What is Microsoft Open Management Infrastructure (OMI)?
Open Management Infrastructure (OMI) is Microsoft's open-source implementation of the DMTF CIM/WBEM standard for systems management on Linux and Unix, essentially the Linux counterpart of Windows Management Instrumentation (WMI). Microsoft uses it to provide the management plumbing behind several Azure Linux VM extensions, including System Center Operations Manager (SCOM), Azure Log Analytics (the OMS agent), Azure Automation State Configuration and Azure Diagnostics. Critically, OMI arrives as a dependency of those extensions rather than as something the administrator chooses: enabling monitoring on an Azure Linux VM frequently installs OMI without any notice, creating an attack surface the operator does not know about. OMI runs as root, exposes a local UNIX domain socket for management traffic and, when remote management is enabled, also listens on TCP ports 5985/5986 (WS-Management) and 1270.
Overview
CVE-2021-38648 is a local privilege escalation vulnerability in Microsoft's OMI agent — the second of three local privilege escalation variants in the OMIGOD cluster (alongside CVE-2021-38645 and CVE-2021-38649). All three were patched in September 2021 Patch Tuesday along with the critical unauthenticated remote code execution variant CVE-2021-38647 (CVSS 9.8). Discovered by the Wiz security research team, the OMIGOD cluster revealed that a significant portion of Azure Linux VMs had a vulnerable, root-running management agent silently installed without customer knowledge. CVE-2021-38648 enables a local user with low privileges to escalate to root on affected Azure Linux VMs.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| OMI before 1.6.8-1 | Yes | OMI 1.6.8-1 |
| Azure VMs with vulnerable management extensions (OMS agent, SCOM, Azure Automation State Configuration, Azure Diagnostics) | Yes | Extension builds bundling OMI 1.6.8-1 or later; delivered automatically only where the extension is configured to auto-upgrade, otherwise the extension (or OMI itself) must be updated manually |
Technical Details
- Root cause: an authorization bypass in OMI's local management interface that is a distinct defect from the one tracked as CVE-2021-38645; the two sit on different code paths of the same root-running agent, and each on its own lets an unprivileged local user reach root
- Attack vector: local (AV:L) with low privileges (PR:L); the attacker needs a shell on the Azure Linux VM as an ordinary non-root user before OMI can be used to escalate
- Root escalation: OMI's server runs as root, so a low-privileged user who can reach its UNIX socket and send crafted management requests gets root-level operations performed on their behalf, which is full root on the VM
- OMIGOD cluster: the four OMIGOD CVEs cover local privilege escalation (CVE-2021-38645, CVE-2021-38648, CVE-2021-38649) and unauthenticated remote code execution (CVE-2021-38647). CVE-2021-38648 is an alternative local root path with its own identifier and fix; all four are resolved together by the OMI 1.6.8-1 release
- Silent installation: the attack surface exists on a VM only because OMI was deployed along with an extension; operators who enabled OMS Log Analytics, SCOM or Azure Diagnostics received OMI without explicit consent or notification, so many affected hosts were never inventoried as running it
Discovery
Discovered by the Wiz research team (Nir Ohfeld, Shir Tamari) alongside the other OMIGOD CVEs, published September 14, 2021. Wiz estimated tens of thousands of Azure customers had vulnerable OMI instances across their Linux VM fleets.
Exploitation Context
CVE-2021-38648 was added to CISA KEV on the same date as CVE-2021-38645, which means CISA had evidence that both local privilege escalation variants were exploited in the wild after the Wiz OMIGOD disclosure triggered mass scanning for vulnerable OMI installations. In a post-initial-access scenario (for example, a low-privileged shell obtained through a web application flaw on an Azure Linux VM), CVE-2021-38648 turns that foothold into root, which enables full VM takeover, theft of credentials and tokens stored on the VM, and lateral movement within the Azure environment. Because two independent local paths exist (CVE-2021-38645 and CVE-2021-38648), any OMI build older than 1.6.8-1 is exposed through both; the only sound check is the installed OMI version, not the status of an individual CVE.
Remediation
- Update OMI to version 1.6.8-1 or later. Check the installed version with `dpkg -l omi` (Debian/Ubuntu) or `rpm -qa omi` (RHEL/CentOS)
- Both CVE-2021-38645 and CVE-2021-38648 are fixed in the same OMI 1.6.8-1 release, so one OMI update covers all three local privilege escalation variants (and the remote CVE-2021-38647)
- Update all Azure management extensions (OMS agent, SCOM, Azure Automation) to versions that bundle OMI 1.6.8-1 or later; where extension auto-upgrade is not enabled, this does not happen on its own
- If the management extensions are not required, remove them from the VM; this eliminates the OMI attack surface entirely
- If an extension must stay installed, restrict access to the OMI UNIX socket with filesystem permissions so low-privileged users cannot talk to it, and verify afterwards that the extension's own (root-run) clients still report correctly
- For network-exposed OMI (CVE-2021-38647): deny TCP ports 5985, 5986 and 1270 in Azure NSG (Network Security Group) rules on every VM that does not specifically need remote management
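The checks in the list above, put together as a host audit. This is an added example written for this page, not code from Microsoft or the OMI project, and it makes a few labelled assumptions: the package is named `omi` in both dpkg and rpm, the fixed build is 1.6.8-1 (Debian packaging may render the release as a fourth dotted field, so the comparison treats 1.6.8.1 and 1.6.8-1 as equal), the server socket lives at /var/opt/omi/run/omiserver.sock, and `ss` is available for the listening-port check. The `ss` sample embedded in the script is constructed, not captured from a real VM.

```shell
#!/bin/sh
# Added example for this page (not code from Microsoft or the OMI project):
# audit a Linux host for the OMIGOD fix level and for the exposure the
# remediation list describes. Assumptions, labelled: the package is named
# "omi" in both dpkg and rpm; the fixed build is 1.6.8-1 (Debian packaging
# may render the release as a fourth dotted field, e.g. 1.6.8.1); the
# server socket lives at /var/opt/omi/run/omiserver.sock; `ss` is present.

FIXED_OMI_VERSION="1.6.8-1"
OMI_SOCKET="/var/opt/omi/run/omiserver.sock"

# omi_version_cmp A B: print -1, 0 or 1 comparing dotted/dashed versions
# field by field as integers, so 1.6.8.1 == 1.6.8-1 and 1.6.8 < 1.6.8-1.
omi_version_cmp() {
    printf '%s\n%s\n' "$1" "$2" | tr '-' '.' | awk -F. '
        NR == 1 { n = NF; for (i = 1; i <= NF; i++) a[i] = $i + 0; next }
        NR == 2 {
            if (NF > n) n = NF
            for (i = 1; i <= n; i++) {
                x = a[i] + 0; y = $i + 0
                if (x < y) { print "-1"; exit }
                if (x > y) { print "1"; exit }
            }
            print "0"
        }'
}

# True (exit 0) when the given version is older than the fixed build.
omi_version_vulnerable() {
    [ "$(omi_version_cmp "$1" "$FIXED_OMI_VERSION")" = "-1" ]
}

# Installed OMI version from dpkg or rpm; prints nothing when absent.
installed_omi_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Status} ${Version}\n' omi 2>/dev/null |
            awk '$3 == "installed" { print $4 }'
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q omi >/dev/null 2>&1 && rpm -q --qf '%{VERSION}-%{RELEASE}\n' omi
    fi
}

# OMI TCP ports found listening in `ss -Hltn` output, passed in as text so the
# parser can be exercised on captured output. Prints e.g. "1270 5986".
omi_exposed_ports_in() {
    printf '%s\n' "$1" | awk '
        { n = split($4, f, ":"); p = f[n] + 0
          if (p == 5985 || p == 5986 || p == 1270) print p }' |
        sort -un | awk '{ printf "%s%s", (NR > 1 ? " " : ""), $1 }'
}

# Constructed `ss -Hltn` sample (not from a real VM): two OMI ports exposed.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:1270 0.0.0.0:*
LISTEN 0 128 [::]:5986 [::]:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*'

# Permission bits of the omiserver socket, or "absent" if it is not there.
omi_socket_mode() {
    sock=${1:-$OMI_SOCKET}
    if [ ! -S "$sock" ]; then
        echo "absent"
    else
        stat -c '%a' "$sock" 2>/dev/null || stat -f '%Lp' "$sock"
    fi
}

# Audit the running host; only invoked with --audit so the functions above
# can be sourced or tested without touching the system.
omi_audit() {
    v=$(installed_omi_version)
    if [ -z "$v" ]; then
        echo "omi: package not installed (no OMI attack surface)"
    elif omi_version_vulnerable "$v"; then
        echo "omi: $v is older than $FIXED_OMI_VERSION: vulnerable to CVE-2021-38648 and the other OMIGOD CVEs"
    else
        echo "omi: $v is at or above $FIXED_OMI_VERSION: patched"
    fi
    if command -v ss >/dev/null 2>&1; then
        ports=$(omi_exposed_ports_in "$(ss -Hltn 2>/dev/null)")
        if [ -n "$ports" ]; then
            echo "omi: management ports listening: $ports (CVE-2021-38647 surface; deny at the NSG unless required)"
        fi
    fi
    mode=$(omi_socket_mode)
    echo "omi: server socket $OMI_SOCKET mode $mode"
    case "$mode" in
        absent|*0) ;;   # no socket, or no "other" bits: unprivileged users cannot connect
        *) echo "omi: socket is reachable by non-root users; restrict it if the extension must stay" ;;
    esac
}

case "${1:-}" in --audit) omi_audit ;; esac
```

Run it as `sh omi_audit.sh --audit` on the VM; without the flag it only defines the functions, so `omi_exposed_ports_in "$SAMPLE_SS"` can be tried against the constructed sample. The version comparison deliberately ignores the dash/dot distinction because the same OMI build appears as 1.6.8-1 in rpm and 1.6.8.1 in dpkg output.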
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-38648 |
| Vendor / Product | Microsoft — Open Management Infrastructure (OMI) |
| NVD Published | 2021-09-15 |
| NVD Last Modified | 2025-10-30 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2021-11-17 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector (AV) | Local (L): the attacker already has a shell on the VM |
| Attack Complexity (AC) | Low (L) |
| Privileges Required (PR) | Low (L): any unprivileged local account |
| User Interaction (UI) | None (N) |
| Scope (S) | Unchanged (U): the impact stays within the VM, but as root |
| Confidentiality / Integrity / Availability | High / High / High: full root control of the host |
Required Action
Apply updates per vendor instructions (CISA BOD 22-01): move OMI to 1.6.8-1 or later on every affected VM, either by updating the agent directly or by updating the Azure extension that bundles it; the federal remediation deadline was 2021-11-17.
Timeline
| Date | Event |
|---|---|
| 2021-09-14 | Microsoft patches CVE-2021-38648 and other OMIGOD CVEs in September 2021 Patch Tuesday; Wiz publishes OMIGOD research |
| 2021-09-15 | CVE published |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog alongside CVE-2021-38645 |
| 2021-11-17 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Microsoft Security Response Center — CVE-2021-38648 | Vendor Advisory |
| Wiz Research — OMIGOD: Critical Vulnerabilities in OMI | Security Research |
| NVD — CVE-2021-38648 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |