© 2024 Prancer Enterprise
Blog
Share This Post
Recent Posts
automated offensive security
Offensive Security Unveiled: Navigating Vulnerability Assessments, Penetration Testing, and Red Teaming with Prancer
March 26, 2024
Application Security Training
Application Security Training: Empowering Your Cyber Defense (7 Essential Courses to Enhance Your Skills)
February 29, 2024
penetration testing jobs entry level
Penetration Testing Jobs Entry Level: Starting Your Cybersecurity Career (5 Key Steps to Break into the Field)
February 29, 2024
How Prancer protects Azure VMs from Critical “OMIGOD” vulnerabilities
Prancer
October 7, 2021
OMI vulnerabilities

Wiz.io, a security research firm, recently found four vulnerabilities in Microsoft’s Open Management Infrastructure (OMI) framework. With these OMI vulnerabilities, hackers could use them remotely to gain root access on Linux servers running on the Azure cloud and enable them to take control of your system.

Vulnerable servers came under attack by botnets exploiting a flaw in Open Management Infrastructure (OMI) agent. Due to its severity, the vulnerability termed “OMIGOD” was quickly exploited and resulted in many malicious cyberattacks on computers worldwide, including Denial-of-Service attacks until they could be patched up.

Since then, Microsoft has released updates for their customers to mitigate this issue. However, the lack of secure Network Security Group policies on the Linux systems that expose OMI ports TCP 5985-5986 & 1270 to the internet allowed the remote code execution and privilege escalation on the Azure Linux servers.

This emphasizes the importance of policy-based cloud preventive and detective controls. Prancer’s open Policy-based rules engine and static code analyzer continuously validates the network security policies at deployment time and run time to protect its customers from OMIGOD and other vulnerabilities.

Prancer Platform Compliance database includes the vulnerability check for OMI ports for all the clouds. You can review our Cloud Compliance policies here at : https://github.com/prancer-io/prancer-compliance-test

The detail of the Security Group rule is available here to review:

default inbound_insecure_omi_port = null

azure_issue["inbound_insecure_omi_port"] {
    to_number(nsg_inbound[_]) == 5985
}

azure_issue["inbound_insecure_omi_port"] {
    to_number(nsg_inbound[_]) == 5986
}

azure_issue["inbound_insecure_omi_port"] {
    to_number(nsg_inbound[_]) == 1270
}

inbound_insecure_omi_port {
    azure_issue["inbound_insecure_omi_port"]
}

inbound_insecure_omi_port = false {
    lower(input.resources[_].type) == "azurerm_network_security_rule"
    not azure_issue["inbound_insecure_omi_port"]
}

inbound_insecure_omi_port_err = "Azure Network Security Group (NSG) currently not protecting OMIGOD attack from internet" {
    azure_issue["inbound_insecure_omi_port"]
}

inbound_insecure_omi_port_metadata := {
    "Policy Code": "PR-AZR-0100-TRF",
    "Type": "IaC",
    "Product": "AZR",
    "Language": "Terraform",
    "Policy Title": "Azure Network Security Group (NSG) should protect OMIGOD attack from internet",
    "Policy Description": "Blocking OMI port 5985, 5986, 1270 will protect vnet/subnet/vms from OMIGOD attacks from internet.",
    "Resource Type": "azurerm_network_security_rule",
    "Policy Help URL": "",
    "Resource Help URL": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule"
}