October Vuln of the Month: CVE-2021-38647

Oct 13, 2021
Jerry Gamblin
Director of Security Research at Kenna Security

Share with Your Network

CVE-2021-38647 is October’s Vuln of the Month, a remote code execution (RCE) vulnerability in an open-source tool sitting inside Linux systems running on Microsoft Azure. We’re focusing on it this month because many Azure customers running Linux machines likely don’t even know it is often installed and enabled by default.   

CVE-2021-38647 impacts Linux systems running the Open Management Infrastructure agent. Our research shows that CVE-2021-38647 meets many of the criteria we look for to be exploited, including:

  • Access complexity: Low 
  • Potential attack surface: Limited 
  • Exploitable remotely: Yes 
  • Authentication/privilege requirements: None 
  • Potential impact on availability: Significant 
  • Exploit code published: Yes 
  • Active exploits observed: Yes

The Kenna Risk Score for CVE-2021-38647 is 83. Just 1.1% of the more than 156,000 CVEs scored by Kenna have earned a higher risk score

The Kenna Risk Score for CVE-2021-38647 is 83. Just 1.1% of the more than 156,000 CVEs scored by Kenna have earned a higher risk score. That is certainly critical in our book, and CVSS 3.1’s scoring regimen agrees, assigning a “Critical” score of 9.8 to this vuln. Organizations still relying on CVSS 2.0 will find this vulnerability earns only a “High” score of 7.5–which belies its criticality. (Anyone still using CVSS of any kind should immediately look into switching out simple vulnerability scores for true risk scores.) 

Why CVE-2021-38647 matters

While CVE-2021-38647 lacks the massive attack surface of a Windows or Adobe Acrobat vuln, it earned its place as our October Vuln of the Month because of its ghostly characteristics: This vuln exists in an open source management tool called Open Management Infrastructure, or OMI, that is automatically and silently installed on their Virtual Machine when they run any of several popular Azure services. Once installed, the OMI agent runs as root with the highest privileges. (This CVE is one of four OMI vulnerabilities collectively tracked as OMIGOD.) Microsoft supports OMI, and recently posted that “all OMI versions below v1.6.8-1 are vulnerable.”  

So CVE-2021-38647 makes thousands of Linux-on-Azure instances potentially vulnerable to remotely executed code, yet many users probably have no idea it even exists because they don’t know their servers are running OMI. And it’s often the software you don’t know you’re running that leaves you especially vulnerable. Talk about ghostly. 

What’s more, this vulnerability has been the target of multiple exploits observed in the wild.   

Bottom line

If you’re running Linux on Azure and use any number of Azure services, there’s a good chance you have OMI installed and may be vulnerable to RCE attacks. These attacks require no user interaction and no privileges, and exploits have already been observed. CVE-2021-38647 is worth fixing sooner rather than later. 

Mitigation status

On Sept. 16, 2021, Microsoft published tips that describe how to determine if your virtual machines are impacted by CVE-2021-38647, and how to mitigate them if they are.  

Watch this space for regular Vuln of the Month spotlights, which appear on Exploit Wednesday, the day following Microsoft’s monthly Patch Tuesday patch release. Meanwhile, if you find yourself chasing new and emerging vulns but never quite catching up, learn more about how Kenna Security can help you focus on your highest-risk vulnerabilities, rather than headlines, thanks in part to our vulnerability intelligence powered by machine learning.  

Read the Latest Content

Threat Intelligence

18+ Threat Intel Feeds Power Modern Vulnerability Management

You need lots of threat intelligence feeds to cover all of the threat and vulnerability data categories in the world. Learn about the threat intel feeds...
Trending Vulns

August Vuln of the Month: CVE-2021-30551

CVE-2021-30551, a zero day Type Confusion vulnerability in Chrome meets many of the criteria we look for to be widely exploited.
Trending Vulns

April Vuln of the Month: CVE-2021-21972

CVE-2021-21972 addresses a remote code execution vuln in a plugin. Learn how Kenna is dealing with this threat and how you can protect yourself too.

© 2022 Kenna Security. All Rights Reserved. Privacy Policy.