Cybercrime

Mirai Botnet Starts Exploiting OMIGOD Flaw as Microsoft Issues More Guidance

Microsoft on Thursday published additional guidance on addressing recently disclosed vulnerabilities in the Open Management Infrastructure (OMI) framework, along with new protections to resolve the bugs within affected Azure Virtual Machine (VM) management extensions.

Microsoft’s guidance was published just as researchers noticed that one of the vulnerabilities is already being exploited in the wild. It appears that the Mirai botnet is attempting to compromise vulnerable systems and that it also closes port 5896 (OMI SSL port) to keep other attackers out.

An open-source Web-Based Enterprise Management (WBEM) implementation, OMI allows for the management of Linux and UNIX systems and is used in various Azure services and Azure Virtual Machine (VM) management extensions.

As part of the September 2021 patches, Microsoft addressed four issues in OMI: one critical bug leading to unauthenticated remote code execution and three high-severity flaws allowing an attacker to elevate privileges. The issues were identified by security researchers with Wiz, which named the RCE defect OMIGOD.

The OMIGOD vulnerability, officially tracked as CVE-2021-38647, is the one reportedly exploited by the Mirai botnet.

According to Microsoft, OMIGOD “only impacts customers using a Linux management solution (on-premises SCOM or Azure Automation State Configuration or Azure Desired State Configuration extension) that enables remote OMI management.”

Microsoft has released additional protections for the affected extensions and encourages customers to update them for both cloud and on-premises deployments. Where automatic updates are enabled, the patches should become globally available by September 18, without a reboot. Otherwise, manually updating the affected components is required.

Affected extensions include System Center Operations Manager (SCOM), Azure Automation State Configuration (DSC Extension), Log Analytics Agent, Azure Diagnostics (LAD), Azure Automation Update Management, Azure Automation, Azure Security Center, and Container Monitoring Solution.

OMI as a standalone package was patched in August and customers are advised to manually update it to version 1.6.8-1 or above to remain protected.
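As an added example (not from the article or from Microsoft), the following POSIX shell check reads the installed OMI package version and decides whether it meets the 1.6.8-1 baseline cited above. The dpkg and rpm queries are an assumption about how the standalone OMI package is installed; the version-string format (major.minor.patch-release) is also assumed.

```shell
#!/bin/sh
# Added example: verify that the standalone OMI package is at or above the
# patched baseline named in the article (1.6.8-1 or later).
PATCHED_OMI="1.6.8-1"

# Return 0 when version $1 is >= PATCHED_OMI, 1 otherwise.
# sort -V gives natural ordering, so 1.6.10-1 correctly sorts above 1.6.8-1.
# A dpkg epoch prefix such as "1:" is stripped before comparing (assumption).
omi_is_patched() {
    ver=$(printf '%s' "$1" | sed 's/^[0-9]*://')
    [ -n "$ver" ] || return 1
    lowest=$(printf '%s\n%s\n' "$ver" "$PATCHED_OMI" | sort -V | head -n 1)
    # If the baseline sorts first (or both are equal), the installed version is new enough.
    [ "$lowest" = "$PATCHED_OMI" ]
}

# Read the installed OMI version from whichever package manager is present.
# Prints nothing when OMI is not installed (assumed package name: omi).
installed_omi_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' omi 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}' omi 2>/dev/null
    fi
}

# Report the host's status; exit 2 when OMI is present but below the baseline.
check_host_omi() {
    v=$(installed_omi_version)
    if [ -z "$v" ]; then
        echo "OMI package not installed"
        return 0
    fi
    if omi_is_patched "$v"; then
        echo "OMI $v: at or above $PATCHED_OMI"
        return 0
    fi
    echo "OMI $v: BELOW $PATCHED_OMI, update required"
    return 2
}
```

Run `check_host_omi` on a Linux VM that carries the OMI package; a non-zero exit marks a host still on a vulnerable version.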

“New VM’s in these regions will be protected from these vulnerabilities post the availability of updated extensions,” Microsoft says.

The tech giant also notes that VMs deployed within a Network Security Group (NSG) or protected by a perimeter firewall, where access to Linux systems that expose the OMI ports is restricted, should be safe from the RCE flaw.

Azure customers running Linux VMs are advised to apply the available patches as soon as possible, especially since a proof-of-concept (PoC) exploit targeting the flaws is already publicly available.

Related: Severe Vulnerabilities Could Expose Thousands of Azure Users to Attacks

Related: Patch Tuesday: Microsoft Plugs Exploited MSHTML Zero-Day Hole

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
