CVE-2024-21330
📋 TL;DR
CVE-2024-21330 is an elevation of privilege vulnerability in Microsoft's Open Management Infrastructure (OMI), the CIM/WS-Management server that several Microsoft agents run on Linux and Unix-like systems. An attacker who already has authenticated access can use it to run arbitrary code as root, the account the OMI server runs under. Valid credentials are required; this is not an unauthenticated remote hole.
💻 Affected Systems
- Microsoft Open Management Infrastructure (OMI) on Linux and Unix-like systems
📦 What is this software?
OMI is Microsoft's open-source CIM/WS-Management server for Linux and Unix. The following Microsoft products bundle or depend on it and are listed as affected:
- Azure Automation Update Management
- Azure Sentinel
- Operations Management Suite Agent for Linux
- System Center Operations Manager
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the host as root: complete control over the system, data theft, lateral movement toward the management servers that talk to it, and persistence.
Likely Case
Escalation from a low-privileged authenticated user to root on a single host, followed by malware installation, credential harvesting, and further movement in the network.
If Mitigated
Limited impact: network restrictions reduce who can reach the OMI endpoints, least privilege reduces who holds credentials that can authenticate to OMI, and monitoring shortens time to detection. None of these removes the flaw; only the patch does.
🎯 Exploit Status
Exploitation requires an authenticated session, but once an attacker holds valid credentials the attack itself is low complexity.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check the Microsoft Security Update Guide for the specific fixed OMI version
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21330
Restart Required: Yes (the OMI service, omid, keeps the old binary in memory until it is restarted)
Instructions:
1. Apply the Microsoft security updates for the affected products; these ship the updated OMI.
2. On Linux/Unix hosts where the omi package is installed, update it with the system package manager (rpm or dpkg) to the fixed version named in the advisory.
3. Restart the OMI service (systemctl restart omid) or reboot the host, then confirm the running omiserver process started after the upgrade.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to the OMI endpoints (TCP 5985, 5986, and 1270, the last used by SCOM) to trusted management systems only. Replace trusted_ip with the management server address, and first confirm OMI is actually listening on those ports (ss -ltnp | grep omiserver). Because this vulnerability needs an authenticated session, filtering shrinks the set of hosts that can reach OMI but does nothing against an attacker who already has an account on the host.
for p in 5985 5986 1270; do
  iptables -A INPUT -p tcp --dport "$p" -s trusted_ip -j ACCEPT
  iptables -A INPUT -p tcp --dport "$p" -j DROP
done
Disable OMI if Not Needed
Stop and disable the OMI service (the systemd unit is omid) if nothing on the host requires it. The agents listed above (SCOM, OMS Agent for Linux) depend on OMI, so disabling it breaks their monitoring.
systemctl stop omid
systemctl disable omid
🧯 If You Can't Patch
- Implement strict network access controls to limit OMI endpoint exposure
- Enforce least privilege access and monitor for suspicious authentication attempts
🔍 How to Verify
Check if Vulnerable:
Compare the installed OMI package version against the fixed version in the advisory: rpm -q omi on RPM-based systems, dpkg -l omi on Debian-based systems. Any version below the fixed one is vulnerable.
Check Version:
omicli -v
Verify Fix Applied:
Confirm the package version is at or above the fixed version, that omid is active (systemctl is-active omid), and that the omiserver process was started after the package was upgraded; an upgraded package with the old process still running is not fixed.
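The version check above, as an added example that is not from the advisory page or from Microsoft. It reads the installed omi package version from whichever package manager is present and compares it, version-aware, with the fixed version passed as the first argument; the fixed version is a parameter because the page defers to the Security Update Guide for it, and the version strings in the comments are constructed samples, not real OMI release numbers.

```shell
#!/bin/sh
# Added example: compare the installed OMI package version with the fixed
# version from the MSRC advisory. Usage: sh omi_check.sh <fixed-version>
# Version strings used here (e.g. 1.6.8-1) are constructed samples.

# True (exit 0) when version $1 sorts strictly before version $2.
# sort -V understands dotted numeric versions, so 1.6.9 < 1.6.10 compares
# correctly, unlike a plain string comparison.
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# Installed OMI version, or empty output if the omi package is absent.
# RPM reports VERSION-RELEASE; dpkg reports its own Version field, so
# compare against the fixed version in the same form your manager shows.
installed_omi_version() {
  if command -v rpm >/dev/null 2>&1 && rpm -q omi >/dev/null 2>&1; then
    rpm -q --queryformat '%{VERSION}-%{RELEASE}\n' omi
  elif command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f '${Version}\n' omi 2>/dev/null || true
  fi
}

# Prints one of: not-installed | vulnerable (<installed> < <fixed>) | patched (<installed>)
omi_status() {
  fixed="$1"
  installed="$(installed_omi_version)"
  if [ -z "$installed" ]; then
    echo "not-installed"
  elif version_lt "$installed" "$fixed"; then
    echo "vulnerable ($installed < $fixed)"
  else
    echo "patched ($installed)"
  fi
}

# Even a patched package is not effective until omid has been restarted;
# report the service state alongside the package verdict.
if [ -n "${1:-}" ]; then
  omi_status "$1"
  command -v systemctl >/dev/null 2>&1 && echo "omid: $(systemctl is-active omid 2>/dev/null || echo unknown)"
fi
```

Run it as `sh omi_check.sh <fixed-version>` with the version taken from the advisory; a "vulnerable" verdict, or a "patched" verdict with omid still running the pre-upgrade binary, both mean the host is not yet fixed.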
📡 Detection & Monitoring
Log Indicators:
- Bursts of failed or unusual authentications against OMI. OMI authenticates local accounts through PAM, so failures appear in the system auth log (/var/log/auth.log or /var/log/secure); server-side errors go to /var/opt/omi/log/omiserver.log.
- Processes running as root whose parent chain leads back to omiserver or omiagent but that are not OMI binaries themselves (shells, curl, package managers).
- Failed privilege escalation attempts on the host shortly after OMI activity from the same account.
Network Indicators:
- Connections to the OMI ports (TCP 5985, 5986, 1270) from hosts other than the known management servers.
SIEM Query (pseudo-syntax; adapt field names to your platform):
source="*omi*" AND (event_type="authentication" OR event_type="process_creation")
For Linux EDR telemetry the higher-signal filter is: parent_process IN (omiserver, omiagent) AND user="root" AND process NOT IN (omiserver, omiagent).
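The second log indicator above, as an added hunting check that is not from the advisory page or from Microsoft. It walks a process snapshot and flags root processes whose ancestry includes omiserver or omiagent (OMI's real binary names) but which are not OMI binaries themselves. The snapshot embedded below is constructed; on a live host the same function is fed from ps.

```shell
#!/bin/sh
# Added example: find root processes descended from the OMI server.
# Input lines are "pid ppid user comm", the format of
#   ps -eo pid,ppid,user,comm --no-headers
# SAMPLE_PS is a constructed snapshot, not captured from a real host:
# omiagent 910 runs as a low-privileged user (normal), while a root
# omiagent 950 has spawned bash and curl, which is what a successful
# escalation through OMI would look like.
SAMPLE_PS='1 0 root systemd
842 1 root omiserver
910 842 scom omiagent
911 910 scom sh
950 842 root omiagent
951 950 root bash
952 951 root curl
960 1 root sshd'

# Prints "pid user comm" for every root process whose ancestor chain
# contains omiserver or omiagent, skipping the OMI binaries themselves.
# Output is sorted by pid so results are stable.
omi_root_descendants() {
  awk '
    { seen[$1] = 1; parent[$1] = $2; user[$1] = $3; comm[$1] = $4 }
    END {
      for (p in seen) {
        # Only root processes matter, and OMI components are expected.
        if (user[p] != "root" || comm[p] ~ /^omi(server|agent)$/) continue
        a = parent[p]; hit = 0
        # Walk up until we hit an OMI process or run out of known parents.
        while (a in seen) {
          if (comm[a] ~ /^omi(server|agent)$/) { hit = 1; break }
          a = parent[a]
        }
        if (hit) printf "%s %s %s\n", p, user[p], comm[p]
      }
    }' | sort -n
}

# Run over the constructed sample. On a live host use:
#   ps -eo pid,ppid,user,comm --no-headers | omi_root_descendants
printf '%s\n' "$SAMPLE_PS" | omi_root_descendants
```

A root omiagent on its own is not flagged, because some providers legitimately run as root; the signal is a non-OMI process (here bash and curl) that inherits that root context. Tune the exclusion list to the providers your agents actually run.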