DEV Community

Olivier Miossec

How to list Azure VM potentially affected by the OMI RCE

There is a Remote Code Execution (RCE) vulnerability in the Open Management Infrastructure (OMI) framework, which is used by several Azure extensions you can add to your Linux workloads.

Details can be found here.

But how can you list the affected VMs? Azure Resource Graph is the answer. It is fast, can scan all your subscriptions, and can be integrated into various scripting languages.
You will need to query two resource types, virtualmachines and virtualmachines/extensions, and join them.

// Start from every VM and keep only the Linux ones.
Resources
| where type == 'microsoft.compute/virtualmachines'
| extend
    JoinID = toupper(id),
    OSName = tostring(properties.osProfile.computerName),
    OSType = tostring(properties.storageProfile.osDisk.osType)
| where OSType =~ 'Linux'
// Attach each VM's extensions; the VM id is the extension id up to '/extensions'.
| join kind=leftouter(
    Resources
    | where type == 'microsoft.compute/virtualmachines/extensions'
    | extend
        VMId = toupper(substring(id, 0, indexof(id, '/extensions'))),
        ExtensionName = name
) on $left.JoinID == $right.VMId
// Keep only VMs that carry one of the listed extensions.
| where ExtensionName in ('OmsAgentForLinux', 'OMSExtension')
| summarize Extensions = make_list(ExtensionName) by subscriptionId, resourceGroup, name, OSName

The extension list in this filter is not complete:

where ExtensionName in ('OmsAgentForLinux', 'OMSExtension')

You will need to add the complete extension list from the Microsoft post.
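A variant of the query above, added here as an example and not part of the original post or of Microsoft's guidance. It filters on the extension type stored in `properties.type` rather than on the resource name, which is chosen at deployment time and may differ from the type, and it reports the publisher and handler version recorded on each extension resource. The extension list is still only the two names from the post.

```kusto
// Added example: match on extension type instead of resource name.
Resources
| where type =~ 'microsoft.compute/virtualmachines'
| extend
    JoinID = toupper(id),
    OSName = tostring(properties.osProfile.computerName),
    OSType = tostring(properties.storageProfile.osDisk.osType)
| where OSType =~ 'Linux'
| join kind=inner (
    Resources
    | where type =~ 'microsoft.compute/virtualmachines/extensions'
    | extend
        VMId = toupper(substring(id, 0, indexof(id, '/extensions'))),
        ExtensionType = tostring(properties.type),
        Publisher = tostring(properties.publisher),
        // Version recorded on the extension resource, not read from the guest.
        HandlerVersion = tostring(properties.typeHandlerVersion),
        AutoUpgradeMinor = tobool(properties.autoUpgradeMinorVersion)
    // Only the two names from the post; extend with the full Microsoft list.
    // in~ makes the comparison case-insensitive.
    | where ExtensionType in~ ('OmsAgentForLinux', 'OMSExtension')
    | project VMId, ExtensionType, Publisher, HandlerVersion, AutoUpgradeMinor
) on $left.JoinID == $right.VMId
// One row per VM and extension, so each version can be reviewed.
| project subscriptionId, resourceGroup, name, OSName,
    ExtensionType, Publisher, HandlerVersion, AutoUpgradeMinor
| order by subscriptionId asc, resourceGroup asc, name asc
```

The handler version shown is the one stored on the extension resource; confirm the version actually installed on the VM before treating a machine as remediated.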

Edit: You can also use this script published by Microsoft on GitHub to find and update VMs in your subscriptions.


Top comments (1)

Jayendran Arumugam

Thanks Olivier! Makes my day easier :)

As per MS

For any PaaS service offerings that use the vulnerable VM extensions for Linux as part of the default service offering, Microsoft will be updating the extension on the affected VM’s transparently for the customer.
Where customers explicitly enabled the VM extensions for Linux, they are required to follow the guidance as provided in table above.

So I had a conversation with MS; it seems they are planning to push the update for the extensions starting from tomorrow, 9-22-2021, and targeting to complete every region within 1 week (one by one). Hope this helps someone.
