CVE-2021-38647 — Microsoft Open Management Infrastructure (OMI) Remote Code Execution Vulnerability


Microsoft OMI (OMIGOD) — Silent Azure Linux VM Agent Exposes Unauthenticated Root RCE on Ports 5985/5986/1270

What is Microsoft OMI?

Open Management Infrastructure (OMI) is Microsoft's open-source implementation of the WBEM/CIM management standard for Linux and Unix systems — conceptually a Linux equivalent of Windows Management Instrumentation (WMI). OMI is embedded in multiple Azure VM management extensions including Azure Automation, Azure Diagnostics, Log Analytics Agent, Azure Security Center, and System Center Operations Manager. The critical discovery by Wiz Research was that these extensions silently install OMI on Azure Linux VMs without customers being explicitly informed — and the installed OMI agent listens on TCP ports 5985, 5986, and 1270 with root privileges.

Overview

CVE-2021-38647 is a critical unauthenticated RCE vulnerability (dubbed OMIGOD by Wiz Research) in Microsoft's Open Management Infrastructure (OMI) agent. Sending an HTTP request to the OMI HTTPS endpoint with a NULL or missing authentication header bypasses authentication entirely and executes the requested SOAP action as root. Microsoft patched this in the September 2021 Patch Tuesday update, but the critical context is that millions of Azure Linux VMs had OMI silently installed without their owners' knowledge, and that the agent automatically opened three listening ports to the internet.

Affected Versions

Product                         Vulnerable   Fixed
OMI                             < 1.6.8.1    1.6.8.1
Azure VM Extensions using OMI   Various      Updated automatically by Microsoft

Technical Details

The OMI SOAP/HTTP listener processes authentication headers in incoming requests. The authentication handler contains a bug: when the Authorization header is absent or set to NULL, the OMI server proceeds to execute the requested SOAP action without authentication:

  • Root cause: Missing authentication check — when the Authorization header is absent, OMI treats the request as authenticated
  • Exploit simplicity: Send an HTTP POST to port 5985/5986/1270 with a SOAP XML body requesting command execution and omit the Authorization header
  • Execution context: OMI runs as root — all commands execute with root privileges on the Linux VM
  • Silent installation: Azure VM management extensions install OMI without explicit customer notification, and the listening ports are not documented as a security concern
  • Network exposure: Azure Network Security Group (NSG) default rules may not block these ports, potentially exposing them to the internet or cross-VM access within Azure virtual networks

Discovery

Discovered by Wiz Research (Nir Ohfeld, Shir Tamari, Ami Luttwak, Noam Weiss). Following coordinated disclosure, Wiz published the research at the same time Microsoft released the patch.

Exploitation Context

Within days of the OMIGOD disclosure, internet-wide scanning for exposed OMI ports began, and exploitation followed quickly. Ransomware operators exploited OMIGOD to compromise Azure Linux VMs, gaining root access to cloud workloads. The vulnerability's impact was amplified by two factors: (1) millions of Azure customers had OMI installed without knowing it, and (2) Azure's network security default policies may leave these ports exposed within virtual networks.

Remediation

  1. Update OMI to version 1.6.8.1 or later via apt-get or yum on affected Azure Linux VMs
  2. Microsoft also updated the affected Azure VM extensions to include the patched OMI version
  3. Review Azure Network Security Group (NSG) rules and block TCP ports 5985, 5986, and 1270 from untrusted sources at the network level
  4. Audit Azure Linux VMs for installed management extensions that may have installed OMI: run sudo /opt/omi/bin/omicli id to check whether OMI is present
  5. If OMI is not required, consider removing the management extensions that install it
  6. Review Azure activity logs for unusual management operations during the vulnerable window
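A host-side audit that covers the points raised under Technical Details and in remediation steps 1, 3 and 4: it determines whether OMI is installed, compares the installed version against the fixed 1.6.8.1 numerically (a plain string comparison would rank 1.6.10.0 below 1.6.8.1), and reports which of the three OMI ports have a local listener. This is an added example for this advisory, not code from Microsoft, Wiz or the OMI project. It assumes the OMI package is registered with dpkg or rpm under the name "omi" and reports a dotted MAJOR.MINOR.PATCH.BUILD version; neither assumption is stated on the page.

```python
"""Audit a Linux host for CVE-2021-38647 (OMIGOD): OMI presence, version
against the fixed release, and local listeners on the OMI ports.

Added example for this advisory, not vendor code.  Assumptions not stated on
the page: the package name "omi" in dpkg/rpm, and a dotted
MAJOR.MINOR.PATCH.BUILD version string such as "1.6.8.1".
"""
import socket
import subprocess
from typing import List, Optional, Tuple

FIXED_VERSION = "1.6.8.1"          # fixed release named in the advisory
OMI_PORTS = (5985, 5986, 1270)     # listener ports named in the advisory
PACKAGE_NAME = "omi"               # assumption (see module docstring)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn "1.6.8.1" (or a packaged form such as "1.6.8-1") into a tuple of
    ints so that comparison is numeric.  Missing trailing components are
    padded with 0 so "1.6.8" and "1.6.8.0" compare equal."""
    core = text.strip().split("-", 1)[0]          # drop a package release suffix
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True when the installed OMI version is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def installed_omi_version() -> Optional[str]:
    """Ask dpkg, then rpm, for the installed omi package version.
    Returns None when neither package manager knows the package."""
    queries = [
        ["dpkg-query", "-W", "-f", "${Version}", PACKAGE_NAME],
        ["rpm", "-q", "--qf", "%{VERSION}", PACKAGE_NAME],
    ]
    for cmd in queries:
        try:
            out = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
        except (FileNotFoundError, subprocess.TimeoutExpired):
            continue
        if out.returncode == 0 and out.stdout.strip():
            return out.stdout.strip()
    return None


def listening_ports(ports=OMI_PORTS, host="127.0.0.1", timeout=0.5) -> List[int]:
    """Return the subset of ports that accept a TCP connection on this host.
    This only confirms a local listener; whether it is reachable from outside
    depends on the NSG rules the advisory tells you to review."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def assess(version: Optional[str], open_ports: List[int]) -> List[str]:
    """Combine the two observations into findings a responder can act on."""
    findings = []
    if version is None:
        findings.append("OMI package not found; verify with /opt/omi/bin/omicli id")
    elif is_vulnerable(version):
        findings.append(f"OMI {version} is vulnerable; upgrade to {FIXED_VERSION} or later")
    else:
        findings.append(f"OMI {version} is patched")
    for port in open_ports:
        findings.append(f"TCP port {port} is listening; confirm NSG rules block untrusted sources")
    return findings


if __name__ == "__main__":
    for line in assess(installed_omi_version(), listening_ports()):
        print(line)
```

Run it as root on the VM so dpkg/rpm and the loopback connects behave normally; a listener reported here still has to be checked against the NSG rules in step 3, since the script cannot tell whether the port is reachable from outside the host.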

Key Details

Property              Value
CVE ID                CVE-2021-38647
Vendor / Product      Microsoft — Open Management Infrastructure (OMI)
NVD Published         2021-09-15
NVD Last Modified     2025-10-30
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CISA KEV Added        2021-11-03
CISA KEV Deadline     2021-11-17
Known Ransomware Use  ⚠️ Yes

CVSS 3.1 Breakdown

Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     None
Scope                Unchanged
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date        Event
2021-09-14  Microsoft September 2021 Patch Tuesday includes fix for CVE-2021-38647
2021-09-14  Wiz Research publishes OMIGOD research revealing silent OMI installation in Azure
2021-09-15  CVE published
2021-11-03  Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17  CISA BOD 22-01 remediation deadline