Friday, September 24, 2021

Azure Monitor - OMI Vulnerabilities Rapid Check Workbook

Hi folks,

As you have surely heard, Microsoft found, and released fixes for, serious vulnerabilities in the Open Management Infrastructure (OMI) that allow Elevation of Privilege (EoP) and unauthenticated Remote Code Execution (RCE) attacks.

These vulnerabilities are explained in detail in the Microsoft Security Response Center bulletin that can be found at https://msrc-blog.microsoft.com/2021/09/16/additional-guidance-regarding-omi-vulnerabilities-within-azure-vm-management-extensions/.

According to the bulletin, the affected systems are Linux-based virtual machines (Azure and non-Azure) that use OMI for monitoring and management purposes. For instance, if you’re using Azure Monitor or System Center Operations Manager (SCOM) to monitor the health and performance of your workloads running on Linux, you might be impacted, since the Microsoft Monitoring Agent (MMA) uses OMI behind the scenes.

As reported in the bulletin, there are several methods to identify the affected virtual machines. I just want to add another one that can be used immediately by customers that already have Azure Monitor in place.

What am I talking about here? A simple Azure Monitor Workbook. The workbook, called OMI Vulnerabilities - Rapid Check, checks whether the monitoring extension, monitoring agent, Linux Diagnostic extension or Desired State Configuration extension in use is a vulnerable version. If you’re using the Change Tracking and Inventory solution, this workbook will also check the version of the OMI package itself, letting you know whether it is vulnerable or not.
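As an added illustration (not the workbook's own query and not code from this post), here is the OMI package version check described above expressed in Python over constructed Change Tracking-style inventory rows; the row fields Computer, SoftwareName and CurrentVersion are assumptions, and the fixed OMI version is passed in as a parameter that you should take from the MSRC bulletin linked above.

```python
import re

# Constructed sample inventory rows (not real data), shaped like the Change Tracking
# "Software" records the workbook reads: Computer, SoftwareName, CurrentVersion.
# Versions appear in both deb style (1.6.8.1) and rpm style (1.6.4-1).
SAMPLE_INVENTORY = [
    {"Computer": "lnx-web-01", "SoftwareName": "omi", "CurrentVersion": "1.6.8.1"},
    {"Computer": "lnx-db-02", "SoftwareName": "omi", "CurrentVersion": "1.6.4-1"},
    {"Computer": "lnx-app-03", "SoftwareName": "omi", "CurrentVersion": "1.6.10.0"},
    {"Computer": "lnx-app-04", "SoftwareName": "omi", "CurrentVersion": ""},
    {"Computer": "lnx-web-01", "SoftwareName": "omsagent", "CurrentVersion": "1.13.40-0"},
]


def parse_version(text):
    """Split 'a.b.c.d' or 'a.b.c-d' into a tuple of ints; None if it cannot be parsed."""
    parts = re.split(r"[.\-]", text.strip())
    if not parts or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_older(found, fixed):
    """Numeric comparison (so 1.6.10 > 1.6.8); shorter tuples are zero-padded."""
    n = max(len(found), len(fixed))
    return found + (0,) * (n - len(found)) < fixed + (0,) * (n - len(fixed))


def assess_omi(records, fixed_version):
    """Return {computer: 'vulnerable' | 'patched' | 'unknown'} for every OMI row.

    Rows whose version is missing or malformed are reported as 'unknown' rather than
    silently treated as patched, so they still surface for manual review.
    """
    fixed = parse_version(fixed_version)
    if fixed is None:
        raise ValueError(f"bad fixed version: {fixed_version!r}")
    result = {}
    for row in records:
        if row["SoftwareName"].lower() != "omi":
            continue
        found = parse_version(row["CurrentVersion"])
        if found is None:
            result[row["Computer"]] = "unknown"
        else:
            result[row["Computer"]] = "vulnerable" if is_older(found, fixed) else "patched"
    return result


if __name__ == "__main__":
    # Placeholder for this demo only: take the real fixed OMI version from the MSRC bulletin.
    FIXED_FROM_BULLETIN = "1.6.8-1"
    for computer, status in sorted(assess_omi(SAMPLE_INVENTORY, FIXED_FROM_BULLETIN).items()):
        print(f"{computer}: {status}")
```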

Below you can see sample screenshots taken from my lab. When using the workbook, all you have to do is set the parameters (Subscription, Workspaces and TimeRange).

[Screenshot: workbook parameters]

It is organized in 2 tabs: one tab for Azure Virtual Machines and one tab for non-Azure Virtual Machines. Just to be clear about the term non-Azure: it refers to any on-premises physical or virtual machine and to 3rd party cloud virtual machines.

[Screenshot: the two workbook tabs]

In the 1st tab you will see the status of the following:

  • Linux Azure VMs with OmsAgentForLinux extension
  • Linux Azure VMs with OmsAgentForLinux agent
  • Linux Azure VMs with LinuxDiagnostic (LAD) extension
  • Linux Azure VMs with DSCForLinux (DSC) extension

In the 2nd tab, instead, you will get information about the following:

  • Linux non-Azure VMs with OmsAgentForLinux agent
 

In any tile there is a column called Details, containing a link that opens a new blade on the right side. This blade shows additional data that can help in further analysis, such as the operating system name and version:

[Screenshot: Details blade]

The complete workbook can be found attached to this post (rename it to .json before use). Since it is parameterized, you can import it into any environment and simply configure the parameters accordingly.

Should you need help on how to import Azure Monitor workbooks, you can refer to a blog post by a colleague of mine (credits to Billy York) that can be found at https://www.cloudsma.com/2020/11/import-azure-monitor-workbooks/.

As I always recommend and stress, don’t forget to TEST, TEST and TEST :smile:

Special thanks to @helderpinto for his support and help in testing this out.


Disclaimer

The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.