Cloud security vendor Wiz, who also found a massive vulnerability in Microsoft Azure’s CosmosDB-managed database service recently, has found another security vulnerability in Azure that impacts Linux virtual machines. Users could end up with a little-known service called OMI installed as a byproduct of enabling any of several logging reporting and/or management options in Azure’s UI.
In the worst case scenario, the vulnerability in OMI could be used for remote root code execution— though in many cases, Azure’s on-by-default, outside-the-VM firewall will limit it to most customers’ internal networks only.
We asked security experts to comment on the vulnerability and provide advice:
Trevor Morgan, product manager at comforte AG said:
“The report that Wiz has discovered a vulnerability in Azure, which in the worst-case scenario has the potential to execute root-level code but is mostly mitigated by Azure’s on-by-default outside-the-VM firewall, should encourage every organisation to confront a simple fact about cloud security: you need to go far beyond basic perimeter-based security when pushing workflows and more importantly sensitive data into your public cloud environments. Vulnerabilities are always hiding somewhere in the perimeters around cloud-based data, just waiting to be discovered and exploited, so your defensive posture should focus on protecting the data itself. Data-centric security such as tokenisation and format-preserving encryption can replace sensitive data elements with benign representational tokens, so even if perimeter breaches or vulnerabilities lead to the wrong people getting hands on your enterprise data in the cloud, sensitive information still remains fully protected and cannot be leveraged for financial gain by threat actors. Remember that the regulators won’t hold your cloud provider responsible in the instance that peoples’ sensitive data is exposed. They will be looking toward you and your organisation to answer for it.”
While Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre added:
“Management agents like OMI are part of the overall attack surface for a deployed system and as such need to be accounted for within the threat models associated with the application. Put another way, when constructing a threat model for an application, it’s not sufficient to look solely at how an application behaves in isolation, but rather the impact of deployment decisions need to be accounted for. That’s because attackers defined the rules of their attack, and a decision to restrict security reviews based upon an arbitrary “in-bound” designation won’t be something they consider when executing an attack. This extends to cloud services which often include management software used by the cloud provider, but which if vulnerable or deployed in a weakened state poses risks to any deployed application.”
Finally, George Papamargaritis, MSS Director, Obrela Security Industries gave the following remediation advice:
“This is related to a typical input validation vulnerability, i.e. the system does not validate or incorrectly validates the input data so that to use it safely to back-end applications and workflows. This may occur due to weak architectural design or fail of any tests to realize the issue at implementation phase.
“As a result any exploitation may cause consequences to the availability of the service, confidentiality or the integrity. Nevertheless the likelihood at this stage is low considering that Azure’s on-by-default, outside-the-VM firewall will limit it to most customers’ internal networks only.
“Potential mitigation actions:
- Enforce secure code tactics to architecture design especially to open source projects
- Stronger QA on implementation especially if “open source” components are reused
- Frequent vulnerability assessments (web / database scanning, source code reviews)
- Application of Detection methods”