Home

Awesome

omigood (OM I GOOD?)

This repository contains a free scanner to detect VMs vulnerable to one of the "OMIGOD" vulnerabilities discovered by Wiz's threat research team, specifically CVE-2021-38647.

Original blog post from Wiz: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure

Overview

The scanner requires Azure credentials to connect to Azure APIs and, given a subscription and a resource group (or by default it will scan all the available ones), retrieves the list of Linux VMs and reports whether the machine might be vulnerable.

Also make sure to check out Microsoft's own tool for this purpose: https://github.com/microsoft/OMS-Agent-for-Linux/tree/master/tools/OMIcheck

Authentication

To authenticate against Azure APIs, both azure cli (default) and Interactive Browser authentication are supported, check the --auth command line parameter.

Performed checks

There isn't a straightforward way to determine whether your machines are vulnerable to OMI without running commands on the Linux machine itself, which is supported through Azure APIs using the RunShellScript command through an extension. Microsoft's own tool (https://github.com/microsoft/OMS-Agent-for-Linux/tree/master/tools/OMIcheck) uses this approach as well.

It's worth noting that, even if the VM is vulnerable, it might not be exposing the OMI server via HTTP/HTTPS (which is the default) and, even if it does, those ports might be blocked by Azure's Network Security Groups, hence not reachable. This is not a reason to avoid patching but, if you have a lot of vulnerable Linux VMs, it might be useful to know which ones are more exposed and prioritize your efforts.

omigood follows this more comprehensive approach and will produce a JSON output with a number of checks that you can trigger through command line options in order to determine your attack surface.

These are the checks performed by omigood:

Output

The generated JSON output file contains all the information on the scanned VMs: IDs, operating system, network security groups, power state, etc.

The flags ('YES'/'NO') that are relevant for the checks are:

Usage

usage: omigood_scanner.py [-h] [-v] [--auth {azurecli,interactivebrowser}] [-r] [-a] [-e] [-s SUBSCRIPTIONS]
                          [-g RESOURCEGROUPS] [-m VMS] -o OUTPUT

OMIGood scanner for CVE-2021-38647

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         [OPTIONAL] Verbose mode: Displays additional debug details.
  --auth {azurecli,interactivebrowser}
                        Authentication mode. Default: azurecli.
  -r, --runscript       [OPTIONAL] Run Script. Runs bash script on target VMs to check for OMI server, agent and
                        version. Disabled by default. Use at your own risk.
  -a, --attack          [OPTIONAL] Try to attack the host. Disabled by default. Use at your own risk.
  -e, --effective       [OPTIONAL] Check Effective Security Rules. Disabled by default. Requires higher permissions on
                        Azure.
  -s SUBSCRIPTIONS, --subscriptions SUBSCRIPTIONS
                        [OPTIONAL] Comma separate list of subscriptions IDs. If not specified, it will try all.
  -g RESOURCEGROUPS, --resourcegroups RESOURCEGROUPS
                        [OPTIONAL] Comma separated list of Resource Group names. If not specified, it will try all. If
                        specified, it will work only with a single subscription provided.
  -m VMS, --vms VMS     [OPTIONAL] Comma separated list of VM names. If not specified, it will try all. If specified,
                        it will work only with a single subscription and a single resource group provided.
  -o OUTPUT, --output OUTPUT
                        JSON output file with results.

Contributors

DISCLAIMER

The Software and code samples available on this repository are provided "as is" without warranty of any kind, either express or implied. Use at your own risk.