
Mirai Botnet Starts Exploiting OMIGOD Flaw as Microsoft Issues More Guidance

Microsoft on Thursday published additional guidance on addressing recently disclosed vulnerabilities in the Open Management Infrastructure (OMI) framework, along with new protections to resolve the bugs within affected Azure Virtual Machine (VM) management extensions.


Microsoft’s guidance was published just as researchers noticed that one of the vulnerabilities is already being exploited in the wild. It appears that a Mirai variant is attempting to compromise vulnerable systems and, once it has a foothold, closes port 5986 (the OMI HTTPS/WS-Management port) to keep other attackers out.

An open-source Web-Based Enterprise Management (WBEM) implementation, OMI allows for the management of Linux and UNIX systems and is used in various Azure services and Azure Virtual Machine (VM) management extensions.

As part of the September 2021 patches, Microsoft addressed four issues in OMI, one critical bug leading to unauthenticated remote code execution and three high-severity flaws allowing an attacker to elevate privileges. The issues were identified by security researchers with Wiz, which named the RCE defect OMIGOD.

The OMIGOD vulnerability, officially tracked as CVE-2021-38647, is the one reportedly exploited by the Mirai botnet.

According to Microsoft, OMIGOD “only impacts customers using a Linux management solution (on-premises SCOM or Azure Automation State Configuration or Azure Desired State Configuration extension) that enables remote OMI management.”

Microsoft has released additional protections for the affected extensions and encourages customers to update them for both cloud and on-premises deployments. Where automatic updates are enabled, the patches should become globally available by September 18, without a reboot. Otherwise, manually updating the affected components is required.

Affected extensions and services include System Center Operations Manager (SCOM), Azure Automation State Configuration (DSC Extension), Log Analytics Agent, Azure Diagnostics (LAD), Azure Automation Update Management, Azure Automation, Azure Security Center, and Container Monitoring Solution.

OMI as a standalone package was patched in August and customers are advised to manually update it to version 1.6.8-1 or above to remain protected.

“New VMs in these regions will be protected from these vulnerabilities post the availability of updated extensions,” Microsoft says.

The tech giant also notes that VMs deployed within a Network Security Group (NSG) or behind a perimeter firewall, where network access to the OMI ports (5985 for HTTP and 5986 for HTTPS) on Linux systems is restricted, should be safe from the RCE flaw. Note that this only mitigates the unauthenticated RCE; the privilege escalation flaws are still reachable by a local user until OMI itself is updated.
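The two checks above, the installed OMI version against the 1.6.8-1 fixed build and whether the OMI ports are reachable from the network, are easy to get wrong by eye. The following POSIX shell script is an added example, not code from the article, from Microsoft or from the OMI project. It assumes the package is registered as "omi" with dpkg or rpm (the .deb reports the build as 1.6.8.1 and the .rpm as 1.6.8-1, so both separators are normalised), and that `ss -tln` is available to list listening sockets; the sample socket listings are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article, Microsoft or the OMI project):
# check a Linux host for an OMI build below the 1.6.8-1 fix for
# CVE-2021-38647 and for OMI ports 5985/5986 exposed beyond loopback.

FIXED_OMI_VERSION="1.6.8-1"

# omi_version_lt A B -> exit 0 if version A sorts before version B.
# Versions are split on '.' and '-' so that "1.6.8.1" (dpkg form) and
# "1.6.8-1" (rpm form) compare as equal.
omi_version_lt() {
    a=$(printf '%s' "$1" | tr '.-' '  ')
    b=$(printf '%s' "$2" | tr '.-' '  ')
    set -- $a
    a1=${1:-0}; a2=${2:-0}; a3=${3:-0}; a4=${4:-0}
    set -- $b
    b1=${1:-0}; b2=${2:-0}; b3=${3:-0}; b4=${4:-0}
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3" "$a4 $b4"; do
        set -- $pair
        [ "$1" -lt "$2" ] && return 0
        [ "$1" -gt "$2" ] && return 1
    done
    return 1   # equal
}

# omi_vulnerable VERSION -> exit 0 if VERSION is below the fixed build.
omi_vulnerable() {
    omi_version_lt "$1" "$FIXED_OMI_VERSION"
}

# omi_ports_exposed LISTING -> exit 0 if LISTING (output of "ss -tln")
# shows 5985 or 5986 bound to anything other than a loopback address.
omi_ports_exposed() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            n = split($4, parts, ":"); port = parts[n]
            host = $4; sub(":" port "$", "", host)
            if ((port == 5985 || port == 5986) &&
                host != "127.0.0.1" && host != "[::1]") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample listings (not captured from a real host).
SAMPLE_SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    [::]:5986           [::]:*'
SAMPLE_SS_LOOPBACK='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:5985      0.0.0.0:*'

# Run both checks against this host. The package name "omi" is an
# assumption about the environment, not a fact from the article.
omi_check_host() {
    ver=$(dpkg-query -W -f='${Version}' omi 2>/dev/null \
        || rpm -q --qf '%{VERSION}-%{RELEASE}' omi 2>/dev/null || true)
    if [ -z "$ver" ]; then
        echo "OMI package not installed"
        return 0
    fi
    if omi_vulnerable "$ver"; then
        echo "OMI $ver is below $FIXED_OMI_VERSION: vulnerable to CVE-2021-38647, update it"
    else
        echo "OMI $ver is at or above $FIXED_OMI_VERSION"
    fi
    if omi_ports_exposed "$(ss -tln 2>/dev/null)"; then
        echo "OMI port 5985/5986 is listening on a non-loopback address; restrict it with an NSG or firewall"
    fi
}

# Usage: sh omi_check.sh --run
case "${1:-}" in
    --run) omi_check_host ;;
esac
```

The exposure check deliberately treats `0.0.0.0`, `*` and `[::]` as exposed, since a socket bound to the wildcard address is reachable from every interface the NSG or firewall lets through; a host that only binds OMI to loopback is not reachable by the Mirai scanner even without a network rule.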

Azure customers running Linux VMs are advised to apply the available patches as soon as possible, especially since a proof-of-concept (PoC) exploit targeting the flaws is already publicly available.

Related: Severe Vulnerabilities Could Expose Thousands of Azure Users to Attacks

Related: Patch Tuesday: Microsoft Plugs Exploited MSHTML Zero-Day Hole

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
