DEV Community

Olivier Miossec

How to list Azure VMs potentially affected by the OMI RCE

There is a Remote Code Execution (RCE) vulnerability in the Open Management Infrastructure (OMI) framework, which is used by several Azure extensions you can add to your Linux workloads.

Details can be found here.

But how can you list the affected VMs? Azure Resource Graph is the answer. It is fast, can scan all your subscriptions, and can be integrated into various scripting languages.
You will need to query two resource types in the Resources table, virtualmachines and virtualmachines/extensions.

Resources
| where type == 'microsoft.compute/virtualmachines'
| extend
    JoinID = toupper(id),
    OSName = tostring(properties.osProfile.computerName),
    OSType = tostring(properties.storageProfile.osDisk.osType)
| where OSType =~ 'Linux'
| join kind=leftouter(
    Resources
    | where type == 'microsoft.compute/virtualmachines/extensions'
    | extend 
        VMId = toupper(substring(id, 0, indexof(id, '/extensions'))),
        ExtensionName = name
) on $left.JoinID == $right.VMId
| where ExtensionName in ('OmsAgentForLinux', 'OMSExtension')
| summarize Extensions = make_list(ExtensionName) by subscriptionId, resourceGroup, name, OSName

The extension list in this filter is not complete:

where ExtensionName in ('OmsAgentForLinux', 'OMSExtension')

You will need to add the complete extension list from the Microsoft post.
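One way to run this query from a script, as an added example that is not part of the original post: it builds the `in (...)` filter from a list you maintain and pages through the results with the Azure CLI. The function names, the `id` column added to the `summarize` keys, and the `data`/`skip_token` output fields are assumptions of this example.

```python
import json
import re
import subprocess

# Only the two names shown in the post; add the rest from the Microsoft post.
EXTENSIONS = ["OmsAgentForLinux", "OMSExtension"]

# The post's query; `id` is added to the summarize keys (this example's change).
QUERY = """Resources
| where type == 'microsoft.compute/virtualmachines'
| extend JoinID = toupper(id),
    OSName = tostring(properties.osProfile.computerName),
    OSType = tostring(properties.storageProfile.osDisk.osType)
| where OSType =~ 'Linux'
| join kind=leftouter(
    Resources
    | where type == 'microsoft.compute/virtualmachines/extensions'
    | extend VMId = toupper(substring(id, 0, indexof(id, '/extensions'))), ExtensionName = name
) on $left.JoinID == $right.VMId
| where ExtensionName in (%s)
| summarize Extensions = make_list(ExtensionName) by id, subscriptionId, resourceGroup, name, OSName"""

def build_query(names):
    """Fill the `in (...)` filter, refusing names that could break the KQL literal."""
    bad = [n for n in names if not re.fullmatch(r"[A-Za-z0-9._-]+", n)]
    if bad or not names:
        raise ValueError(f"invalid extension list: {bad or names!r}")
    return QUERY % ", ".join(f"'{n}'" for n in names)

def az_page(query, skip_token=None):
    """One page via the Azure CLI (needs `az login` and the resource-graph extension)."""
    cmd = ["az", "graph", "query", "-q", query, "--first", "1000", "-o", "json"]
    if skip_token:
        cmd += ["--skip-token", skip_token]
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)

def list_vms(names=EXTENSIONS, fetch_page=az_page):
    """Collect all rows, following skip tokens until the last page."""
    query, rows, token = build_query(names), [], None
    while True:
        page = fetch_page(query, token)  # assumed shape: {"data": [...], "skip_token": ...}
        rows.extend(page.get("data", []))
        token = page.get("skip_token")
        if not token:
            return rows

if __name__ == "__main__":
    for vm in list_vms():
        print(vm["subscriptionId"], vm["resourceGroup"], vm["name"], vm["Extensions"])
```

The result lists VMs that carry one of the named extensions; it does not tell you which OMI version is installed on them.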

Edit: You can also use this script published by Microsoft on GitHub to find and update VMs in your subscriptions.

Top comments (1)

Jayendran Arumugam

Thanks Olivier! Makes my day easier :)

As per MS

For any PaaS service offerings that use the vulnerable VM extensions for Linux as part of the default service offering, Microsoft will be updating the extension on the affected VM’s transparently for the customer.
Where customers explicitly enabled the VM extensions for Linux, they are required to follow the guidance as provided in table above.

So I had a conversation with MS; it seems they are planning to push the update for the extensions starting from tomorrow 9-22-2021 and targeting to complete every region within 1 week (one by one). Hope this helps someone.