Following the September 14th, 2021 release of three Elevation of Privilege (EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in the Open Management Infrastructure (OMI) Framework, analysts in the Microsoft Threat Intelligence Center (MSTIC) have been monitoring for signs of exploitation and investigating detections to further protect customers. The official MSRC post is here.
This article is only meant for troubleshooting agents related to Azure Monitor. The focus of this post is to help you detect whether any of your machines are, or were, vulnerable and how to update them. Microsoft has patched all agents installed via extensions (cloud environments). Where the agent was installed as a shell bundle, on on-prem or physical hardware you manage, your IT organization will have to update the agents manually.
Agents in scope:
Detection:
In a cloud environment, to check whether your VM has the OMI vulnerability, you can run the OMIcheck script:
OMS-Agent-for-Linux/tools/OMIcheck at master · microsoft/OMS-Agent-for-Linux · GitHub
Note: Make sure the guest agent is working properly; otherwise this script cannot be executed successfully.
On-prem/physical hardware: run the commands below and check whether your OMI version is below 1.6.8-1. If so, see the Updating section for patching.
Debian based: dpkg -l | grep omi
Redhat based: rpm -qa | grep omi
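The version check above done as a script, as an added example that is not the post's or Microsoft's OMIcheck tool: it parses the rows printed by the two commands and compares the installed version against 1.6.8-1. The dpkg row format is taken from the sample output later in this post; the rpm name format (omi-1.6.8-1.x86_64) is assumed.

```shell
#!/bin/sh
# Added example (not the page's or Microsoft's script): parse "dpkg -l | grep omi" /
# "rpm -qa | grep omi" output and decide whether the installed OMI is below 1.6.8-1.
# Row formats are assumed from the post's sample row ("ii omi 1.6.8.1 ...") and the
# usual rpm name-version-release.arch naming.

OMI_FIXED_VERSION="1.6.8-1"

# Pull the version out of a dpkg -l row ("ii  omi  1.6.8.1  amd64 ...") or an
# rpm -qa name ("omi-1.6.8-1.x86_64"). Prints nothing for unrelated lines.
omi_version_from_line() {
    case "$1" in
        ii*)   printf '%s\n' "$1" | awk '$2 == "omi" { print $3 }' ;;
        omi-*) printf '%s\n' "$1" | sed -E 's/^omi-([0-9.]+-[0-9]+)\.[^.]*$/\1/' ;;
    esac
}

# Exit 0 (true) when version $1 sorts before the fixed version, field by field.
# "." and "-" both separate fields, so 1.6.8.1 (deb) and 1.6.8-1 (rpm) compare equal;
# a missing release number counts as 0, so a bare 1.6.8 is treated as older than 1.6.8-1.
omi_version_vulnerable() {
    awk -v have="$1" -v fixed="$OMI_FIXED_VERSION" 'BEGIN {
        n = split(have, a, "[.-]"); m = split(fixed, b, "[.-]")
        for (i = 1; i <= 4; i++) {
            x = (i <= n) ? a[i] + 0 : 0; y = (i <= m) ? b[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1
    }'
}

# Classify one package-manager line: 0 = vulnerable, 1 = patched, 2 = not an omi row.
omi_line_vulnerable() {
    v=$(omi_version_from_line "$1")
    [ -n "$v" ] || return 2
    if omi_version_vulnerable "$v"; then
        echo "omi $v is below $OMI_FIXED_VERSION: VULNERABLE, update (see Updating)"
        return 0
    fi
    echo "omi $v is at or above $OMI_FIXED_VERSION: patched"
    return 1
}

# Live check only when invoked as "sh omicheck.sh --live"; otherwise just define functions.
if [ "${1:-}" = "--live" ]; then
    if command -v dpkg >/dev/null 2>&1; then dpkg -l | grep omi; else rpm -qa | grep omi; fi |
        while IFS= read -r line; do omi_line_vulnerable "$line" || true; done
fi
```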
Updating:
For cloud machines your agent has most likely been patched. To see for yourself, run the script: OMS-Agent-for-Linux/tools/OMIcheck at master · microsoft/OMS-Agent-for-Linux · GitHub
This will also provide an option to update your agent extensions. As always, we recommend that customers use the latest version of all our agents.
For on-prem and physical hardware, only the OmsAgentForLinux is available. You can update it manually with the following command:
wget https://raw.githubusercontent.com/Microsoft/OMS-Agent-for-Linux/master/installer/scripts/onboard_age... && sh onboard_agent.sh
How to directly update OMI (only if approaches above fail & still vulnerable):
$ openssl version
$ wget https://github.com/microsoft/omi/releases/download/v1.6.8-1/omi-1.6.8-1.ssl_110.ulinux.x64.deb
$ sudo dpkg -i omi-1.6.8-1.ssl_110.ulinux.x64.deb
$ dpkg -l | grep omi (Or rpm -qa | grep omi)
ii omi 1.6.8.1 ...
$ /opt/omi/bin/omiserver -v
/opt/omi/bin/omiserver: OMI-1.6.8-1 - Wed Aug 11 20:52:52 PDT 2021
Azure Monitoring Agent
The newly GA’d Azure Monitoring Agent (AMA) does not use OMI. The OMS Agent is in the process of being deprecated and will no longer be supported by Microsoft as of August 2024. We recommend that all customers migrate to AMA as soon as possible. Check this guide to see whether your scenarios are currently covered.