What is Microsoft Open Management Infrastructure (OMI)?
Open Management Infrastructure (OMI) is Microsoft's open-source implementation of the DMTF CIM/WBEM standard for systems management on Linux and Unix — essentially the Linux equivalent of Windows Management Instrumentation (WMI). OMI is used by Microsoft to provide management capabilities in Azure VM management extensions, including: System Center Operations Manager (SCOM), Azure Log Analytics (OMS agent), Azure Automation State Configuration, and Azure Diagnostics. The critical issue: Microsoft silently installs OMI as a dependency of these management extensions — Linux VM administrators who enable monitoring or management extensions in Azure get OMI installed without explicit notification or documentation of the security implications. OMI runs as root and listens on local UNIX sockets and, in some configurations, network ports.
Overview
CVE-2021-38645 is a local privilege escalation vulnerability in Microsoft's OMI agent, part of the OMIGOD cluster of four CVEs (CVE-2021-38647, CVE-2021-38645, CVE-2021-38648, CVE-2021-38649) discovered by the Wiz security research team in September 2021. Wiz researchers found that OMI was silently installed on a large proportion of Azure Linux VMs. A low-privileged local user on an Azure Linux VM with OMI installed can exploit a vulnerability in OMI's UNIX socket handler to escalate to root privileges without authentication. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog in November 2021, confirming active exploitation.
The remote code execution variant, CVE-2021-38647 (CVSS 9.8), is even more severe — allowing unauthenticated RCE when OMI's management ports are exposed to the network.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| OMI before 1.6.8-1 | Yes | OMI 1.6.8-1 |
| Azure VMs with vulnerable management extensions | Yes | Extensions auto-updated by Microsoft in most configurations |
Technical Details
- Root cause: An authorization/authentication bypass in OMI's local UNIX socket handler — a low-privileged local user can send specially crafted messages to the OMI management socket and trigger privileged operations without proper authentication
- Attack vector: Local (AV:L) with low privileges (PR:L) — the attacker needs a shell on the Azure Linux VM (as any non-root user) to exploit the OMI UNIX socket
- Root escalation: OMI runs as root; exploiting the UNIX socket allows a low-privileged user to execute arbitrary commands in the OMI root context, achieving full root access on the VM
- Silent installation: Azure VM administrators are often unaware that OMI is installed because it is a hidden dependency of common management extensions — this "phantom" attack surface is what made OMIGOD particularly impactful
- OMIGOD cluster: The four OMIGOD CVEs range from local privilege escalation (CVE-2021-38645, CVE-2021-38648, CVE-2021-38649) to remote code execution (CVE-2021-38647, CVSS 9.8) — all in the same OMI agent
- Azure scope: Primarily affects Azure Linux VMs with management extensions enabled; non-Azure OMI deployments may also be affected
Discovery
Discovered by Nir Ohfeld, Shir Tamari, and the Wiz research team, who published the OMIGOD research simultaneously with Microsoft's September 2021 Patch Tuesday fixes. Wiz estimated that thousands of Azure customers had OMI silently installed across their Linux VM fleets, with many unaware of its presence.
Exploitation Context
The OMIGOD disclosure was significant both for the technical severity and the policy implications — Microsoft was silently installing a root-running management agent without adequate customer disclosure. Following the disclosure, Microsoft patched OMI and updated extension distribution to include the fixed version. However, Azure customers who did not have automatic extension updates enabled remained vulnerable until manually updated. CISA's KEV addition confirms active exploitation in Azure environments, likely by threat actors scanning Azure for vulnerable OMI deployments.
Remediation
- Update OMI to version 1.6.8-1 or later — Microsoft pushed automatic updates to many Azure management extensions, but verify the installed version with `dpkg -l omi` or `rpm -qa omi`
- For Azure VMs: check the installed version of all management extensions (OMS agent, SCOM, Azure Automation) and update to versions that bundle OMI 1.6.8-1+
- Restrict the OMI UNIX socket permissions to limit local user access if the management extension is required
- For the network-accessible OMIGOD variant (CVE-2021-38647): ensure OMI ports 5985/5986/1270 are not exposed to untrusted networks via NSG (Network Security Group) rules
- If management extensions are not required, disable or remove them from Azure VMs to eliminate the OMI attack surface entirely
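The remediation checklist above can be scripted as a local audit. The following POSIX shell script is an added example, not tooling from the advisory or from Microsoft's OMI project. It assumes, since the page does not state them, that the package is named `omi` on both dpkg- and rpm-based systems, that OMI's local socket is at `/var/opt/omi/run/omiserver.sock`, and that GNU `stat` and iproute2 `ss` are available. Version strings are split on both `.` and `-`, so a Debian-style `1.6.8.1` compares correctly against the advisory's `1.6.8-1`.

```shell
#!/bin/sh
# Added example (not part of the advisory or of Microsoft's OMI project):
# a local audit for the CVE-2021-38645 remediation steps.
# Assumptions not stated on the page: the package is named "omi" on both
# dpkg- and rpm-based systems, OMI's local socket is at
# /var/opt/omi/run/omiserver.sock, and GNU stat / iproute2 ss are available.

FIXED_VERSION="1.6.8-1"
OMI_SOCKET="${OMI_SOCKET:-/var/opt/omi/run/omiserver.sock}"   # assumed path

# version_ge A B: returns 0 if version A >= B, comparing numeric fields.
# Both "." and "-" separate fields, so "1.6.8.1" and "1.6.8-1" compare equal.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, /[.-]/); m = split(b, y, /[.-]/)
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# dpkg_line_version LINE: version column of a "dpkg -l" line for an installed
# ("ii") omi package; prints nothing for any other line.
dpkg_line_version() {
    printf '%s\n' "$1" | awk '$1 == "ii" && $2 ~ /^omi(:|$)/ { print $3 }'
}

# installed_omi_version: query the package manager; prints nothing if absent.
installed_omi_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}\n' omi 2>/dev/null || true
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' omi 2>/dev/null || true
    fi
}

# socket_mode_is_permissive MODE: 0 if the octal mode grants "other" write
# access (last digit 2, 3, 6 or 7), i.e. any local user can open the socket.
socket_mode_is_permissive() {
    case "$1" in
        *[2367]) return 0 ;;
        *) return 1 ;;
    esac
}

# omi_ports_in_listeners: read "ss -ltn" output on stdin and print the OMI
# ports (5985, 5986, 1270) bound to anything other than a loopback address.
omi_ports_in_listeners() {
    awk '{
        n = split($4, p, ":"); port = p[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if ((port == 5985 || port == 5986 || port == 1270) &&
            addr != "127.0.0.1" && addr != "[::1]") print port
    }'
}

# run_audit: apply the checks to the live host and report findings.
run_audit() {
    v=$(installed_omi_version)
    if [ -z "$v" ]; then
        echo "OMI not installed: CVE-2021-38645 not applicable"
        return 0
    fi
    if version_ge "$v" "$FIXED_VERSION"; then
        echo "OMI $v installed: at or above fixed version $FIXED_VERSION"
    else
        echo "OMI $v installed: VULNERABLE, update to $FIXED_VERSION or later"
    fi
    if [ -S "$OMI_SOCKET" ]; then
        mode=$(stat -c '%a' "$OMI_SOCKET")
        if socket_mode_is_permissive "$mode"; then
            echo "socket $OMI_SOCKET mode $mode: world-writable, restrict it"
        fi
    fi
    if command -v ss >/dev/null 2>&1; then
        for p in $(ss -ltn | omi_ports_in_listeners); do
            echo "port $p listens on a non-loopback address: check NSG rules"
        done
    fi
}

# Run the live audit only when invoked as: sh omi_audit.sh --run
if [ "${1:-}" = "--run" ]; then
    run_audit
fi
```

Invoking the script with `--run` on a VM performs the three checks (package version, socket mode, exposed listeners); the helper functions take their input as arguments or on stdin so they can be exercised against captured output from another host.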
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-38645 |
| Vendor / Product | Microsoft — Open Management Infrastructure (OMI) |
| NVD Published | 2021-09-15 |
| NVD Last Modified | 2025-10-30 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2021-11-17 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2021-09-14 | Microsoft patches CVE-2021-38645 and other OMIGOD CVEs in September 2021 Patch Tuesday; Wiz publishes OMIGOD research |
| 2021-09-15 | CVE published |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2021-11-17 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Microsoft Security Response Center — CVE-2021-38645 | Vendor Advisory |
| Wiz Research — OMIGOD: Critical Vulnerabilities in OMI | Security Research |
| NVD — CVE-2021-38645 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |