Wednesday, September 29, 2021

Detecting and updating Agents using the OMI vulnerability

Following the September 14th, 2021 release of three Elevation of Privilege (EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in the Open Management Infrastructure (OMI) Framework, analysts in the Microsoft Threat Intelligence Center (MSTIC) have been monitoring for signs of exploitation and investigating detections to further protect customers. The official MSRC post is here.


This article is only meant for troubleshooting Agents related to Azure Monitor. The focus of this post is to help you detect whether any of your machines are, or were, vulnerable, and how to update them. Microsoft has patched all agents installed via extensions (cloud environments). Where the Agent was installed as a shell bundle, on-prem or on physical hardware you manage, your IT organization will have to update the agents manually.


Agents in scope:

  • Log Analytics Agent [OmsAgentForLinux]
  • Azure Diagnostic Agent [LinuxDiagnostic] (LAD)

Detection:

In a cloud environment, to check whether your VM has the OMI vulnerability, you can run this script:

OMS-Agent-for-Linux/tools/OMIcheck at master · microsoft/OMS-Agent-for-Linux · GitHub

Note: make sure the guest agent is working properly, otherwise this script cannot be executed successfully.

On-prem/physical hardware: run the commands below and check whether your OMI version is below 1.6.8-1. If so, see the updating section for patching.

Debian based: dpkg -l | grep omi 

Redhat based: rpm -qa | grep omi 


Updating:

For cloud machines your agent has most likely been patched. To see for yourself, run the script: OMS-Agent-for-Linux/tools/OMIcheck at master · microsoft/OMS-Agent-for-Linux · GitHub 

This will also provide an option to update your agent extensions. As always, we recommend that customers use the latest version of all our agents.


For on-prem and physical hardware, only the OmsAgentForLinux is available. You can manually update with the following command:

wget https://raw.githubusercontent.com/Microsoft/OMS-Agent-for-Linux/master/installer/scripts/onboard_agent.sh && sh onboard_agent.sh

How to directly update OMI (only if the approaches above fail and the machine is still vulnerable):

  1. SSH to the VM.
  2. Find the distro from cat /etc/os-release. The distro is either RPM or DPKG based.
  3. Find out the OpenSSL version:

     $ openssl version

  4. Download the respective OMI package from GitHub. For example, Ubuntu 18.04 has OpenSSL 1.1.1:

     $ wget https://github.com/microsoft/omi/releases/download/v1.6.8-1/omi-1.6.8-1.ssl_110.ulinux.x64.deb

  5. Install the package:

     $ sudo dpkg -i omi-1.6.8-1.ssl_110.ulinux.x64.deb

  6. Verify the version is installed:

     $ dpkg -l | grep omi                                    (or rpm -qa | grep omi)
     ii  omi                                    1.6.8.1  ...

     $ /opt/omi/bin/omiserver -v
     /opt/omi/bin/omiserver: OMI-1.6.8-1 - Wed Aug 11 20:52:52 PDT 2021
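To automate the version check from the detection and verification steps above, here is an added POSIX shell script (not from this post or the OMS-Agent project) that parses the dpkg -l, rpm -qa or omiserver -v output and compares the version against 1.6.8-1; the omi_* function names, the --live flag and the sample lines in the comments are my own.

```shell
#!/bin/sh
# Added example (not from the post/OMS-Agent project): extract the OMI version
# from the outputs the post inspects and compare it with the fixed release.
FIXED_OMI_VERSION="1.6.8-1"
# Print the OMI version found in one line of `dpkg -l | grep omi`,
# `rpm -qa | grep omi` or `/opt/omi/bin/omiserver -v`; return 1 otherwise.
omi_version_from_line() {
    line=$1
    case "$line" in
        *omiserver:\ OMI-*)   # "/opt/omi/bin/omiserver: OMI-1.6.8-1 - Wed ..."
            v=${line#*OMI-}; printf '%s\n' "${v%% *}" ;;
        omi-[0-9]*)           # rpm -qa: "omi-1.6.8-1.x86_64"
            v=${line#omi-}; printf '%s\n' "${v%.*}" ;;
        ??\ *)                # dpkg -l: "ii  omi   1.6.8.1   amd64  ..."
            set -- $line; [ "$2" = "omi" ] || return 1; printf '%s\n' "$3" ;;
        *) return 1 ;;
    esac
}
# True (0) when VERSION is older than 1.6.8-1. dpkg shows the release as a
# fourth dotted field (1.6.8.1), rpm with a hyphen (1.6.8-1); both are
# normalised to four numeric fields and compared field by field.
omi_is_vulnerable() {
    have=$(printf '%s' "$1" | tr '-' '.')
    want=$(printf '%s' "$FIXED_OMI_VERSION" | tr '-' '.')
    i=1
    while [ "$i" -le 4 ]; do
        a=$(printf '%s\n' "$have" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        b=$(printf '%s\n' "$want" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        [ "${a:-0}" -lt "${b:-0}" ] && return 0
        [ "${a:-0}" -gt "${b:-0}" ] && return 1
        i=$((i + 1))
    done
    return 1   # exactly the fixed version
}
omi_status() {   # print VULNERABLE or PATCHED for a version string
    if omi_is_vulnerable "$1"; then echo VULNERABLE; else echo PATCHED; fi
}
# Run the post's package query on this host (needs dpkg or rpm) and classify
# every omi package it lists; invoked only when the script is run with --live.
check_local_host() {
    if command -v dpkg >/dev/null 2>&1; then listing=$(dpkg -l | grep omi)
    elif command -v rpm >/dev/null 2>&1; then listing=$(rpm -qa | grep omi)
    else echo "neither dpkg nor rpm found" >&2; return 2; fi
    printf '%s\n' "$listing" | while IFS= read -r l; do
        v=$(omi_version_from_line "$l") || continue
        echo "omi $v: $(omi_status "$v")"
    done
}
if [ "${1:-}" = "--live" ]; then check_local_host; fi
```

Run it as sh omicheck.sh --live on the machine; without --live it only defines the functions so the parser can be exercised against captured output.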


Azure Monitoring Agent

The newly GA’d Azure Monitoring Agent (AMA) does not use OMI. The OMS Agent is in the process of being deprecated and will no longer be supported by Microsoft as of August 2024. We recommend that all customers migrate to AMA as soon as possible. Check this guide to see if your scenarios are currently covered.

Posted at https://sl.advdat.com/3F3tLbV