CVE-2021-38647
Published: 15 September 2021
Summary
CVE-2021-38647 is a critical-severity vulnerability of unspecified weakness type in Microsoft Azure Automation State Configuration. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2021-38647 is a remote code execution vulnerability in Open Management Infrastructure (OMI), a component used in multiple Microsoft Azure services and Linux management agents. The flaw carries a CVSS 3.1 base score of 9.8, reflecting network attack vector, low attack complexity, no required privileges or user interaction, and full impact on confidentiality, integrity, and availability.
An unauthenticated attacker with network access to an exposed OMI management interface can exploit the issue to bypass authentication and execute arbitrary code on the affected system. Public exploit code targeting this authentication bypass in the OMI management interface has been published, confirming that the attack path is practical.
Microsoft published an advisory detailing the vulnerability and available updates, while CISA added CVE-2021-38647 to its catalog of known exploited vulnerabilities, indicating confirmed in-the-wild exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-25086
Vulnerability details
Open Management Infrastructure Remote Code Execution Vulnerability
- CWE(s)
- KEV Date Added
- 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces authentication and authorization on the OMI management interface, blocking the unauthenticated remote code execution path described in the CVE.
- SI-2 (Flaw Remediation): Requires prompt application of vendor patches to eliminate the OMI RCE flaw before unauthenticated attackers can exploit it.
- Restricts network exposure of the OMI management port to only authorized sources, reducing the attack surface for the network-based exploit.