OMIGOD: Azure Users Warned of Critical OMI Vulnerabilities

Security researchers share the details of four flaws in Open Management Infrastructure, which is deployed on a large number of Linux virtual machines in Azure.

Microsoft this week patched four vulnerabilities in Open Management Infrastructure (OMI), a widely used but little-known software agent embedded in many commonly used Azure services.
The Wiz Research Team discovered these flaws, which include remote code execution bug
CVE-2021-38647
and privilege escalation vulnerabilities
CVE-2021-38648
,
CVE-2021-38645
, and
CVE-2021-38649
. Most large organizations using Azure are affected by the flaws, which the team has collectively dubbed OMIGOD.
Open source OMI is the UNIX/Linux equivalent of Windows Management Instrumentation (WMI) and is deployed on many Linux virtual machines in Azure, enabling users to manage configurations across remote and local environments and collect statistics. Its extensively used in many Azure services, though organizations using OMI often dont know its there – and may not know they need to patch it now.
Users usually have no clue about OMI, says Wiz research lead Shir Tamari. When we started this research, we asked people if they were familiar with OMI … no one knows what it is.
When an organization sets up a Linux virtual machine (VM) in its cloud and enables any of these services, OMI is silently installed on its VM and runs at the highest privilege. There is no clear documentation in Azure on how OMI is deployed, monitored, and updated,
researchers note
.
These vulnerabilities affect several different services within Azure that silently use OMI, such as Azure Automation, Azure Automatic Update, Azure Operations Management Suite, Azure Log Analytics, Azure Configuration Management, and Azure Diagnostics. The team notes this is only a partial list and encourages readers to contact them if they know of more services using OMI.
We conservatively estimate that thousands of Azure customers and millions of endpoints are affected, the Wiz researchers wrote in a
blog post on their findings
. In a small sample of Azure tenants we analyzed, over 65% were unknowingly at risk.
The flaw that stands out most is CVE-2021-38647, a textbook RCE vulnerability that could allow an attacker to become root on a remote machine with a single packet by removing the authentication header. Remote takeover is possible when OMI exposes the HTTPS management port externally (5986/5985/1270). This is the default configuration when installed standalone and in Azure Configuration Management or System Center Operations Manager (SCOM).
Thanks to the combination of a simple conditional statement coding mistake and an uninitialized authentication struct, any request without an Authorization header has its privileges default to
uid
=0,
gid
=0, which is root, the research team wrote.
Tamari calls the vulnerability, which has a CVSS 3.0 score of 9.8, very simple to exploit – like, ridiculously easy to exploit, and notes the team has already seen reports across social media from people who have exploited it. He worries that vulnerable targets could be compromised within the next few days, though he notes if a user has a firewall enabled, its impossible for anyone on the Internet to connect to a vulnerable machine and communicate with the OMI.
OMI is updated through the Azure service that installed it, Wiz researchers say. They urge users to verify their environment is patched and that theyre running the latest version of OMI, 1.6.8.1. Wiz also warns that System Center deployments of OMI are at higher risk because the Linux agents have been deprecated; users may need to manually update the OMI agent.
While OMI itself has been updated, it seems the Azure services still need an update. Wiz researchers provided an update as of Sept. 15, 10 a.m. EST, noting that affected Azure services have not yet been fixed, and they still deploy vulnerable OMIs when service are enabled on new machines.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
OMIGOD: Azure Users Warned of Critical OMI Vulnerabilities