What Expert Says On The Latest OMI Vulnerability In Azure

BACKGROUND:

It has been reported that the cloud security vendor Wiz, which recently made news by discovering a major vulnerability in Microsoft Azure's Cosmos DB managed database service, has found another hole in Azure. This vulnerability affects Linux virtual machines through the OMI (Open Management Infrastructure) agent, which is installed automatically as a byproduct of enabling any of several logging, reporting and/or management options in Azure's UI.
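Because the agent arrives as a side effect of other Azure options, many administrators do not know whether it is running on their VMs. The following POSIX shell script is an added practitioner check, not code from the article, from Wiz or from Microsoft: it reports whether the OMI agent is present and, if so, which TCP ports its omiserver process is listening on, which is the question that matters when the only thing between the agent and the network is Azure's outside-the-VM firewall. The package name omi, the path /opt/omi/bin/omiserver and the process name omiserver are assumptions about how the agent ships, and the ss output embedded at the bottom is constructed sample data, not a capture from a real host.

```shell
#!/bin/sh
# Added example: local check for the OMI agent on an Azure Linux VM.
# Assumptions (not stated in the article): the agent ships as package "omi",
# installs to /opt/omi, and its daemon process is named "omiserver".

# Is the OMI agent present? Returns 0 (true) if found, 1 otherwise.
omi_installed() {
    if command -v dpkg >/dev/null 2>&1 && dpkg -s omi >/dev/null 2>&1; then
        return 0
    fi
    if command -v rpm >/dev/null 2>&1 && rpm -q omi >/dev/null 2>&1; then
        return 0
    fi
    [ -x /opt/omi/bin/omiserver ]
}

# Read `ss -ltnp` output on stdin and print the TCP ports omiserver listens on,
# one per line. Column 4 of ss is "Local Address:Port"; the port is whatever
# follows the last colon, which also handles IPv6 forms such as [::]:5986.
# Empty output means the agent is not reachable over TCP at all (Unix socket
# only, or not running), which is the state you want unless you deliberately
# enabled remote management.
omi_tcp_ports() {
    awk '/omiserver/ { n = split($4, a, ":"); print a[n] }'
}

# Human-readable report for the VM this script runs on.
omi_report() {
    if omi_installed; then
        echo "OMI agent: present"
        ports=$(ss -ltnp 2>/dev/null | omi_tcp_ports)
        if [ -n "$ports" ]; then
            echo "omiserver listening on TCP ports: $(echo "$ports" | tr '\n' ' ')"
        else
            echo "omiserver has no TCP listener (local socket only or not running)"
        fi
    else
        echo "OMI agent: not found"
    fi
}

# Constructed sample of `ss -ltnp` output, used only to illustrate the parser.
# The port numbers here are illustrative and not taken from the article.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:5986        0.0.0.0:*         users:(("omiserver",pid=1301,fd=5))
LISTEN 0      128    [::]:5986           [::]:*            users:(("omiserver",pid=1301,fd=6))'

echo "Ports omiserver would be found on in the constructed sample:"
printf '%s\n' "$SAMPLE_SS" | omi_tcp_ports
echo
omi_report
```

Run it as root on the VM so that `ss -p` can attribute sockets to processes; without that privilege the process column is blank and omi_tcp_ports prints nothing even when the daemon is listening.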

Experts Comments

September 15, 2021
Dr. George Papamargaritis
MSS Director
Obrela Security Industries


This is a typical input validation vulnerability, i.e. the system does not validate, or incorrectly validates, input data so that it can be used safely by backend applications and workflows. This may occur due to weak architectural design or the failure of any tests to catch the issue at the implementation phase.

As a result, any exploitation may have consequences for the availability, confidentiality or integrity of the service. Nevertheless, the likelihood at this stage is low, considering that Azure's on-by-default, outside-the-VM firewall will limit it to most customers' internal networks only.

Potential mitigation actions:

  • Enforce secure coding tactics in architecture design, especially for open source projects
  • Stronger QA on implementation, especially if "open source" components are reused
  • Frequent vulnerability assessments (web / database scanning, source code reviews)
  • Application of detection methods
September 15, 2021
Trevor Morgan
Product Manager
comforte AG


The report that Wiz has discovered a vulnerability in Azure, which in the worst-case scenario has the potential to execute root-level code but is mostly mitigated by Azure's on-by-default, outside-the-VM firewall, should encourage every organization to confront a simple fact about cloud security: you need to go far beyond basic perimeter-based security when pushing workflows and, more importantly, sensitive data into your public cloud environments. Vulnerabilities are always hiding somewhere in the perimeters around cloud-based data, just waiting to be discovered and exploited, so your defensive posture should focus on protecting the data itself. Data-centric security such as tokenization and format-preserving encryption can replace sensitive data elements with benign representational tokens, so even if perimeter breaches or vulnerabilities lead to the wrong people getting their hands on your enterprise data in the cloud, sensitive information still remains fully protected and cannot be leveraged for financial gain by threat actors. Remember that the regulators won't hold your cloud provider responsible in the instance that people's sensitive data is exposed. They will be looking toward you and your organization to answer for it.
