-
Notifications
You must be signed in to change notification settings - Fork 595
/
vul_cve_2021_386471_omi.yar
37 lines (36 loc) · 1.32 KB
/
vul_cve_2021_386471_omi.yar
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
rule VULN_LNX_OMI_RCE_CVE_2021_386471_Sep21 {
meta:
description = "Detects a Linux OMI version vulnerable to CVE-2021-38647 (OMIGOD) which enables an unauthenticated RCE"
author = "Christian Burkard"
date = "2021-09-16"
reference = "https://www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution"
score = 50
id = "ca49f0cc-ea33-559c-bd4f-306a01315fce"
strings:
$a1 = "/opt/omi/bin/omiagent" ascii fullword
$s1 = "OMI-1.6.8-0 - " ascii
$s2 = "OMI-1.6.6-0 - " ascii
$s3 = "OMI-1.6.4-1 - " ascii
$s4 = "OMI-1.6.4-0 - " ascii
$s5 = "OMI-1.6.2-0 - " ascii
$s6 = "OMI-1.6.1-0 - " ascii
$s7 = "OMI-1.5.0-0 - " ascii
$s8 = "OMI-1.4.4-0 - " ascii
$s9 = "OMI-1.4.3-2 - " ascii
$s10 = "OMI-1.4.3-1 - " ascii
$s11 = "OMI-1.4.3-0 - " ascii
$s12 = "OMI-1.4.2-5 - " ascii
$s13 = "OMI-1.4.2-4 - " ascii
$s14 = "OMI-1.4.2-3 - " ascii
$s15 = "OMI-1.4.2-2 - " ascii
$s16 = "OMI-1.4.2-1 - " ascii
$s17 = "OMI-1.4.1-1 - " ascii
$s18 = "OMI-1.4.1-0 - " ascii
$s19 = "OMI-1.4.0-6 - " ascii
// older versions are no longer supported by current openssl
// and are from before 2018
condition:
uint32be(0) == 0x7f454c46
and $a1
and 1 of ($s*)
}