Core Infrastructure and Security Blog
Azure Monitor - OMI Vulnerabilities Rapid Check Workbook

BrunoGabrielli
Sep 24, 2021

Hi folks,

As you have surely heard, Microsoft found and released fixes for serious vulnerabilities in the Open Management Infrastructure (OMI) that allow Elevation of Privilege (EoP) and unauthenticated Remote Code Execution (RCE) attacks.

The Microsoft Security Response Center bulletin at https://msrc-blog.microsoft.com/2021/09/16/additional-guidance-regarding-omi-vulnerabilities-within-azure-vm-management-extensions/ explains these vulnerabilities in depth.

According to the bulletin, the affected machines are Linux-based virtual machines (Azure and non-Azure) that use OMI for monitoring and management purposes. For instance, if you’re using Azure Monitor or System Center Operations Manager (SCOM) to monitor the health and performance of your workloads running on Linux, you might be impacted, since the Microsoft Monitoring Agent (MMA) uses OMI behind the scenes.

As reported in the bulletin, there are several methods to identify the affected virtual machines. I just want to add another one that can be used immediately by customers who have Azure Monitor in place.

What am I talking about here? A simple Azure Monitor Workbook. The workbook, called OMI Vulnerabilities - Rapid Check, checks whether any of the monitoring extension, monitoring agent, Linux Diagnostic extension or Desired State Configuration extension in use is vulnerable. If you’re using the Change Tracking and Inventory solution, this workbook will also check the version of the OMI software, letting you know whether it is vulnerable or not.
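The kind of per-component version check described above can be sketched as follows. This is an added example, not the workbook's own queries: the function names and record fields are hypothetical, and the thresholds and inventory rows are constructed placeholders (the real fixed versions are listed in the MSRC bulletin).

```python
import re

# Constructed placeholder thresholds, NOT the real fixed versions: take the
# minimum fixed version of each component from the MSRC bulletin.
SAMPLE_FIXED = {"OmsAgentForLinux": "10.0.0", "LinuxDiagnostic": "20.0.0",
                "DSCForLinux": "30.0.0", "omi": "40.0.0-1"}

# Constructed inventory rows, shaped like what an extension or software
# inventory query could return (hypothetical field names).
SAMPLE_INVENTORY = [
    {"machine": "vm-a", "component": "OmsAgentForLinux", "version": "9.13.40"},
    {"machine": "vm-b", "component": "OmsAgentForLinux", "version": "10.0.0"},
    {"machine": "vm-c", "component": "LinuxDiagnostic", "version": "20.1"},
    {"machine": "vm-d", "component": "DSCForLinux", "version": ""},
    {"machine": "vm-e", "component": "omi", "version": "40.0.0-0"},
]

def parse_version(text):
    """Turn '1.2.3-4' or '1.2.3.4' into a tuple of ints; None if unparsable."""
    text = (text or "").strip()
    if not re.fullmatch(r"\d+(?:[.-]\d+)*", text):
        return None
    return tuple(int(p) for p in re.split(r"[.-]", text))

def is_older(found, fixed):
    """Numeric compare with zero padding, so 1.9 < 1.10 and 1.2 == 1.2.0."""
    width = max(len(found), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(found) < pad(fixed)

def classify(record, fixed_versions, change_tracking_enabled=True):
    """Return 'vulnerable', 'patched' or 'unknown' for one inventory row."""
    component = record["component"]
    # The OMI package version comes from Change Tracking and Inventory data;
    # without that solution there is nothing to compare, so report 'unknown'.
    if component == "omi" and not change_tracking_enabled:
        return "unknown"
    found = parse_version(record.get("version"))
    fixed = parse_version(fixed_versions.get(component))
    if found is None or fixed is None:
        return "unknown"
    return "vulnerable" if is_older(found, fixed) else "patched"

def rapid_check(records, fixed_versions, change_tracking_enabled=True):
    """Map (machine, component) to its status."""
    return {(r["machine"], r["component"]):
            classify(r, fixed_versions, change_tracking_enabled)
            for r in records}
```

Rows with a missing or unparsable version are reported as "unknown" rather than "patched", so a gap in the inventory data never reads as a clean result.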

 

Below you can see the sample screenshots taken from my lab. When consuming the workbook, all you have to do is set the parameters (Subscription, Workspaces and TimeRange).

It is organized in 2 tabs: one tab for the Azure Virtual Machines and one tab for non-Azure Virtual Machines. Just to be clear, by non-Azure we mean any on-premises physical or virtual machine and any 3rd party cloud virtual machine.

In the 1st tab you will see the status of the following:

  • Linux Azure VMs with OmsAgentForLinux extension
  • Linux Azure VMs with OmsAgentForLinux agent
  • Linux Azure VMs with LinuxDiagnostic (LAD) extension
  • Linux Azure VMs with DSCForLinux (DSC) extension

In the 2nd tab instead, you will get the information about the following:

  • Linux non-Azure VMs with OmsAgentForLinux agent

In any tile, there is a column called Details, containing a link that opens a new blade on the right side. This blade shows additional data that can help in further analysis, like the operating system name and version.

 

 

The complete workbook can be found attached to this post (rename it to .json before use). Since it uses parameters, you can import it and use it in any environment just by configuring the parameters accordingly.

Should you need help importing Azure Monitor workbooks, you can refer to a blog post by a colleague of mine (credits to Billy York) at https://www.cloudsma.com/2020/11/import-azure-monitor-workbooks/

As I always recommend and stress, don’t forget to TEST, TEST and TEST 🙂

Special thanks to hspinto for his support and help in testing this out.

 

Disclaimer

The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.

Updated Dec 21, 2021
Version 13.0
  • 20211007 - Updated attachment with workbook version 2.0. Check the change log for more details on what has been fixed.

  • Luca_Bovo
    Iron Contributor

    Very good BrunoGabrielli, I can confirm you are right: now I can set to false the "Change Tracking Enabled"...

    ...and all panels are working as expected!

    Same here for the last two panels, working as before:

    Just tested in the 3 environments I mentioned before and they are all working.

    Thanks a lot for your very fast update!

    PS: Jamesdld can you please update your deployment scripts with the updated Workbook JSON?

    Thanks to all,

    Luca Bovo

     

  • Thx for the useful feedback Luca_Bovo. I just updated the attachment with a new version. The issue you encountered was probably because in that given workspace the ChangeTracking is not in use. To fix that, I added a new parameter with which you can specify if the ChangeTracking is in use or not and the queries will be performed accordingly. Let me know if it works any better now.

    Thx,

    Bruno.

  • Luca_Bovo
    Iron Contributor

    Thanks a lot BrunoGabrielli for this useful tool!

    I just tested it in 3 different Azure environments and I get the same errors on the first and second check (see following screenshot):

    Conversely, the third and the fourth didn't return any error but simply "no results":

    How can I solve this issue?

    Am I missing something?

    Thanks in advance for your cooperation.

    Luca Bovo

  • Jamesdld
    Brass Contributor

    Thank you for this amazing workbook, perfect timing!

    May I propose to you the following procedure to ease this workbook deployment, including a "Deploy to Azure icon".