilities in OMI.
Microsoft says that Azure customers with automatic updates enabled will receive the required fixes within days, while those without automatic updates will need to update their installations manually. Other Linux systems running Azure, SCOM or OMS agents are also vulnerable, according to Pwndefend.
However, security researcher Kevin Beaumont warns that newly created deployments were still being provisioned with a vulnerable OMI version, and that the tech giant's patch delivery has not been as straightforward as expected.
Unsurprisingly, less than a week after the vulnerability was made public on September 14 (Microsoft had already pushed the fix to the OMI source code on GitHub on August 12), attacks against CVE-2021-38647 are intensifying.
This is what typically happens when critical, high-impact security flaws are disclosed, but the situation looks especially dire in this case because exploitation is trivial: no authentication bypass has to be engineered, because the server accepts requests that carry no credentials at all.
Sophos explains, “Rather than guessing a valid authentication token to include in a fraudulent OMI web request, you simply omit any mention of the authentication token and you’re in.”
The good news is that far fewer vulnerable instances are exposed to the Internet than has been the case for comparable flaws in recent years. According to Censys, there are 101 potentially vulnerable exposed services worldwide, among them a major health entity and two major entertainment organizations.
Censys notes that the small footprint is partly due to nuances in how the OMI service responds to scans, and that exposing OMI to the Internet is likely to require deliberate effort on the operator's part.
Researchers monitoring the activity surrounding OMIGOD have detected an increase in the number of exploit attempts targeting the vulnerability.
Microsoft has also observed this behavior, which it describes as ranging from host enumeration to attacks designed to install cryptocurrency miners or other forms of malware. According to reports, cybercriminals have exploited the vulnerability to install a Mirai variant.
"While the majority of attackers are targeting port 5986, port 1270 is also under attack. Due to the availability of easily adaptable proof-of-concept exploits and the volume of reconnaissance-type attacks, we anticipate an increase in effects-type attacks," the company says.
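For readers who have to do the manual update described above, and who want to know whether a host is listening on the ports named in Microsoft's statement, the following script is an added example written for this article; it is not code from Microsoft, Censys or the OMI project. It assumes the fixed OMI release is 1.6.8-1 (the version Microsoft's advisory points to), that the package is named `omi` in dpkg or rpm, and that OMI's default listeners are on 5985 (HTTP, assumed from OMI's documented defaults), 5986 (HTTPS) and 1270. The `ss -ltnH` line in the demo block is constructed sample output so the script can be run offline.

```shell
#!/bin/sh
# Added example, not from the article: report whether this host carries an
# OMI package older than the fixed release and whether OMI's listening
# ports are open. Version 1.6.8-1 and the port list are assumptions taken
# from Microsoft's advisory and OMI's defaults; adjust if your vendor differs.

OMI_FIXED_VERSION="1.6.8-1"

# omi_version_lt A B: exit 0 if version A is older than version B.
# Versions look like 1.6.8-1 (rpm) or 1.6.8.1 (deb); split on both
# '.' and '-' and compare the numeric fields left to right.
omi_version_lt() {
    printf '%s\n%s\n' "$1" "$2" | awk -F'[.-]' '
        NR == 1 { for (i = 1; i <= NF; i++) a[i] = $i; na = NF }
        NR == 2 { for (i = 1; i <= NF; i++) b[i] = $i; nb = NF }
        END {
            n = (na > nb) ? na : nb
            for (i = 1; i <= n; i++) {
                x = (i <= na) ? a[i] + 0 : 0
                y = (i <= nb) ? b[i] + 0 : 0
                if (x < y) exit 0
                if (x > y) exit 1
            }
            exit 1
        }'
}

# omi_installed_version: print the installed omi package version, or
# nothing if the package is absent. Tries dpkg first, then rpm.
omi_installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}\n' omi 2>/dev/null && return 0
    fi
    if command -v rpm >/dev/null 2>&1 && rpm -q omi >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' omi
    fi
}

# omi_exposed_ports: read `ss -ltnH` style lines on stdin and print any
# OMI port (5985, 5986, 1270) that is in LISTEN state, one per line.
# The local address is field 4, e.g. "*:5986" or "[::]:5986".
omi_exposed_ports() {
    awk '$1 == "LISTEN" {
            n = split($4, f, ":"); p = f[n]
            if (p == 5985 || p == 5986 || p == 1270) print p
         }' | sort -un
}

# omi_status VERSION: classify a version string against the fixed release.
omi_status() {
    if [ -z "$1" ]; then
        echo "not-installed"
    elif omi_version_lt "$1" "$OMI_FIXED_VERSION"; then
        echo "vulnerable"
    else
        echo "patched"
    fi
}

main() {
    v=$(omi_installed_version)
    echo "omi package version: ${v:-<none>} -> $(omi_status "$v")"
    if command -v ss >/dev/null 2>&1; then
        ports=$(ss -ltnH 2>/dev/null | omi_exposed_ports)
        echo "OMI ports listening: ${ports:-none}"
    fi
}

main
```

On a patched Debian-family host the package reports 1.6.8.1, which the field-wise comparison treats as equal to 1.6.8-1, so it is classified as patched; anything below that is reported as vulnerable. A listening 5985/5986/1270 on a host is not proof of Internet exposure, but combined with an old version it is the combination the attackers described above are hunting for.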