Following the September 14th, 2021 release of three Elevation of Privilege (EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in the Open Management Infrastructure (OMI) Framework, analysts in the Microsoft Threat Intelligence Center (MSTIC) have been monitoring for signs of exploitation and investigating detections to further protect customers. The official MSRC post is here.
This article is only meant for troubleshooting the agents related to Azure Monitor. The focus of this post is to help you detect whether any of your machines are, or were, vulnerable and how to update them. Microsoft has patched all agents installed via extensions (cloud environments). Where the agent was installed from a shell bundle, on on-premises or physical hardware that you manage, your IT organization will have to update the agents manually.
Agents in scope:
Log Analytics Agent [OmsAgentForLinux]
Azure Diagnostic Agent [LinuxDiagnostic] (LAD)
In a cloud environment, to check and see if your VM has the OMI vulnerability, you can run this script here,
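For hosts outside the extension-managed cloud path (shell-bundle installs on on-premises or physical machines), the following POSIX shell script is an added example, not the script the post links to and not Microsoft's code. It reads the installed OMI version from the package's standard `/opt/omi/bin/omiserver` binary and compares it, component by component, against the fixed version you supply from the MSRC advisory; the version strings in the usage block are constructed for illustration, and the fixed version is deliberately not hard-coded here.

```sh
#!/bin/sh
# Added example (not the original post's script): classify a Linux host's
# installed OMI package as "vulnerable", "patched" or "not-installed".
# The fixed version is supplied by the caller (take it from the MSRC advisory
# linked in the post); nothing in this file asserts which version that is.

# Normalise an OMI version string such as "1.6.8-1" or "1.6.8.1" to "1.6.8.1",
# so that package-style and dotted forms compare the same way.
normalize_version() {
    printf '%s\n' "$1" | sed 's/[^0-9]\{1,\}/./g; s/^\.//; s/\.$//'
}

# Return 0 (true) if version $1 is strictly lower than version $2.
# Components are compared numerically; a missing component counts as 0.
version_lt() {
    awk -v a="$(normalize_version "$1")" -v b="$(normalize_version "$2")" '
    BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal versions are not "lower than"
    }'
}

# Print the version reported by the OMI server binary, or "not-installed" when
# the binary is absent. $1 optionally overrides the standard install path.
omi_installed_version() {
    bin="${1:-/opt/omi/bin/omiserver}"
    [ -x "$bin" ] || { echo "not-installed"; return 0; }
    "$bin" -v 2>/dev/null | awk '{ print $NF }' | head -n 1
}

# Classify an installed version ($1) against the fixed version ($2).
omi_check() {
    installed="$1"; fixed="$2"
    case "$installed" in
        not-installed|"") echo "not-installed"; return 0 ;;
    esac
    if version_lt "$installed" "$fixed"; then
        echo "vulnerable"
    else
        echo "patched"
    fi
}

# Usage on a host: export OMI_FIXED_VERSION from the advisory first, e.g.
#   OMI_FIXED_VERSION=<version-from-MSRC-advisory> sh omi_check.sh
# Without it the script defines the functions only and prints nothing.
if [ -n "${OMI_FIXED_VERSION:-}" ]; then
    printf 'OMI on %s: %s\n' "$(hostname)" \
        "$(omi_check "$(omi_installed_version)" "$OMI_FIXED_VERSION")"
fi
```

The comparison is written in awk rather than with `sort -V` so it behaves the same on distributions without GNU coreutils; the version strings "1.6.8-0" and "1.6.8.1" used below are constructed test values, not a statement of which OMI release carries the fix.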