{"id":3219,"date":"2021-09-20T10:58:58","date_gmt":"2021-09-20T10:58:58","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=3219"},"modified":"2026-06-08T23:01:40","modified_gmt":"2026-06-08T23:01:40","slug":"omigod-azure-critical-vulnerabilities","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/omigod-azure-critical-vulnerabilities\/","title":{"rendered":"OMIGOD: critical vulnerabilities in Azure cloud services"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">In recent weeks, Microsoft identified four critical vulnerabilities affecting the infrastructure management tool <strong>OMI<\/strong>, deployed on machines provisioned through <strong>Azure<\/strong>. These vulnerabilities permit remote code execution with administrative privileges.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/09\/omigod.gif\" alt=\"\" class=\"wp-image-3228\" loading=\"lazy\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">OMI software and discovered vulnerabilities<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>OMI (Open Management Infrastructure)<\/strong> is an open-source project sponsored by Microsoft in collaboration with <strong>The Open Group<\/strong>. The tool, developed to run on Unix systems, implements the <strong>CIM (Common Information Model)<\/strong> standard for managing system components and associated information. OMI enables collection of statistical data and synchronization of configurations across multiple environments. For this reason, the tool is utilized by several <strong>Azure<\/strong> services, including <strong>Open Management Suite (OMS)<\/strong>, <strong>Azure Insights<\/strong>, and <strong>Azure Automation<\/strong>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The OMI agent is deployed automatically and without user awareness during the creation of Linux virtual machines to which remote management and monitoring services are added. The services involving deployment of the tool by Azure are:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Azure Automation<\/li><li>Azure Automatic Update<\/li><li>Azure Operations Management Suite (OMS)<\/li><li>Azure Log Analytics<\/li><li>Azure Configuration Management<\/li><li>Azure Diagnostics<\/li><li>Azure Container Insights<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">OMI can also be installed independently and is frequently present on <strong>on-premise<\/strong> systems.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The four discovered vulnerabilities were grouped by the research team at <strong>Wiz<\/strong> under the identifier <strong>OMIGOD<\/strong> and are as follows:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>CVE-2021-38647 \u2013 Unauthenticated RCE with root privileges<\/li><li>CVE-2021-38648 \u2013 Privilege Escalation<\/li><li>CVE-2021-38645 \u2013 Privilege Escalation<\/li><li>CVE-2021-38649 \u2013 Privilege Escalation<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Remediation measures<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft has released an updated version of OMI (version <strong>1.6.8.1<\/strong>) that includes patches for the aforementioned vulnerabilities. To reduce attack surface, we recommend restricting access to ports 5985, 5986, and 1270 if exposed on the network by OMI. Organizations managing heterogeneous infrastructure should prioritize inventory and patching of OMI instances through a <a href=\"https:\/\/fortgale.com\/en\/cybersecurity-advisory\/\">Cybersecurity Advisory<\/a> process to ensure comprehensive coverage across Azure and on-premise deployments.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>OMIGOD vulnerability set in Azure Open Management Infrastructure (OMI): unauthenticated RCE, automatic agent installation and remediation guidance for Azure tenants.<\/p>\n","protected":false},"author":1,"featured_media":3232,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[1637,3267,3266,1639,1493,3268],"class_list":["post-3219","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-azure-it","tag-cloud-vulnerability","tag-omi","tag-omigod-it","tag-remote-command-execution-it","tag-unauthenticated-rce"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3219","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=3219"}],"version-history":[{"count":2,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3219\/revisions"}],"predecessor-version":[{"id":9895,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3219\/revisions\/9895"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=3219"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=3219"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=3219"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}