McAfee Enterprise coverage for CVE-2021-38647 Remote Code Execution Vulnerability

技術的な記事 ID: KB94887
最終更新: 9/15/2021

環境

Linux systems running Azure's Open Management Infrastructure (OMI) Agent

概要

Recent updates to this article

Date	Update
September 15, 2021	Added EDR RTS queries. Initial publication.

To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.

McAfee Enterprise is investigating a recent vulnerability, CVE-2021-38647, reported by Microsoft as part of the September 2021 Patch Tuesday security updates. This vulnerability applies to Azure OMI. This vulnerability is rated with a CVSS(3.1) score of 9.8.

CVE-2021-38647 is considered the most critical of a collection of recent vulnerabilities released by Microsoft, collectively being referred to as the "OMIGOD" vulnerabilities. The full list of vulnerabilities is CVE-2021-38647, CVE-2021-38648, CVE-2021-38645, and CVE-2021-38649. For more information, see the official Microsoft update guide on CVE-2021-38647.

問題

This vulnerability can be leveraged to remotely gain access with root permissions on a virtual workload running a Linux-based operating system and execute code. By sending an HTTP/S request with the Authorization header removed, an attacker can use this vulnerability to gain root permissions on the victim system.

What is Azure OMI?

The OMI Agent is leveraged in many popular Azure services. Microsoft references Azure Operations Management Suite (OMS) and System Center for Linux, which can be used with on-premises Linux systems.

解決策

It’s important to note that Microsoft has released a patch in the OMI Agent, released on September 11, 2021. System owners can apply the patch to remediate the vulnerability. This patch is available directly from the Microsoft OMI Agent GitHub repository under the 1.6.8-1 release.

IMPORTANT: To be sufficiently protected by the security updates provided by Microsoft for "OMIGOD" vulnerabilities, customers must take manual action to deploy required patches. Azure OMI doesn’t apply this patch automatically.

How can McAfee Enterprise product solutions help?

McAfee Enterprise is evaluating product coverage across our portfolio. This article will be updated as product coverage is identified.

Product capabilities are available for the following components:

Endpoint Security for Linux Firewall: Block inbound connections for affected ports; block the OMI service from network communications.
MVISION EDR/McAfee Active Response: Search for connections by port and user privilege.
Real Time Search -
The following query can be used to identify systems running the OMI Agent and the respective version of the service installed:

Software and HostInfo hostname where Software displayname contains omi

The following query can be used to identify traffic coming from the omiengine service:

Processes and CurrentFlow and HostInfo hostname where Processes name equals omiengine
Application Control: Prevent the OMI service from execution.

NOTE: Common OMI ports are 5986, 5985, and 1270. But, custom configurations options for OMI ports are available. Customers should investigate internally what is being used in their environment. Additionally, as further testing is done, these steps will be outlined in more detail.

Additional product coverage is being evaluated for the following products:

Cloud Native Application Protection Platform (CNAPP)
Cloud Workload Protection Platform (CWPP)

To receive continued updates, subscribe to this article and to Support Notification Service (SNS).

影響を受ける製品

Application and Change Control 8.3.x
Application and Change Control 8.2.x
Application and Change Control 8.1.x
Application and Change Control 8.0.x
Best Practices
Endpoint Security for Linux Firewall 10.7.x
Endpoint Security for Linux Firewall 10.6.x
McAfee Active Response 2.x
MVISION EDR - All Versions
Threat Prevention and Removal
Vulnerability Response

言語:

この記事は、次の言語で表示可能です:

English United States
Japanese
Chinese Simplified

技術用語集

用語集にある用語をハイライトする

当社の技術用語集を参照してください。

Knowledge Center

McAfee Enterprise coverage for CVE-2021-38647 Remote Code Execution Vulnerability

環境

概要

問題

解決策

関連情報

影響を受ける製品

言語:

技術用語集

Title

Title

Knowledge Center

McAfee Enterprise coverage for CVE-2021-38647 Remote Code Execution Vulnerability

環境

概要

問題

解決策

関連情報

影響を受ける製品

言語:

技術用語集

地域を選択してください

Title

Title