Hey Automox Community,
As some of you may be aware, a number of high/critical vulnerabilities affecting Azure Virtual Machines have been discovered and patched by Microsoft. These vulnerabilities target the Open Management Infrastructure (OMI) agent running on Linux VMs, and include remote code execution and privilege escalation vulnerabilities.
This worklet will install the correct Microsoft repository based on your distribution of Linux and patch the OMI agent. We suggest running this worklet if any of your assets are Azure Linux VMs.
For more information about the vulnerability, see CVE-2021-38647 and Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions.
Evaluation Code:
#!/bin/bash
#================================================================
# HEADER
#================================================================
#% SYNOPSIS
#+ Updates OMI on Azure Linux VMs.
#%
#% DESCRIPTION
#% The eval code checks to see if the device is an Azure VM.
#% If it is, it will install the Microsoft Repository and
#% update the Azure Open Management Infrastructure (OMI) agent.
#%
#% USAGE
#% ./evaluation.sh
#%
#% EXAMPLES
#% ./evaluation.sh
#%
#================================================================
#- IMPLEMENTATION
#- version secops-update_azure_omi (www.automox.com) 1.0
#- author Adam Nadrowski
#- reviewer Tim Millikin
#-
#================================================================
# HISTORY
# 09/17/2021 : Adam Nadrowski : Script creation
# 09/17/2021 : Tim Millikin : Validated and catalogued
# 09/18/2021 : Adam Nadrowski : Update to eval code
#
#================================================================
# END_OF_HEADER
#================================================================
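# Chassis asset tag that identifies an Azure guest (presumably the fixed
# marker Azure writes into SMBIOS on every VM — the original script relies
# on it, nothing else on this host is consulted).
readonly AZURE_ASSET_TAG="7783-7084-3265-9085-8269-3286-77"

# Exit status follows the worklet convention: 0 = compliant / not applicable
# (remediation is skipped), 1 = non-compliant (remediation runs).
if ! command -v dmidecode >/dev/null 2>&1; then
  # Without dmidecode the tag cannot be read. The original silently treated
  # that as "not Azure"; keep that outcome but say why on stderr.
  printf 'dmidecode not found; cannot determine whether this is an Azure VM\n' >&2
  exit 0
fi

# Reading SMBIOS normally requires root; a failure yields an empty tag and
# therefore the "not Azure" path below.
ASSET_TAG=$(dmidecode --string chassis-asset-tag 2>/dev/null)

if [ "$ASSET_TAG" != "$AZURE_ASSET_TAG" ]; then
  # Not an Azure VM: the OMI extension agent is out of scope here.
  exit 0
fi

# NOTE(review): this only establishes that the host is an Azure VM. It does
# not check whether the omi package is present or already at a fixed version,
# so every Azure VM is reported non-compliant until remediation has run.
# TODO(review): compare the installed omi version against the fixed version
# from the advisory (<FIXED_OMI_VERSION> placeholder — not given here).
exit 1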
Remediation Code:
#!/bin/bash
#================================================================
# HEADER
#================================================================
#% SYNOPSIS
#+ Updates OMI on Azure Linux VMs.
#%
#% DESCRIPTION
#% The eval code checks to see if the device is an Azure VM.
#% If it is, it will install the Microsoft Repository and
#% update the Azure Open Management Infrastructure (OMI) agent.
#%
#% USAGE
#% ./remediation.sh
#%
#% EXAMPLES
#% ./remediation.sh
#%
#================================================================
#- IMPLEMENTATION
#- version secops-update_azure_omi (www.automox.com) 1.0
#- author Adam Nadrowski
#- reviewer Tim Millikin
#-
#================================================================
# HISTORY
# 09/17/2021 : Adam Nadrowski : Script creation
# 09/17/2021 : Tim Millikin : Validated and catalogued
# 09/18/2021 : Adam Nadrowski : Update to eval code
#
#================================================================
# END_OF_HEADER
#================================================================
# Base of the Microsoft package-config tree; DISTRO, SCALED_VERSION and
# CHANNEL are appended to it to locate the .list/.repo file for this host.
PMC_URL='https://packages.microsoft.com/config'
# Filled in by scale_version_id() once the distro version has been normalised.
SCALED_VERSION=''
# Package channel to enable.
CHANNEL='prod'
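#######################################
# Work out which distro family and version this host runs.
# Globals:   DISTRO (written), VERSION (written)
# Arguments: $1 - os-release file      (default /etc/os-release)
#            $2 - redhat-release file  (default /etc/redhat-release)
#            $3 - oracle-release file  (default /etc/oracle-release)
#            The overrides exist so detection can be exercised against sample
#            files; production callers pass nothing.
# Outputs:   detection result on stdout, failure message on stderr
# Returns:   0 when a release file was found, 1 otherwise
#######################################
detect_distro()
{
  local os_release=${1:-/etc/os-release}
  local redhat_release=${2:-/etc/redhat-release}
  local oracle_release=${3:-/etc/oracle-release}

  if [ -f "$os_release" ]; then
    if grep -q -i "amazon_linux:2" "$os_release"; then
      # Amazon Linux 2 is mapped onto the RHEL 7 repository.
      DISTRO='rhel'
      VERSION=7
    else
      # os-release is shell syntax; sourcing it defines ID and VERSION_ID.
      # shellcheck disable=SC1090
      . "$os_release"
      DISTRO=$ID
      VERSION=$VERSION_ID
    fi
  elif [ -f "$redhat_release" ]; then
    if [ -f "$oracle_release" ]; then
      DISTRO="ol"
    elif grep -q -i -F "Red Hat" "$redhat_release"; then
      DISTRO="rhel"
    elif grep -q -i -F "Centos" "$redhat_release"; then
      DISTRO="centos"
    fi
    # e.g. "CentOS Linux release 7.9.2009 (Core)" -> "7.9.2009"
    VERSION=$(grep -o "release .*" "$redhat_release" | cut -d ' ' -f2)
  else
    echo "Unable to detect distro" >&2
    return 1
  fi
  echo "Distro detected or similar to: $DISTRO"
}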
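#######################################
# Normalise VERSION into the directory name used under $PMC_URL.
# RHEL-family and SLES trees carry one directory per major release; every
# other distro uses VERSION verbatim.
# Globals:   DISTRO, VERSION (read); SCALED_VERSION (written)
# Outputs:   chosen value on stdout, failure message on stderr
# Returns:   0 on success, 1 when the distro/version pair has no mapping
#######################################
scale_version_id()
{
  case "$DISTRO" in
    rhel|centos|ol)
      case "$VERSION" in
        7*) SCALED_VERSION=7 ;;
        8*) SCALED_VERSION=8 ;;
        *)
          echo "Unsupported version: $DISTRO $VERSION" >&2
          return 1
          ;;
      esac
      ;;
    sles)
      case "$VERSION" in
        12*) SCALED_VERSION=12 ;;
        15*) SCALED_VERSION=15 ;;
        *)
          echo "Unsupported version: $DISTRO $VERSION" >&2
          return 1
          ;;
      esac
      ;;
    *)
      SCALED_VERSION=$VERSION
      ;;
  esac
  echo "Scaled version: $SCALED_VERSION"
}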
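#######################################
# Enable the Microsoft apt repository and install/upgrade omi on
# Debian-family hosts.
# Globals:   PMC_URL, DISTRO, SCALED_VERSION, CHANNEL (read)
# Outputs:   progress on stdout, failures on stderr
# Returns:   0 on success, 1 if a download or apt step fails
#######################################
debian_install()
{
  local list_file="/etc/apt/sources.list.d/microsoft-$CHANNEL.list"
  local key_file="/etc/apt/trusted.gpg.d/microsoft.asc"

  # -f makes curl fail on HTTP errors instead of saving the error page as
  # the repo definition, and the explicit check stops the run instead of
  # proceeding with an empty or missing list file.
  if ! curl -fsSL -o "$list_file" "$PMC_URL/$DISTRO/$SCALED_VERSION/$CHANNEL.list"; then
    echo "Failed to fetch apt repo definition for $DISTRO $SCALED_VERSION" >&2
    return 1
  fi
  if ! curl -fsSL -o "$key_file" https://packages.microsoft.com/keys/microsoft.asc; then
    echo "Failed to fetch Microsoft signing key" >&2
    return 1
  fi

  apt-get update || return 1
  apt-get install -y omi || return 1
  echo "OMI updated"
}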
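#######################################
# Enable the Microsoft yum repository and install/upgrade omi on
# RHEL/CentOS/Oracle Linux hosts.
# Globals:   PMC_URL, DISTRO, SCALED_VERSION, CHANNEL (read)
# Outputs:   progress on stdout, failures on stderr
# Returns:   0 on success, 1 if a download, key import or yum step fails
#######################################
redhat_install()
{
  local -r repo=packages-microsoft-com
  local key_file rv

  # yum-config-manager comes from yum-utils and may be missing on a minimal
  # image; without it the repo is never added and the install below fails
  # with a less obvious error.
  if ! command -v yum-config-manager >/dev/null 2>&1; then
    echo "yum-config-manager not found (install yum-utils)" >&2
    return 1
  fi
  yum-config-manager --add-repo="$PMC_URL/$DISTRO/$SCALED_VERSION/$CHANNEL.repo"

  # Fetch the signing key into a private temp file rather than the current
  # working directory, and remove it on every exit path.
  key_file=$(mktemp) || return 1
  if ! curl -fsSL -o "$key_file" https://packages.microsoft.com/keys/microsoft.asc; then
    rm -f -- "$key_file"
    echo "Failed to fetch Microsoft signing key" >&2
    return 1
  fi
  rpm --import "$key_file"
  rv=$?
  rm -f -- "$key_file"
  [ "$rv" -eq 0 ] || return 1

  yum makecache || return 1
  # --enablerepo fails if the repo was not added above, so that error is
  # surfaced here rather than silently installing from other repos.
  yum --enablerepo="$repo-$CHANNEL" install -y omi || return 1
  echo "OMI updated"
}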
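#######################################
# Enable the Microsoft zypper repository and install/upgrade omi on SLES.
# Globals:   PMC_URL, DISTRO, VERSION, SCALED_VERSION, CHANNEL (read)
# Outputs:   progress on stdout, failures on stderr
# Returns:   0 on success, 1 if a download, key import or zypper step fails
#######################################
sles_install()
{
  local -r repo=packages-microsoft-com
  local key_file rv

  # Same config tree as the other installers, built from PMC_URL so one
  # variable controls where repo definitions come from. addrepo is not
  # checked: it reports an error when the repo already exists (re-runs),
  # and a genuinely missing repo is caught by the install below.
  zypper addrepo -c -f -n "microsoft-$CHANNEL" \
    "$PMC_URL/$DISTRO/$SCALED_VERSION/$CHANNEL.repo"

  key_file=$(mktemp) || return 1
  if ! curl -fsSL -o "$key_file" https://packages.microsoft.com/keys/microsoft.asc; then
    rm -f -- "$key_file"
    echo "Failed to fetch Microsoft signing key" >&2
    return 1
  fi
  rpm --import "$key_file"
  rv=$?
  rm -f -- "$key_file"
  [ "$rv" -eq 0 ] || return 1

  zypper refresh || return 1
  echo "Installing OMI on distro: $DISTRO version: $VERSION"
  # First attempt pins the package to the Microsoft repo; the retry lets
  # zypper resolve omi from any enabled repo. The previous fallback
  # installed "mdatp" (Microsoft Defender), a different product that left
  # OMI unpatched.
  if ! zypper install -y "$repo-$CHANNEL:omi"; then
    echo "Failed, trying again"
    zypper install -y omi || return 1
  fi
  echo "OMI updated"
}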
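#######################################
# Dispatch to the installer for the detected distro family.
# Globals:   DISTRO (read)
# Outputs:   failure message on stderr for unknown distros
# Returns:   the installer's status, or 1 for an unsupported distro
#######################################
update_omi()
{
  case "$DISTRO" in
    debian|ubuntu)  debian_install ;;
    rhel|centos|ol) redhat_install ;;
    sles|sle-hpc)   sles_install ;;
    *)
      echo "Unsupported distro: $DISTRO" >&2
      return 1
      ;;
  esac
}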
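# Entry point: detect the platform, normalise its version, then run the
# matching installer. Stop early when detection or version mapping reports
# failure so the installers are never run with an empty DISTRO/SCALED_VERSION.
main()
{
  detect_distro || exit 1
  scale_version_id || exit 1
  update_omi
}
main "$@"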