DEV Community

Olivier Miossec

How to list Azure VMs potentially affected by the OMI RCE

There is a Remote Code Execution (RCE) vulnerability in the Open Management Infrastructure (OMI) framework, which is used by several Azure extensions you can add to your Linux workloads.

Details can be found here.

But how can you list the affected VMs? Azure Resource Graph is the answer. It is fast, can scan all your subscriptions, and can be integrated into various scripting languages.
But you will need to query two resource types, virtualmachines and virtualmachines/extensions, and join them.

Resources
| where type == 'microsoft.compute/virtualmachines'
| extend
    JoinID = toupper(id),
    OSName = tostring(properties.osProfile.computerName),
    OSType = tostring(properties.storageProfile.osDisk.osType)
| where OSType =~ 'Linux'
| join kind=leftouter(
    Resources
    | where type == 'microsoft.compute/virtualmachines/extensions'
    | extend 
        VMId = toupper(substring(id, 0, indexof(id, '/extensions'))),
        ExtensionName = name
) on $left.JoinID == $right.VMId
| where ExtensionName in ('OmsAgentForLinux', 'OMSExtension')
| summarize Extensions = make_list(ExtensionName) by subscriptionId, resourceGroup, name, OSName

The extension list in this filter is not complete:

where ExtensionName in ('OmsAgentForLinux', 'OMSExtension')

You will need to add the complete extension list from the Microsoft post.

Edit: You can also use this script published by Microsoft on GitHub to find and update VMs in your subscriptions.
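
Added example (not from the original post): Python that fills the query above with whatever extension list you copy from the Microsoft post, and mirrors the join on constructed rows to show why both sides of the join are upper-cased. It uses `in~` instead of `in` so that name casing does not hide a VM; `build_query`, `affected_vms` and the sample rows are hypothetical names and data.

```python
import re
from collections import defaultdict

VM = "microsoft.compute/virtualmachines"
EXT = VM + "/extensions"

def build_query(extension_names):
    """Return the article's KQL with the extension filter filled in."""
    for n in extension_names:  # reject anything that could break out of the quotes
        if not re.fullmatch(r"[A-Za-z0-9._-]+", n):
            raise ValueError(f"unexpected extension name: {n!r}")
    quoted = ", ".join(f"'{n}'" for n in extension_names)
    return f"""Resources
| where type == '{VM}'
| extend JoinID = toupper(id),
    OSName = tostring(properties.osProfile.computerName),
    OSType = tostring(properties.storageProfile.osDisk.osType)
| where OSType =~ 'Linux'
| join kind=leftouter(
    Resources
    | where type == '{EXT}'
    | extend VMId = toupper(substring(id, 0, indexof(id, '/extensions'))),
        ExtensionName = name
) on $left.JoinID == $right.VMId
| where ExtensionName in~ ({quoted})
| summarize Extensions = make_list(ExtensionName) by subscriptionId, resourceGroup, name, OSName"""

def affected_vms(rows, extension_names):
    """Mirror the join on dicts shaped like Resource Graph rows."""
    wanted = {n.lower() for n in extension_names}
    found = defaultdict(list)
    for r in rows:
        if r["type"].lower() == EXT and r["name"].lower() in wanted:
            cut = r["id"].lower().find("/extensions")  # same cut as indexof() above
            found[r["id"][:cut].upper()].append(r["name"])
    return {r["name"]: found[r["id"].upper()] for r in rows
            if r["type"].lower() == VM and r["id"].upper() in found
            and r["properties"]["storageProfile"]["osDisk"]["osType"].lower() == "linux"}

RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers"

def _vm(name, os_type):  # constructed sample rows, not real resources
    return {"id": f"{RG}/Microsoft.Compute/virtualMachines/{name}", "type": VM,
            "name": name, "properties": {"storageProfile": {"osDisk": {"osType": os_type}}}}

def _ext(vm, name):  # the extension id deliberately uses different casing than the VM id
    return {"id": f"{RG}/microsoft.compute/virtualmachines/{vm.upper()}/extensions/{name}",
            "type": EXT, "name": name, "properties": {}}

ROWS = [_vm("web01", "Linux"), _ext("web01", "OmsAgentForLinux"),
        _vm("db01", "Linux"), _vm("win01", "Windows"), _ext("win01", "OMSExtension")]
```

Pass the output of `build_query` to Resource Graph Explorer or your scripting tool of choice; `affected_vms(ROWS, names)` shows the expected result shape without touching a subscription.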


Top comments (1)

Jayendran Arumugam

Thanks Olivier! Makes my day easier :)

As per MS

For any PaaS service offerings that use the vulnerable VM extensions for Linux as part of the default service offering, Microsoft will be updating the extension on the affected VM’s transparently for the customer.
Where customers explicitly enabled the VM extensions for Linux, they are required to follow the guidance as provided in table above.

So I had a conversation with MS; it seems they are planning to push the update for the extensions starting from tomorrow, 9-22-2021, and targeting to complete every region within 1 week (one by one). Hope this helps someone.
