CVE-2021-38645
Published: 15 September 2021
Summary
CVE-2021-38645 is a high-severity vulnerability, with no CWE weakness type assigned, in Microsoft Azure Automation State Configuration. Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 6.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2021-38645 is an elevation of privilege vulnerability affecting the Open Management Infrastructure component. It carries a CVSS 3.1 base score of 7.8 under the vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating that successful exploitation can fully compromise confidentiality, integrity, and availability on the affected system.
A local attacker who already possesses low-privileged access can exploit the flaw without user interaction to obtain higher privileges on the host. The vulnerability therefore allows an authenticated local user to escalate rights and perform actions that would otherwise be restricted.
The issue is tracked in Microsoft security advisories and appears in the CISA Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation and underscoring the need to apply the patches referenced in those advisories.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-25084
Vulnerability details
Open Management Infrastructure Elevation of Privilege Vulnerability
- CWE(s)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces access control policies so a low-privileged local user cannot obtain unauthorized higher rights via the OMI flaw.
- AC-6 (Least Privilege): Limits privileges assigned to local accounts, reducing both the likelihood and impact of successful exploitation of CVE-2021-38645.
- Vendor patching: Requires timely application of vendor patches that close the OMI elevation-of-privilege vulnerability listed in CISA KEV.