Azure Monitor - OMI Vulnerabilities Rapid Check Workbook

Published Sep 24 2021 12:00 AM 4,269 Views
Microsoft

Hi folks,

As you have surely heard, Microsoft found, and released fixes for, serious vulnerabilities in the Open Management Infrastructure (OMI) that allow Elevation of Privilege (EoP) and unauthenticated Remote Code Execution (RCE) attacks.

 

These vulnerabilities are explained in depth in the Microsoft Security Response Center bulletin, which can be found at https://msrc-blog.microsoft.com/2021/09/16/additional-guidance-regarding-omi-vulnerabilities-within-... .

 

According to the bulletin, the affected objects are Linux-based virtual machines (Azure and non-Azure) that use OMI for monitoring and management purposes. For instance, if you’re using Azure Monitor or System Center Operations Manager (SCOM) to monitor the health and performance of your workloads running on Linux, you might be impacted since the Microsoft Monitoring Agent (MMA) uses OMI behind the scenes.

 

As reported in the bulletin, there are several methods to identify the affected virtual machines. I just want to add another one that can be used immediately by customers who have Azure Monitor in place.

 

What am I talking about here? A simple Azure Monitor Workbook. The workbook, called OMI Vulnerabilities - Rapid Check, verifies whether any of the monitoring extension, monitoring agent, Linux Diagnostic extension or Desired State Configuration extension in use is vulnerable. If you’re using the Change Tracking and Inventory solution, this workbook will also check the version of the OMI software, letting you know whether it is vulnerable or not.
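
As an added illustration (not the workbook's own queries and not code from the original post), the Python example below applies the same kind of check to exported per-machine versions: it compares versions numerically rather than as strings, and reports OMI as unknown rather than safe when Change Tracking data is not available. The FIXED thresholds, the sample machines and all function names are constructed placeholders; the real fixed versions are in the MSRC bulletin.

```python
# Added example, not the workbook's code. Component names follow the post;
# every version and threshold below is a constructed placeholder.
import re

# Placeholder "first fixed" versions: take the real ones from the MSRC bulletin.
FIXED = {
    "OmsAgentForLinux": "9.0.0-5",
    "LinuxDiagnostic": "9.0.10",
    "DSCForLinux": "9.0.0.2",
    "omi": "9.0.10-1",
}

def parse_version(text):
    """Turn '9.0.10-1' into (9, 0, 10, 1) so comparison is numeric, not lexical."""
    parts = re.split(r"[.-]", text.strip())
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def is_older(found, fixed):
    a, b = parse_version(found), parse_version(fixed)
    width = max(len(a), len(b))  # pad with zeros so 9.0 equals 9.0.0
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def check(machine, change_tracking_enabled):
    """Return {component: 'vulnerable' | 'ok' | 'unknown'} for one machine."""
    result = {}
    for component, fixed in FIXED.items():
        found = machine.get(component)
        if component == "omi" and not change_tracking_enabled:
            result[component] = "unknown"  # no inventory data is not the same as safe
        elif found is not None:            # skip components that are not installed
            try:
                result[component] = "vulnerable" if is_older(found, fixed) else "ok"
            except ValueError:
                result[component] = "unknown"
    return result

# Constructed sample rows, shaped like an export of per-machine versions.
MACHINES = [
    {"name": "vm-a", "OmsAgentForLinux": "9.0.0-4", "omi": "9.0.9-1"},
    {"name": "vm-b", "LinuxDiagnostic": "9.0.10", "omi": "9.0.10-1"},
    {"name": "srv-c", "OmsAgentForLinux": "9.0.0-10"},
]

def report(machines, change_tracking_enabled):
    return {m["name"]: check(m, change_tracking_enabled) for m in machines}

if __name__ == "__main__":
    for name, status in report(MACHINES, change_tracking_enabled=False).items():
        print(name, status)
```

A plain string comparison would get both vm-a's OMI version and srv-c's agent version wrong, because "9" sorts after "10" character by character.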

 

Below you can see the sample screenshots taken from my lab. When consuming the workbook, all you have to do is set the parameters (Subscription, Workspaces and TimeRange).

 


 

It is organized in 2 tabs: one tab for the Azure Virtual Machines and one tab for non-Azure Virtual Machines. To be clear, by non-Azure we mean any on-premises physical or virtual machine and any 3rd party cloud virtual machine.

 


 

In the 1st tab you will see the status of the following:

  • Linux Azure VMs with OmsAgentForLinux extension
  • Linux Azure VMs with OmsAgentForLinux agent
  • Linux Azure VMs with LinuxDiagnostic (LAD) extension
  • Linux Azure VMs with DSCForLinux (DSC) extension

 

In the 2nd tab, instead, you will get information about the following:

  • Linux non-Azure VMs with OmsAgentForLinux agent

 

In any tile, there is a column called Details, containing a link that opens a new blade on the right side. This blade shows additional data that can help in further analysis, such as the operating system name and version.

 

The complete workbook can be found attached to this post (rename it to .json before use). Since it uses parameters, you can import it and use it in any environment just by configuring the parameters accordingly.

 

Should you need help on how to import Azure Monitor workbooks, you can refer to a blog post by a colleague of mine (credits to Billy York) that can be found at https://www.cloudsma.com/2020/11/import-azure-monitor-workbooks/.

 

As I always recommend and stress, don’t forget to TEST, TEST and TEST :smile:

 

Special thanks to @hspinto  for his support and help in testing this out.

 

Disclaimer

The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.

7 Comments
Occasional Contributor

Thank you for this amazing workbook, perfect timing!

May I propose the following procedure to ease this workbook deployment, including a "Deploy to Azure icon".

Senior Member

Thanks a lot @Bruno Gabrielli for this useful tool!

I just tested it in 3 different Azure environments and I get the same errors on the first and second check (see following screenshot):


 

Conversely, the third and the fourth didn't return any error but simply "no results":


 

How can I solve this issue?

Am I missing something?

 

Thanks in advance for your cooperation.

Luca Bovo

Microsoft

Thx for the useful feedback @Luca_Bovo. I just updated the attachment with a new version. The issue you encountered was probably because in that given workspace the ChangeTracking is not in use. To fix that, I added a new parameter with which you can specify if the ChangeTracking is in use or not and the queries will be performed accordingly. Let me know if it works any better now.

 

Thx,

Bruno.

Senior Member

Very good @Bruno Gabrielli, I can confirm you are right: now I can set to false the "Change Tracking Enabled"...


 

...and all panels are working as expected!


 

Same here for the last two panels, working as before:


 

 

Just tested in the 3 environments I mentioned before and they are all working.

Thanks a lot for your very fast update!

PS: @Jamesdld can you please update your deployment scripts with the updated Workbook JSON?

 

Thanks to all,

Luca Bovo

 

Senior Member

Script updated guys :ok_hand:

Microsoft

20211007 - Updated attachment with workbook version 2.0. Check the change log for more details on what has been fixed.

Occasional Contributor

Script up to date! 

Version history
Last update: Dec 21 2021 10:19 AM