October Vuln of the Month: CVE-2021-38647
CVE-2021-38647 is October’s Vuln of the Month, a remote code execution (RCE) vulnerability in an open-source tool sitting inside Linux systems running on Microsoft Azure. We’re focusing on it this month because many Azure customers running Linux machines likely don’t even know it is often installed and enabled by default.
CVE-2021-38647 impacts Linux systems running the Open Management Infrastructure agent. Our research shows that CVE-2021-38647 meets many of the criteria we look for when judging whether a vulnerability is likely to be exploited, including:
- Access complexity: Low
- Potential attack surface: Limited
- Exploitable remotely: Yes
- Authentication/privilege requirements: None
- Potential impact on availability: Significant
- Exploit code published: Yes
- Active exploits observed: Yes
The Kenna Risk Score for CVE-2021-38647 is 83. Just 1.1% of the more than 156,000 CVEs scored by Kenna have earned a higher risk score. That is certainly critical in our book, and CVSS 3.1’s scoring regimen agrees, assigning a “Critical” score of 9.8 to this vuln. Organizations still relying on CVSS 2.0 will find this vulnerability earns only a “High” score of 7.5, which belies its criticality. (Anyone still using CVSS of any kind should immediately look into switching out simple vulnerability scores for true risk scores.)
Why CVE-2021-38647 matters
While CVE-2021-38647 lacks the massive attack surface of a Windows or Adobe Acrobat vuln, it earned its place as our October Vuln of the Month because of its ghostly characteristics: This vuln exists in an open source management tool called Open Management Infrastructure, or OMI, that is automatically and silently installed on a customer’s virtual machine when they use any of several popular Azure services. Once installed, the OMI agent runs as root, the highest privilege level on the system. (This CVE is one of four OMI vulnerabilities collectively tracked as OMIGOD.) Microsoft supports OMI, and recently posted that “all OMI versions below v1.6.8-1 are vulnerable.”
So CVE-2021-38647 makes thousands of Linux-on-Azure instances potentially vulnerable to remotely executed code, yet many users probably have no idea it even exists because they don’t know their servers are running OMI. And it’s often the software you don’t know you’re running that leaves you especially vulnerable. Talk about ghostly.
What’s more, this vulnerability has been the target of multiple exploits observed in the wild.
Bottom line
If you’re running Linux on Azure and use any number of Azure services, there’s a good chance you have OMI installed and may be vulnerable to RCE attacks. These attacks require no user interaction and no privileges, and exploits have already been observed. CVE-2021-38647 is worth fixing sooner rather than later.
Mitigation status
On Sept. 16, 2021, Microsoft published tips that describe how to determine whether your virtual machines are impacted by CVE-2021-38647, and how to mitigate the affected machines.
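As an added example (not from the original post or from Microsoft’s guidance), the POSIX shell check below reads the installed OMI package version via dpkg or rpm and compares it against the v1.6.8-1 threshold quoted above; the package name `omi` and the dpkg/rpm query formats are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): flag an OMI agent whose
# package version is below the fixed release Microsoft named, v1.6.8-1.
# Assumptions: the package is named "omi" and dpkg or rpm installed it.
FIXED_OMI_VERSION="1.6.8-1"

# Compare two version strings such as 1.6.8-1 field by field, numerically.
# Prints -1, 0 or 1 for a<b, a=b, a>b. A Debian epoch ("1:") is dropped,
# "-" is treated like ".", and a missing trailing field counts as 0.
version_cmp() {
  a=$(printf '%s' "${1#*:}" | tr '-' '.')
  b=$(printf '%s' "${2#*:}" | tr '-' '.')
  while [ -n "$a" ] || [ -n "$b" ]; do
    fa=${a%%.*}; fb=${b%%.*}
    # Keep only the leading digits of each field (drops e.g. "ubuntu1").
    fa=${fa%%[!0-9]*}; fb=${fb%%[!0-9]*}
    fa=${fa:-0}; fb=${fb:-0}
    if [ "$fa" -lt "$fb" ]; then printf '%s\n' -1; return; fi
    if [ "$fa" -gt "$fb" ]; then printf '%s\n' 1; return; fi
    case $a in *.*) a=${a#*.};; *) a=;; esac
    case $b in *.*) b=${b#*.};; *) b=;; esac
  done
  printf '%s\n' 0
}

# True (exit 0) when the given version is older than the fixed release.
omi_is_vulnerable() {
  [ "$(version_cmp "$1" "$FIXED_OMI_VERSION")" -lt 0 ]
}

# Print the installed OMI package version, or nothing if it is not present.
omi_installed_version() {
  if command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f='${Version}' omi 2>/dev/null && return
  fi
  if command -v rpm >/dev/null 2>&1 && rpm -q omi >/dev/null 2>&1; then
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' omi
  fi
}

if v=$(omi_installed_version) && [ -n "$v" ]; then
  if omi_is_vulnerable "$v"; then
    echo "OMI $v is below $FIXED_OMI_VERSION: update the omi package"
  else
    echo "OMI $v is at or above $FIXED_OMI_VERSION"
  fi
else
  echo "No omi package found via dpkg or rpm"
fi
```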
Watch this space for regular Vuln of the Month spotlights, which appear on Exploit Wednesday, the day following Microsoft’s monthly Patch Tuesday patch release. Meanwhile, if you find yourself chasing new and emerging vulns but never quite catching up, learn more about how Kenna Security can help you focus on your highest-risk vulnerabilities, rather than headlines, thanks in part to our vulnerability intelligence powered by machine learning.