
Mirai Botnet Actively Exploiting OMIGOD Flaw

Researchers Say OMIGOD Vulnerability Can Give Attackers Root Privileges

The Mirai botnet is actively exploiting the known critical vulnerability CVE-2021-38647, one of a quartet of vulnerabilities dubbed OMIGOD in Microsoft's Azure Linux Open Management Infrastructure framework, according to Kevin Beaumont, head of the security operations center for Arcadia Group.

"Mirai botnet is exploiting #OMIGOD - they drop a version of Mirai DDoS botnet and then close 5896 (OMI SSL port) from the internet to stop other people exploiting the same box," Beaumont tweeted Friday.


Microsoft patched CVE-2021-38647 on Tuesday, but Beaumont notes there are 15,700 Azure servers vulnerable.

"Shodan search to find these (they always use port + cloudapp certificate)," he tweeted. "There are 15,700 online with no auth RCE including with US Gov and such in hostnames, this looks like a big problem waiting as you land behind vNets."

Microsoft issued additional guidance on this vulnerability on Thursday and recommends the patch be applied immediately.

The Mirai botnet gained notoriety in 2016 when the malware was used to disrupt DNS provider Dyn and to attack closed-circuit TV cameras, primarily in Vietnam, Brazil, the United States, China and Mexico (see: Botnet Army of 'Up to 100,000' IoT Devices Disrupted).

The Danger

The ubiquitous but little-known software agent called Open Management Infrastructure (OMI) is automatically deployed - without the customers’ knowledge - when they set up a Linux virtual machine in the cloud and enable certain Azure services, researchers at cloud security company Wiz report.

Unless a patch is applied, attackers can easily exploit the four OMIGOD vulnerabilities to escalate to root privileges and remotely execute malicious code, such as encrypting files for ransom, the researchers say.

The U.S. Cybersecurity and Infrastructure Security Agency issued an alert on Thursday reiterating Microsoft's security advisory on Tuesday that, “Customers must update vulnerable extensions for their Cloud and On-Premises deployments as the updates become available" for the remote code execution vulnerability CVE-2021-38647 that affects the Azure Linux OMI framework.

The other three vulnerabilities that comprise OMIGOD are CVE-2021-38645, CVE-2021-38649 and CVE-2021-38648.

The Wiz researchers describe the flaw as a "textbook RCE vulnerability" that one would expect to see in the 1990s, noting it is very unusual to have one crop up in 2021.

"With a single packet, an attacker can become root on a remote machine by simply removing the authentication header. Any request without an Authorization header has its privileges default to uid=0, gid=0, which is root," they say.

How Urgent Is Patching?

At least 15,000 Azure servers remain exploitable, according to Horizon3.ai, a security firm established in 2019 by veterans of the U.S. defense forces, which has published a proof-of-concept exploit for CVE-2021-38647 on GitHub.

Microsoft confirms that all Azure Linux OMI versions below v1.6.8-1 are vulnerable to this RCE vulnerability, but ranks CVE-2021-38647 as "less likely" to be exploited.

Researchers say the vulnerability is easy to exploit because certain Azure products expose an HTTP/S port on which OMI listens - typically port 5986, 5985 or 1270. The Wiz researchers confirm this is the default when OMI is installed stand-alone and when it is deployed through Azure Configuration Management or System Center Operations Manager.

Silent Installation

OMI is a Windows Management Infrastructure for UNIX and Linux systems, Wiz researchers say. They add that one of its most notable benefits is the ease with which it syncs configurations and gathers statistics across an entire environment.

But Wiz researchers suggest that this is the Achilles' heel of Azure OMI. It is used extensively in Azure products but is installed silently on the VMs that have enabled the above services without any "consent or knowledge" of the users, they add. Its existence has taken some online security sector commenters by surprise, as seen in the GitMemory forum discussion.

Arcadia's Beaumont tweeted before Mirai became active: "They [Microsoft] silently rolled out an agent allowed no authentication remote code execution as root, and then the fix is buried in the random CVE."


To check whether VM management extensions are affected by CVE-2021-38647, Microsoft suggests customers use the Azure Portal or CLI or check the affected versions list in the MSRC blog where the updated extensions are available for manual download.

Currently, updates are only available for DSC and SCOM, but the others will be available on Saturday, Microsoft says.

As a second layer of protection, Microsoft advises its customers to restrict access to Linux systems that expose the OMI ports - TCP 5985, 5986 and 1270 - and ensure "VMs are deployed within a Network Security Group or behind a perimeter firewall." It clarifies that ports 5985 and 5986 are also used for PowerShell Remoting on Windows but are not affected by these vulnerabilities.
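The two checks the article describes - whether the installed OMI package is below the fixed version v1.6.8-1 and whether the OMI ports are reachable from outside the VM - can be scripted on the VM itself. The following is an added example written for this page; it is not code from the article, Microsoft, Wiz or Beaumont. It assumes the version string is in the same "major.minor.patch-release" form the article quotes and that the listening-socket information is in the format printed by `ss -ltn`; the socket table embedded below is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article or any vendor): audit a Linux VM for the
# two OMIGOD conditions the article describes. Assumptions: the OMI version
# looks like "1.6.8-1" (as quoted in the article) and socket data looks like
# the output of `ss -ltn`.

OMI_FIXED_VERSION="1.6.8-1"   # first fixed OMI version named in the article
OMI_PORTS="5985 5986 1270"    # OMI ports named in the article

# version_lt A B: succeeds (exit 0) when version A is strictly lower than B.
# "-" is treated like "." so 1.6.8-1 compares as 1.6.8.1; a trailing dot
# makes every field lookup terminate with an empty string past the end.
version_lt() {
    a="$(printf '%s' "$1" | tr '-' '.')."
    b="$(printf '%s' "$2" | tr '-' '.')."
    i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 1   # all fields equal
        x=${x:-0}
        y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
}

# omi_is_vulnerable VERSION: succeeds when VERSION is below the fixed release.
omi_is_vulnerable() {
    version_lt "$1" "$OMI_FIXED_VERSION"
}

# exposed_omi_ports: reads `ss -ltn` style rows on stdin and prints each OMI
# port bound to all interfaces (0.0.0.0, *, or [::]); loopback-only binds
# are not reported because they are unreachable from the network.
exposed_omi_ports() {
    awk -v ports="$OMI_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            n = split($4, addr, ":")
            port = addr[n]
            host = substr($4, 1, length($4) - length(port) - 1)
            if (want[port] && (host == "0.0.0.0" || host == "*" || host == "[::]")) print port
        }'
}

# Constructed sample socket table (not from a real host): sshd, OMI HTTPS on
# all interfaces, OMI HTTP on loopback only, and port 1270 on all IPv6 interfaces.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:5986        0.0.0.0:*
LISTEN 0      128    127.0.0.1:5985      0.0.0.0:*
LISTEN 0      128    [::]:1270           [::]:*'

# Demo run against a constructed version string and the sample table.
if omi_is_vulnerable "1.6.8-0"; then
    echo "omi 1.6.8-0: below $OMI_FIXED_VERSION, update required"
else
    echo "omi 1.6.8-0: at or above $OMI_FIXED_VERSION"
fi
echo "OMI ports reachable from the network:"
printf '%s\n' "$SAMPLE_SS" | exposed_omi_ports
```

On a live VM the inputs come from the package manager and the socket table: `dpkg-query -W -f='${Version}' omi` on Debian-based images or `rpm -q --qf '%{VERSION}-%{RELEASE}' omi` on RPM-based ones, and `ss -ltn | exposed_omi_ports`. A port reported by the second check is the one to cover with the Network Security Group or perimeter firewall rule Microsoft recommends; the first check is a host-side complement to the Azure Portal and CLI extension listing the article mentions, not a replacement for it.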

'Spectacular Cloud Security Issue'

Microsoft, Wiz researchers and CISA have all advised users to implement these remedial measures. But in a tweet, Beaumont says Microsoft has "failed to update their own systems in Azure to install the patched version on new VM deployments," adding, "It's honestly jaw dropping."

The ripple effects of the vulnerability are already visible, Beaumont adds in another tweet, calling the vulnerabilities a "spectacular cloud security issue."

Third Incident in Three Weeks

This is the third instance of a security vulnerability in the popular Azure product from Microsoft in as many weeks. In August, Microsoft disclosed an Azure Cosmos DB takeover vulnerability that it said affected 30% of the Azure customers (see: Azure Database Service Flaw Could Affect Thousands of Firms).

In early September, the tech giant disclosed details of an Azurescape vulnerability that affects Azure Container Instances and potentially allows a user to access other customers' information in the ACI service (see: Microsoft Alert: Serious Flaw in Azure Container Instances).

News Editor Doug Olenick contributed to this story.

About the Author

Mihir Bagwe


Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.
