Mirai Botnet Starts Exploiting OMIGOD Flaw as Microsoft Issues More Guidance

Microsoft on Thursday published additional guidance on addressing recently disclosed vulnerabilities in the Open Management Infrastructure (OMI) framework, along with new protections to resolve the bugs within affected Azure Virtual Machine (VM) management extensions.

Microsoft’s guidance was published just as researchers noticed that one of the vulnerabilities is already being exploited in the wild. It appears that the Mirai botnet is attempting to compromise vulnerable systems and that it also closes port 5896 (OMI SSL port) to keep other attackers out.

An open-source Web-Based Enterprise Management (WBEM) implementation, OMI allows for the management of Linux and UNIX systems and is used in various Azure services and Azure Virtual Machine (VM) management extensions.

As part of the September 2021 patches, Microsoft addressed four issues in OMI, one critical bug leading to unauthenticated remote code execution and three high-severity flaws allowing an attacker to elevate privileges. The issues were identified by security researchers with Wiz, which named the RCE defect OMIGOD.

The OMIGOD vulnerability, officially tracked as CVE-2021-38647, is the one reportedly exploited by the Mirai botnet.

According to Microsoft, OMIGOD “only impacts customers using a Linux management solution (on-premises SCOM or Azure Automation State Configuration or Azure Desired State Configuration extension) that enables remote OMI management.”

Microsoft has released additional protections for the affected extensions and encourages customers to update them for both cloud and on-premises deployments. Where automatic updates are enabled, the patches should become globally available by September 18, without a reboot. Otherwise, manually updating the affected components is required.

Affected extensions include System Center Operations Manager (SCOM), Azure Automation State Configuration (DSC Extension), Azure Automation State Configuration (DSC Extension), Log Analytics Agent, Azure Diagnostics (LAD), Azure Automation Update Management, Azure Automation, Azure Security Center, and Container Monitoring Solution.

OMI as a standalone package was patched in August and customers are advised to manually update it to version 1.6.8-1 or above to remain protected.

“New VM’s in these regions will be protected from these vulnerabilities post the availability of updated extensions,” Microsoft says.

The tech giant also notes that VMs deployed within a Network Security Group (NSG) or protected by a perimeter firewall, where access to Linux systems that expose the OMI ports is restricted, should be safe from the RCE flaw.

Azure customers running Linux VMs are advised to apply the available patches as soon as possible, especially since a proof-of-concept (PoC) exploit targeting the flaws is already publicly available.

Related: Severe Vulnerabilities Could Expose Thousands of Azure Users to Attacks

Related: Patch Tuesday: Microsoft Plugs Exploited MSHTML Zero-Day Hole

view counter

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire:

Don't forget to share

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *