© 2021 Prancer, Inc.


How Prancer protects Azure VMs from Critical “OMIGOD” vulnerabilities

Prancer
October 7, 2021

Wiz.io, a security research firm, recently found four vulnerabilities in Microsoft’s Open Management Infrastructure (OMI) framework. These OMI vulnerabilities allow attackers to remotely gain root access on Linux servers running in the Azure cloud and take control of the system.

Vulnerable servers came under attack by botnets exploiting a flaw in the Open Management Infrastructure (OMI) agent. Due to its severity, the vulnerability, termed “OMIGOD”, was quickly exploited and resulted in many malicious cyberattacks on computers worldwide, including Denial-of-Service attacks, until the affected systems could be patched.

Since then, Microsoft has released updates for its customers to mitigate this issue. However, the lack of secure Network Security Group (NSG) policies on Linux systems that expose the OMI ports TCP 5985, 5986 and 1270 to the internet allowed remote code execution and privilege escalation on Azure Linux servers.

This emphasizes the importance of policy-based preventive and detective cloud controls. Prancer’s open policy-based rules engine and static code analyzer continuously validate network security policies at deployment time and at run time to protect its customers from OMIGOD and other vulnerabilities.

The Prancer Platform compliance database includes the vulnerability check for the OMI ports for all supported clouds. You can review our cloud compliance policies here: https://github.com/prancer-io/prancer-compliance-test

The Network Security Group rule is reproduced here for review:

# Excerpt from the Terraform (IaC) policy. The package declaration and the
# nsg_inbound helper (assumed here to be the set of destination ports taken
# from inbound NSG rules in input.resources) are defined earlier in the same
# policy file and are not shown in this excerpt.
default inbound_insecure_omi_port = null

# Raise the issue when any inbound NSG rule opens one of the three OMI ports.
azure_issue["inbound_insecure_omi_port"] {
    to_number(nsg_inbound[_]) == 5985
}

azure_issue["inbound_insecure_omi_port"] {
    to_number(nsg_inbound[_]) == 5986
}

azure_issue["inbound_insecure_omi_port"] {
    to_number(nsg_inbound[_]) == 1270
}

# The rule evaluates to true (finding present) whenever the issue is raised.
inbound_insecure_omi_port {
    azure_issue["inbound_insecure_omi_port"]
}

# It evaluates to false (compliant) only when NSG rules exist in the input
# and none of them opens an OMI port; with no NSG rules it stays null.
inbound_insecure_omi_port = false {
    lower(input.resources[_].type) == "azurerm_network_security_rule"
    not azure_issue["inbound_insecure_omi_port"]
}

# Message reported alongside a failing result.
inbound_insecure_omi_port_err = "Azure Network Security Group (NSG) currently not protecting OMIGOD attack from internet" {
    azure_issue["inbound_insecure_omi_port"]
}

inbound_insecure_omi_port_metadata := {
    "Policy Code": "PR-AZR-0100-TRF",
    "Type": "IaC",
    "Product": "AZR",
    "Language": "Terraform",
    "Policy Title": "Azure Network Security Group (NSG) should protect OMIGOD attack from internet",
    "Policy Description": "Blocking OMI port 5985, 5986, 1270 will protect vnet/subnet/vms from OMIGOD attacks from internet.",
    "Resource Type": "azurerm_network_security_rule",
    "Policy Help URL": "",
    "Resource Help URL": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule"
}
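The Rego rule above matches each inbound destination port exactly against 5985, 5986 and 1270. A rule written as a port range (for example `5000-6000`) or as `*` also opens those ports without ever producing the literal number, so a practitioner reviewing NSG policy wants a check that expands ranges and wildcards and that only counts inbound Allow rules whose source is the internet. The following stand-alone Python checker is an added example, not Prancer's code and not part of the compliance repository; it assumes input in the shape of Terraform plan JSON entries (`type`, `name`, `values`) using the real `azurerm_network_security_rule` attributes `direction`, `access`, `protocol`, `destination_port_range(s)` and `source_address_prefix(es)`, and the sample resources embedded in it are constructed for the demonstration. It goes beyond the page's rule by handling port ranges and wildcards, and shows the difference by also running the exact-match variant.

```python
# Added example (not Prancer's code): flag azurerm_network_security_rule
# resources that expose the OMI ports 5985, 5986 or 1270 to the internet.

OMI_PORTS = {5985, 5986, 1270}
# Source prefixes that mean "any address on the internet" for an NSG rule.
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0"}


def port_spec_covers(spec, port):
    """True if an NSG port spec ('*', '5985' or '5000-6000') includes port."""
    spec = str(spec).strip()
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def port_spec_equals(spec, port):
    """Exact-match variant, equivalent to to_number(spec) == port in the
    Rego rule: a range or '*' never matches."""
    spec = str(spec).strip()
    return spec.isdigit() and int(spec) == port


def destination_port_specs(rule):
    """Collect the singular and plural destination port attributes."""
    specs = []
    if rule.get("destination_port_range"):
        specs.append(rule["destination_port_range"])
    specs.extend(rule.get("destination_port_ranges") or [])
    return specs


def source_prefixes(rule):
    """Collect the singular and plural source address attributes."""
    prefixes = []
    if rule.get("source_address_prefix"):
        prefixes.append(rule["source_address_prefix"])
    prefixes.extend(rule.get("source_address_prefixes") or [])
    return prefixes


def rule_exposes_omi(rule, covers=port_spec_covers):
    """An inbound Allow rule for TCP (or any protocol) from an internet
    source whose destination ports include at least one OMI port."""
    if rule.get("direction", "").lower() != "inbound":
        return False
    if rule.get("access", "").lower() != "allow":
        return False
    if rule.get("protocol", "*").lower() not in ("*", "tcp"):
        return False
    if not any(p.lower() in INTERNET_SOURCES for p in source_prefixes(rule)):
        return False
    return any(covers(spec, port)
               for spec in destination_port_specs(rule)
               for port in OMI_PORTS)


def find_exposed_omi_rules(resources, covers=port_spec_covers):
    """Names of NSG rule resources that open an OMI port to the internet."""
    return [r["name"] for r in resources
            if r.get("type", "").lower() == "azurerm_network_security_rule"
            and rule_exposes_omi(r["values"], covers)]


# Constructed sample resources in the shape of Terraform plan JSON entries.
SAMPLE_RESOURCES = [
    {"type": "azurerm_network_security_rule", "name": "allow_winrm",
     "values": {"direction": "Inbound", "access": "Allow", "protocol": "Tcp",
                "destination_port_range": "5985",
                "source_address_prefix": "*"}},
    {"type": "azurerm_network_security_rule", "name": "allow_mgmt_range",
     "values": {"direction": "Inbound", "access": "Allow", "protocol": "*",
                "destination_port_ranges": ["5000-6000"],
                "source_address_prefix": "Internet"}},
    {"type": "azurerm_network_security_rule", "name": "allow_omi_from_vnet",
     "values": {"direction": "Inbound", "access": "Allow", "protocol": "Tcp",
                "destination_port_range": "1270",
                "source_address_prefix": "VirtualNetwork"}},
    {"type": "azurerm_network_security_rule", "name": "deny_omi",
     "values": {"direction": "Inbound", "access": "Deny", "protocol": "Tcp",
                "destination_port_range": "5986",
                "source_address_prefix": "*"}},
    {"type": "azurerm_linux_virtual_machine", "name": "vm1", "values": {}},
]

if __name__ == "__main__":
    print("range-aware:", find_exposed_omi_rules(SAMPLE_RESOURCES))
    print("exact-match:", find_exposed_omi_rules(SAMPLE_RESOURCES, port_spec_equals))
```

Run against the constructed sample, the range-aware check flags both `allow_winrm` and `allow_mgmt_range`, while the exact-match variant flags only `allow_winrm` and silently passes the `5000-6000` rule that also opens 5985 and 5986. The rule restricted to `VirtualNetwork` and the explicit Deny rule are correctly left alone in both modes.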