Attacker Value
Moderate
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Local
1

CVE-2021-38648

Disclosure Date: September 15, 2021
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Open Management Infrastructure Elevation of Privilege Vulnerability

Add Assessment

3
Ratings
Technical Analysis

A locally exploitable vulnerability exists within Microsoft’s OMI management server in versions prior to 1.6.8-1 that can allow a local attacker to execute operating system commands as root. Exploitation consists of sending crafted binary messages to the local UNIX socket on which the service listens. Under normal circumstances, clients (typically omicli) will send an authentication frame via this interface however the authentication frame can be omitted. In this case, the default values which are initialized to 0 are used and happen to correspond to the UID and GID of the root user and group.

The service must be running in order for this vulnerability to be exploited. The socket file is located at /var/opt/omi/run/omiserver.sock and can be connected to by anyone using a socket of the AF_UNIX family.

The strace utility can be used to view the standard exchange of authentication information:

root@3ad6908bf1bc:/opt/omi/bin# strace -v -f -xx -e trace=socket,connect,write,writev,close   /opt/omi/bin/omicli iv root/scx { SCX_OperatingSystem } ExecuteShellCommand { command 'id' timeout 0 }
...
[pid  1271] socket(AF_UNIX, SOCK_STREAM, 0) = 6
[pid  1271] connect(6, {sa_family=AF_UNIX, sun_path="\x2f\x76\x61\x72\x2f\x6f\x70\x74\x2f\x6f\x6d\x69\x2f\x72\x75\x6e\x2f\x6f\x6d\x69\x73\x65\x72\x76\x65\x72\x2e\x73\x6f\x63\x6b"}, 110) = 0
[pid  1271] writev(6, [{iov_base="\x2f\x7e\xa8\xb1\x08\x06\x01\x00\x00\x00\x00\x00\x01\x00\x00\x00\x08\xd5\x83\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=48}, {iov_base="\xd8\xd5\x83\x01\x00\x00\x00\x00\xd0\xd8\x83\x01\x00\x00\x00\x00\xd0\xd4\x83\x01\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"..., iov_len=248}], 2) = 296
[pid  1271] write(5, "\x00\x00\x00\x00\x00\x00\x00\x00", 8) = 8
[pid  1271] close(7)                    = 0
[pid  1272] writev(6, [{iov_base="\x2f\x7e\xa8\xb1\x08\x06\x01\x00\x00\x00\x00\x00\x05\x00\x00\x00\x88\x33\x83\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=112}, {iov_base="\x57\x99\x2b\x46\x01\x00\x00\x00\x0f\x00\x00\x00\x5f\x4f\x4d\x49\x5f\x4f\x70\x74\x69\x6f\x6e\x53\x65\x74\x00\x00\x00\x00\x00\x00"..., iov_len=188}, {iov_base="\x60\xea\x6a\xb2\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\xa0\x0b\x61\x57\x46\x7f\x00\x00\xe8\x34\x83\x01\x00\x00\x00\x00"..., iov_len=80}, {iov_base="\x60\xea\x6a\xb2\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\xa0\x0b\x61\x57\x46\x7f\x00\x00\xe8\x34\x83\x01\x00\x00\x00\x00"..., iov_len=1360}, {iov_base="\x57\x99\x2b\x46\x02\x00\x00\x00\x14\x00\x00\x00\x53\x43\x58\x5f\x4f\x70\x65\x72\x61\x74\x69\x6e\x67\x53\x79\x73\x74\x65\x6d\x00"..., iov_len=108}, {iov_base="\xd0\x86\x83\x01\x00\x00\x00\x00\x70\x8a\x83\x01\x00\x00\x00\x00\x80\x8a\x83\x01\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00"..., iov_len=1008}], 6) = 2856
[pid  1272] write(1, "\x69\x6e\x73\x74\x61\x6e\x63\x65\x20\x6f\x66\x20\x45\x78\x65\x63\x75\x74\x65\x53\x68\x65\x6c\x6c\x43\x6f\x6d\x6d\x61\x6e\x64\x0a", 32instance of ExecuteShellCommand
) = 32
[pid  1272] write(1, "\x7b\x0a", 2{
)     = 2
[pid  1272] write(1, "\x20\x20\x20\x20\x52\x65\x74\x75\x72\x6e\x56\x61\x6c\x75\x65\x3d\x74\x72\x75\x65\x0a", 21    ReturnValue=true
) = 21
[pid  1272] write(1, "\x20\x20\x20\x20\x52\x65\x74\x75\x72\x6e\x43\x6f\x64\x65\x3d\x30\x0a", 17    ReturnCode=0
) = 17
[pid  1272] write(1, "\x20\x20\x20\x20\x53\x74\x64\x4f\x75\x74\x3d\x75\x69\x64\x3d\x30\x28\x72\x6f\x6f\x74\x29\x20\x67\x69\x64\x3d\x30\x28\x72\x6f\x6f"..., 50    StdOut=uid=0(root) gid=0(root) groups=0(root)
) = 50
[pid  1272] write(1, "\x0a", 1
)         = 1
[pid  1272] write(1, "\x20\x20\x20\x20\x53\x74\x64\x45\x72\x72\x3d\x0a", 12    StdErr=
) = 12
[pid  1272] write(1, "\x7d\x0a", 2}
)     = 2
[pid  1271] write(5, "\x00\x00\x00\x00\x00\x00\x00\x00", 8) = 8
[pid  1272] close(6)                    = 0
...
+++ exited with 0 +++

By following the writev calls, the standard exchange can be viewed. The frames starting with \x2f\x7e\xa8\xb1 are header frames. All of the data sent as part of the first request can be omitted, leaving the second which contains the command to execute within the binary structure. The results of the operating system command can be read from the socket, though they must be extracted from the binary response. The commands are executed within the context of a subshell.

This vulnerability can be exploited in the default configuration and was patched in version 1.6.8-1 which was released on September 8th 2021.

CVSS V3 Severity and Metrics
Base Score:
7.8 High
Impact Score:
5.9
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • microsoft

Products

  • azure automation state configuration -,
  • azure automation update management -,
  • azure diagnostics (lad) -,
  • azure open management infrastructure -,
  • azure security center -,
  • azure sentinel -,
  • azure stack hub -,
  • container monitoring solution -,
  • log analytics agent -,
  • system center operations manager -

Exploited in the Wild

Reported by:

Additional Info

Technical Analysis