Using ASC to find machines affected by OMI vulnerabilities in Azure VM Management Extensions

Published Sep 20 2021 07:13 AM
Microsoft

Two weeks ago, Microsoft released fixes for three Elevation of Privilege (EoP) vulnerabilities and one unauthenticated Remote Code Execution (RCE) vulnerability in the Open Management Infrastructure (OMI) framework: CVE-2021-38645, CVE-2021-38649, CVE-2021-38648, and CVE-2021-38647, respectively.

OMI is an open-source Web-Based Enterprise Management (WBEM) implementation for managing Linux and UNIX systems. Several Azure Virtual Machine (VM) management extensions use this framework to orchestrate configuration management and log collection on Linux VMs. The remote code execution vulnerability, CVE-2021-38647, only impacts customers using a Linux management solution (on-premises SCOM or Azure Automation State Configuration or Azure Desired State Configuration extension) that enables remote OMI management.  

We’ve already released extensive guidance for how to resolve these issues, as well as how to protect against these vulnerabilities, and how to detect whether these vulnerabilities have been exploited. For full details see this post on the Microsoft Security Response Center (MSRC) blog.  

How can Azure Security Center help? 

Organizations using Azure Security Center who’ve also enabled the integrated threat protection plan, Azure Defender for servers, can take advantage of the built-in vulnerability scanner.  

The vulnerability scanner included with Azure Security Center is powered by Qualys. Qualys' scanner is one of the leading tools for real-time identification of vulnerabilities. Learn more in Azure Defender's integrated vulnerability assessment solution for Azure and hybrid machines.

Using Security Center’s asset inventory page, you can quickly find all machines affected by any CVE with the fast-filtering tools, as shown in the video below.

(Animation: Machines impacted by CVE-2021-38647.gif)

When you’ve identified any affected machines in your subscriptions, download the fixed version of the relevant extension from the table in the MSRC blog post.
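The asset inventory page is built on Azure Resource Graph, so the same CVE filter can be scripted and scheduled instead of clicked through. The query below is an added example, not code from the original post; it assumes that Azure Defender for servers publishes each Qualys finding as a sub-assessment under `microsoft.security/assessments/subassessments`, with the CVE list in `properties.additionalData.cve` (each entry carrying a `title`) and the scanned machine's ARM id in `properties.resourceDetails.id`.

```kql
// Added example (not from the original post): list machines that still carry an
// open finding for the OMI RCE, CVE-2021-38647, across every subscription the
// caller can read. Run it in Resource Graph Explorer or via `az graph query -q`.
securityresources
| where type =~ "microsoft.security/assessments/subassessments"
// Assumption: Qualys VM findings expose their CVEs as an array under
// additionalData.cve; sub-assessments of other kinds (container images, SQL)
// have no such array and simply produce no rows after the expansion.
| extend cveList = properties.additionalData.cve
| mv-expand cveList
| extend cveId = tostring(cveList.title)
| where cveId == "CVE-2021-38647"
// "Unhealthy" is the open finding; after the fixed extension is installed and the
// machine is rescanned the same finding flips to "Healthy" and drops out here.
| extend findingStatus = tostring(properties.status.code)
| where findingStatus == "Unhealthy"
// Assumption: resourceDetails.id is the VM (or Arc machine) ARM id; lower-casing
// it makes the distinct below stable across differently cased ids.
| extend machineId = tolower(tostring(properties.resourceDetails.id))
| extend severity = tostring(properties.status.severity)
| extend finding = tostring(properties.displayName)
| distinct machineId, cveId, severity, finding
| order by severity asc, machineId asc
```

Swapping the CVE literal for any of the other three OMI CVEs, or for a `has_any` over all four, gives the full list of machines that need the updated extension from the MSRC table.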

Last update: Sep 20 2021 07:34 AM