What is Microsoft Open Management Infrastructure (OMI)?
Open Management Infrastructure (OMI) is Microsoft's open-source implementation of the DMTF CIM/WBEM standard for systems management on Linux and Unix — essentially the Linux equivalent of Windows Management Instrumentation (WMI). OMI is used by Microsoft to provide management capabilities in Azure VM management extensions, including System Center Operations Manager (SCOM), Azure Log Analytics (OMS agent), Azure Automation State Configuration, and Azure Diagnostics. Critically, Microsoft silently installs OMI as a hidden dependency of these extensions — Azure Linux VM administrators enabling monitoring frequently receive OMI without being told, creating an unexpected root-running management agent. The OMIGOD cluster (four CVEs) revealed this blind spot to the security community in September 2021.
Overview
CVE-2021-38649 is the third local privilege escalation variant in the OMIGOD cluster of OMI vulnerabilities (alongside CVE-2021-38645 and CVE-2021-38648 for local privilege escalation, and CVE-2021-38647, CVSS 9.8, for unauthenticated remote code execution). CVE-2021-38649 differs from its sibling LPE CVEs by having Attack Complexity: High (AC:H), indicating that exploitation requires meeting specific conditions or timing constraints beyond simply having local access. Like the other OMIGOD LPE variants, a local user with low privileges on an Azure Linux VM can exploit a flaw in the OMI management interface to escalate to root. All four OMIGOD CVEs were patched in the September 2021 Patch Tuesday release and fixed in OMI 1.6.8-1.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| OMI before 1.6.8-1 | Yes | OMI 1.6.8-1 |
| Azure VMs with vulnerable management extensions | Yes | Extensions auto-updated by Microsoft in most configurations |
Technical Details
- Root cause: A privilege escalation vulnerability in OMI's local management interface — CVE-2021-38649 involves a harder-to-exploit condition (AC:H) compared to the other two OMIGOD LPE variants (AC:L), requiring specific conditions to be met for successful escalation
- Attack vector: Local (AV:L) with low privileges (PR:L) and High complexity (AC:H) — the attacker needs a local shell, standard user privileges, and must meet specific exploitation conditions (timing, race condition, or specific configuration state)
- Root escalation: Despite higher complexity, successful exploitation still achieves full root access on the Azure Linux VM via OMI's root-running management socket
- OMIGOD cluster completeness: All three LPE variants (CVE-2021-38645, CVE-2021-38648, CVE-2021-38649) must be patched — the OMI 1.6.8-1 release addresses all three simultaneously. An attacker with a local shell can attempt each variant until one succeeds
- Silent installation: OMI remains silently installed on Azure VMs with common management extensions, meaning most Azure Linux VM operators are unaware of its presence and need to check actively
Discovery
Discovered by the Wiz research team (Nir Ohfeld, Shir Tamari) as part of the OMIGOD cluster investigation. All four CVEs were responsibly disclosed to Microsoft and patched in the same September 2021 Patch Tuesday release.
Exploitation Context
While CVE-2021-38649 has higher complexity than its sibling OMIGOD LPE CVEs, it was still added to CISA KEV in November 2021 alongside CVE-2021-38645 and CVE-2021-38648, confirming active exploitation. Attackers who gain an initial foothold on Azure Linux VMs (e.g., via exploitation of web applications or RCE vulnerabilities) can attempt all three OMIGOD LPE variants; the AC:H variant is a fallback when the AC:L variants have been patched or require conditions not available in the target environment.
Remediation
- Update OMI to version 1.6.8-1 or later — this single update addresses all three OMIGOD LPE variants (CVE-2021-38645, CVE-2021-38648, and CVE-2021-38649)
- Check the installed OMI version: `dpkg -l omi` (Debian/Ubuntu) or `rpm -qa omi` (RHEL/CentOS)
- Update all Azure management extensions (OMS agent, SCOM, Azure Automation) to versions bundling OMI 1.6.8-1+
- If management extensions are not required, remove them from Azure VMs to eliminate the OMI attack surface
- For the critical RCE variant (CVE-2021-38647): ensure OMI network ports 5985/5986/1270 are blocked at Azure Network Security Group (NSG) rules
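Because OMI arrives silently with the management extensions (see Technical Details above), operators need a repeatable host-side check rather than a one-off package query. The following POSIX shell script is an added example written for this page, not code from Microsoft, Wiz, or the OMI project. It reads the installed OMI version from dpkg or rpm, compares it numerically against the fixed version 1.6.8-1 (a plain string comparison would wrongly flag 1.6.10 as older than 1.6.8), and lists any listeners on ports 5985/5986/1270 so the NSG advice for CVE-2021-38647 can be confirmed from the host. The fallback path `/opt/omi/bin/omiserver` is an assumption about OMI's default install location and is not stated on this page.

```shell
#!/bin/sh
# omi_check.sh: report whether a vulnerable OMI build is installed on this host.
# Added example for this page; not part of OMI or any Microsoft/Wiz tooling.
# Usage: sh omi_check.sh --report   (exit 2 = action needed, 0 = nothing found)

FIXED_OMI_VERSION="1.6.8-1"   # release that fixes all four OMIGOD CVEs (from the advisory)

# Return 0 if version $1 is strictly lower than version $2.
# Versions are dotted numerics with an optional "-release" suffix, e.g. 1.6.8-1.
# The "-" is folded into "." so the release number is just one more component.
omi_version_lt() {
    _a=$(printf '%s' "$1" | tr '-' '.')
    _b=$(printf '%s' "$2" | tr '-' '.')
    awk -v a="$_a" -v b="$_b" 'BEGIN {
        na = split(a, pa, ".")
        nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0   # missing components count as 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1                              # equal: not lower
    }'
}

# Return 0 if the given OMI version predates the fixed release.
omi_is_vulnerable() {
    omi_version_lt "$1" "$FIXED_OMI_VERSION"
}

# Print the installed OMI package version (dpkg first, then rpm); return 1 if no package record.
installed_omi_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        _v=$(dpkg-query -W -f '${Version}' omi 2>/dev/null) && [ -n "$_v" ] && { printf '%s\n' "$_v"; return 0; }
    fi
    if command -v rpm >/dev/null 2>&1; then
        _v=$(rpm -q --qf '%{VERSION}-%{RELEASE}' omi 2>/dev/null) && [ -n "$_v" ] && { printf '%s\n' "$_v"; return 0; }
    fi
    return 1
}

# Print local TCP listeners on the OMI ports named in the remediation guidance.
# Only CVE-2021-38647 (the RCE) is reachable this way; the LPE variants need a local shell.
omi_listening_ports() {
    command -v ss >/dev/null 2>&1 || return 1
    ss -ltn 2>/dev/null | awk 'NR > 1 { print $4 }' | grep -E ':(5985|5986|1270)$'
}

omi_report() {
    _rc=0
    if _ver=$(installed_omi_version); then
        if omi_is_vulnerable "$_ver"; then
            echo "OMI $_ver installed: VULNERABLE (fixed in $FIXED_OMI_VERSION); update omi and the Azure extensions that bundle it"
            _rc=2
        else
            echo "OMI $_ver installed: at or above $FIXED_OMI_VERSION"
        fi
    elif [ -x /opt/omi/bin/omiserver ]; then
        # Assumed default install path; OMI can be present without a package record.
        echo "omiserver binary present but no dpkg/rpm record; inspect the install manually"
        _rc=2
    else
        echo "OMI not installed"
    fi
    _ports=$(omi_listening_ports)
    if [ -n "$_ports" ]; then
        echo "OMI management ports listening (check NSG rules for CVE-2021-38647):"
        echo "$_ports"
    fi
    return $_rc
}

# Only run the report when invoked with --report, so the functions can be sourced elsewhere.
if [ "${1:-}" = "--report" ]; then
    omi_report
fi
```

The version comparison is the part worth keeping even if the rest is replaced by a fleet inventory tool: `omi_is_vulnerable` accepts the version string exactly as dpkg or rpm print it, so it can be fed the output of a central package inventory without normalisation.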
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-38649 |
| Vendor / Product | Microsoft — Open Management Infrastructure (OMI) |
| NVD Published | 2021-09-15 |
| NVD Last Modified | 2025-10-30 |
| CVSS 3.1 Score | 7 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2021-11-17 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2021-09-14 | Microsoft patches all four OMIGOD CVEs in the September 2021 Patch Tuesday release; Wiz publishes OMIGOD research |
| 2021-09-15 | CVE published |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog alongside CVE-2021-38645 and CVE-2021-38648 |
| 2021-11-17 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Microsoft Security Response Center — CVE-2021-38649 | Vendor Advisory |
| Wiz Research — OMIGOD: Critical Vulnerabilities in OMI | Security Research |
| NVD — CVE-2021-38649 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |