[updated] Patch now! PrintNightmare over, MSHTML fixed, a new horror appears … OMIGOD
Exploits and vulnerabilities
The September 2021 Patch Tuesday could be remembered as the final patching attempt in the PrintNightmare… nightmare. The ease with which the vulnerabilities shrugged off the August patches doesn’t look likely to get a rerun: so far we haven’t seen any indication that this patch is as easy to circumvent.
The total count of fixes for this Patch Tuesday tallies up to 86, including 26 for Microsoft Edge alone. Only a few of these vulnerabilities are listed as zero-days and two of them are “old friends”. There is a third, less-likely-to-be-exploited one, and then we get to introduce a whole new set of vulnerabilities nicknamed OMIGOD, for reasons that will become obvious.
Azure was the subject of five CVEs, one of them listed as critical. The four that affect the Open Management Infrastructure (OMI) were found by researchers, grouped together, and received the nickname OMIGOD.
PrintNightmare is the name of a set of vulnerabilities that allow a standard user on a Windows network to execute arbitrary code on an affected machine (including domain controllers) as SYSTEM, allowing them to elevate their privileges as far as domain admin. Users trigger the flaw by simply feeding a malicious printer driver to a vulnerable machine, and could use their new-found superpowers to install programs; view, change, or delete data; or create new accounts with full user rights.
The problem was made worse by significant confusion about whether PrintNightmare was a known, patched problem or an entirely new problem, and by repeated, at best partially-successful, attempts to patch it.
This month, Microsoft patched the remaining Print Spooler vulnerabilities under CVE-2021-36958. Fingers crossed.
This zero-day vulnerability that felt like a ghost from the past (it involved ActiveX, remember that?) was only found last week, but has attracted significant attention. It was listed as CVE-2021-40444, a Remote Code Execution (RCE) vulnerability in Microsoft MSHTML.
Threat actors were sharing PoCs, tutorials and exploits on hacking forums, so that every script kiddy and wannabe hacker was able to follow step-by-step instructions in order to launch their own attacks. Microsoft published mitigation instructions that disabled the installation of new ActiveX controls, but this turned out to be easy to work around for attackers.
Given the short window of opportunity, there was some doubt about whether a fix would be included in this Patch Tuesday, but it looks like Microsoft managed to pull it off.
This vulnerability was listed as CVE-2021-36968 and affects systems running Windows Server 2008 R2 SP1, SP2 and Windows 7 SP1. It exists because Windows DNS does not properly impose security restrictions. The vulnerability is listed as a zero-day because it has been publicly disclosed, not because it is actively being exploited.
Microsoft says that exploitation is “less likely”, perhaps because it requires initial authentication and can only be exploited locally. If these conditions are met this bug can be used to accomplish elevation of privilege (EoP).
OMIGOD is the name for a set of four vulnerabilities in the Open Management Infrastructure (OMI) that you will find embedded in many popular Azure services. The CVEs are:
The researchers that discovered the vulnerabilities consider OMIGOD to be a result of the supply-chain risks that come with using open-source code:
Wiz’s research team recently discovered a series of alarming vulnerabilities that highlight the supply chain risk of open source code, particularly for customers of cloud computing services.
OMI runs as root (the highest privilege level) and is activated within Azure when users enable certain services, like distributed logging, or other management tools and services. It’s likely that many users aren’t even aware they have it running.
The RCE vulnerability (CVE-2021-38647) can be exploited in situations where the OMI ports are accessible to the Internet to allow for remote management. In this configuration, any user can communicate with it using a UNIX socket or via an HTTP API, and any user can abuse it to remotely execute code or escalate privileges.
A coding mistake means that any incoming request to the service without an authorization header has its privileges default to uid=0, gid=0, which is root.

OMIGOD, right?
The researchers report that the flaw can only be used to remotely take over a target when OMI exposes the HTTPS management port externally. This is the default configuration when OMI is installed standalone, and in Azure Configuration Management or System Center Operations Manager (SCOM). Other Azure services (such as Log Analytics) do not expose this port, so in those cases the scope is limited to local privilege escalation.
They advise all Azure customers to connect to their Azure VMs and run the commands below in their terminal to ensure OMI is updated to the latest version:
If OMI isn’t installed, the commands won’t return any results, and your machine isn’t vulnerable. Version 1.6.8.1 is the patched version. All earlier versions need to be patched.
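The check described above, written out as an added example (not the article’s own commands, and not from Wiz or Microsoft): it queries the package manager for the OMI version, classifies it against the patched release 1.6.8.1 named above, and, going one step beyond the text, inspects `ss -ltn` output to tell whether the management ports are bound to a non-loopback address, which is what separates the remote takeover case from the local privilege escalation case. The package name `omi` and the port numbers 5985/5986/1270 are assumptions, as is the constructed sample listener output used to exercise the parser.

```shell
#!/bin/sh
# Added example (not from the article, Wiz or Microsoft). Classify the installed
# OMI version against the patched release named in the article, and check
# whether the OMI management listeners are exposed beyond loopback.
# Assumptions: the package is named "omi" in dpkg/rpm; the OMI management ports
# are 5985 (HTTP), 5986 (HTTPS) and 1270 (SCOM).

PATCHED_OMI_VERSION="1.6.8.1"

# version_ge A B: return 0 (true) when dotted version A >= B, comparing numeric
# components in turn. Hyphens are treated as dots and non-digit suffixes
# ("1ubuntu1") are ignored so distro-style versions do not break the compare.
version_ge() {
    v1=$(printf '%s' "$1" | sed 's/-/./g')
    v2=$(printf '%s' "$2" | sed 's/-/./g')
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        p1=${v1%%.*}; p1=${p1%%[!0-9]*}
        p2=${v2%%.*}; p2=${p2%%[!0-9]*}
        if [ -z "$p1" ]; then p1=0; fi
        if [ -z "$p2" ]; then p2=0; fi
        if [ "$p1" -gt "$p2" ]; then return 0; fi
        if [ "$p1" -lt "$p2" ]; then return 1; fi
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
    done
    return 0   # identical versions
}

# omi_status VERSION: print not-installed | patched | vulnerable.
# An empty version means the package is absent, which the article treats as
# "not vulnerable".
omi_status() {
    if [ -z "$1" ]; then
        echo "not-installed"
    elif version_ge "$1" "$PATCHED_OMI_VERSION"; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# installed_omi_version: print the OMI package version from dpkg or rpm, or an
# empty line when the package is not installed.
installed_omi_version() {
    ver=
    if command -v dpkg-query >/dev/null 2>&1; then
        ver=$(dpkg-query -W -f '${Version}' omi 2>/dev/null) || ver=
    fi
    if [ -z "$ver" ] && command -v rpm >/dev/null 2>&1; then
        ver=$(rpm -q --qf '%{VERSION}' omi 2>/dev/null) || ver=
    fi
    printf '%s\n' "$ver"
}

# exposed_omi_ports: read "ss -ltn" output on stdin and print each OMI
# management port bound to a non-loopback address (no output = not exposed).
exposed_omi_ports() {
    awk 'NR > 1 {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if ((port == 5985 || port == 5986 || port == 1270) &&
            addr !~ /^(127\.|\[?::1\]?$)/) print port
    }'
}

# Constructed sample of "ss -ltn" output (not captured from a real host):
# 5985 is loopback-only, 5986 listens on all interfaces.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:5985     0.0.0.0:*
LISTEN 0      128    *:5986             *:*'

# Live check when run directly; set OMI_CHECK_DRY_RUN=1 to only load functions.
if [ -z "${OMI_CHECK_DRY_RUN:-}" ]; then
    ver=$(installed_omi_version)
    echo "OMI version: ${ver:-<not installed>} -> $(omi_status "$ver")"
    if command -v ss >/dev/null 2>&1; then
        ports=$(ss -ltn 2>/dev/null | exposed_omi_ports)
        echo "OMI management ports exposed beyond loopback: ${ports:-none}"
    fi
fi
```

A host that reports `vulnerable` but no exposed ports matches the article’s local-privilege-escalation case; `vulnerable` plus an exposed 5986 is the remote case and should be patched first.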
After a proof-of-concept exploit was published on the code hosting website GitHub, attackers were seen scanning for Linux servers running on Microsoft’s Azure cloud infrastructure that are vulnerable to the security flaw called OMIGOD.
According to reports from security researchers, the attackers use the OMIGOD exploit to deploy malware that ensnares the hacked server into cryptomining or DDoS botnets.
ABOUT THE AUTHOR

Malware Intelligence Researcher
Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.