Sneed-Reactivity/yara-Neo23x0/vul_cve_2021_386471_omi.yar

rule VULN_LNX_OMI_RCE_CVE_2021_386471_Sep21 {
   meta:
      description = "Detects a Linux OMI version vulnerable to CVE-2021-38647 (OMIGOD) which enables an unauthenticated RCE"
      author = "Christian Burkard"
      date = "2021-09-16"
      reference = "https://www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution"
      score = 50
      id = "ca49f0cc-ea33-559c-bd4f-306a01315fce"
   strings:
      $a1 = "/opt/omi/bin/omiagent" ascii fullword
      
      $s1 = "OMI-1.6.8-0 - " ascii
      $s2 = "OMI-1.6.6-0 - " ascii
      $s3 = "OMI-1.6.4-1 - " ascii
      $s4 = "OMI-1.6.4-0 - " ascii
      $s5 = "OMI-1.6.2-0 - " ascii
      $s6 = "OMI-1.6.1-0 - " ascii
      $s7 = "OMI-1.5.0-0 - " ascii
      $s8 = "OMI-1.4.4-0 - " ascii
      $s9 = "OMI-1.4.3-2 - " ascii
      $s10 = "OMI-1.4.3-1 - " ascii
      $s11 = "OMI-1.4.3-0 - " ascii
      $s12 = "OMI-1.4.2-5 - " ascii
      $s13 = "OMI-1.4.2-4 - " ascii
      $s14 = "OMI-1.4.2-3 - " ascii
      $s15 = "OMI-1.4.2-2 - " ascii
      $s16 = "OMI-1.4.2-1 - " ascii
      $s17 = "OMI-1.4.1-1 - " ascii
      $s18 = "OMI-1.4.1-0 - " ascii
      $s19 = "OMI-1.4.0-6 - " ascii
      // older versions are no longer supported by current openssl
      // and are from before 2018
   condition:
      uint32be(0) == 0x7f454c46
      and $a1
      and 1 of ($s*)
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00			`rule VULN_LNX_OMI_RCE_CVE_2021_386471_Sep21 {`
			`meta:`
			`description = "Detects a Linux OMI version vulnerable to CVE-2021-38647 (OMIGOD) which enables an unauthenticated RCE"`
			`author = "Christian Burkard"`
			`date = "2021-09-16"`
			`reference = "https://www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution"`
			`score = 50`
			`id = "ca49f0cc-ea33-559c-bd4f-306a01315fce"`
			`strings:`
			`$a1 = "/opt/omi/bin/omiagent" ascii fullword`

			`$s1 = "OMI-1.6.8-0 - " ascii`
			`$s2 = "OMI-1.6.6-0 - " ascii`
			`$s3 = "OMI-1.6.4-1 - " ascii`
			`$s4 = "OMI-1.6.4-0 - " ascii`
			`$s5 = "OMI-1.6.2-0 - " ascii`
			`$s6 = "OMI-1.6.1-0 - " ascii`
			`$s7 = "OMI-1.5.0-0 - " ascii`
			`$s8 = "OMI-1.4.4-0 - " ascii`
			`$s9 = "OMI-1.4.3-2 - " ascii`
			`$s10 = "OMI-1.4.3-1 - " ascii`
			`$s11 = "OMI-1.4.3-0 - " ascii`
			`$s12 = "OMI-1.4.2-5 - " ascii`
			`$s13 = "OMI-1.4.2-4 - " ascii`
			`$s14 = "OMI-1.4.2-3 - " ascii`
			`$s15 = "OMI-1.4.2-2 - " ascii`
			`$s16 = "OMI-1.4.2-1 - " ascii`
			`$s17 = "OMI-1.4.1-1 - " ascii`
			`$s18 = "OMI-1.4.1-0 - " ascii`
			`$s19 = "OMI-1.4.0-6 - " ascii`
			`// older versions are no longer supported by current openssl`
			`// and are from before 2018`
			`condition:`
			`uint32be(0) == 0x7f454c46`
			`and $a1`
			`and 1 of ($s*)`
			`}`