OMIGOD: Worklet to patch OMI

Hey Automox Community,

As some of you may be aware, a number of high/critical vulnerabilities targeting Azure Virtual Machines have been discovered and patched by Microsoft. These vulnerabilities target the Open Management Infrastructure (OMI) agent running on Linux VMs, and include remote code execution and privilege escalation vulnerabilities.

This worklet will install the correct Microsoft repository based on your distribution of Linux and patch the OMI agent. We suggest running this worklet if any of your assets are Azure Linux VMs.

For more information about the vulnerability, see CVE-2021-38647 and Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions.

Evaluation Code:

#!/bin/bash
#================================================================
# HEADER
#================================================================
#% SYNOPSIS
#+    Updates OMI on Azure Linux VM's.
#%
#% DESCRIPTION
#%    The eval code checks to see if the device is an Azure VM.
#%    If it is, it will install the Microsoft Repository and 
#%    update the Azure Open Management Infrastructure (OMI) agent.
#%
#% USAGE
#%    ./evaluation.sh
#%
#% EXAMPLES
#%	  ./evaluation.sh
#%    
#================================================================
#- IMPLEMENTATION
#-    version         secops-update_azure_omi (www.automox.com) 1.0
#-    author          Adam Nadrowski
#-    reviewer        Tim Millikin
#-
#================================================================
#  HISTORY
#     09/17/2021 : Adam Nadrowski : Script creation
#     09/17/2021 : Tim Millikin : Validated and catalogued
#     09/18/2021 : Adam Nadrowski : Update to eval code
# 
#================================================================
# END_OF_HEADER
#================================================================
# Azure VMs expose this fixed chassis asset tag in SMBIOS; dmidecode must run as root.
ASSET_TAG=$(dmidecode --string chassis-asset-tag)
if [ "$ASSET_TAG" != "7783-7084-3265-9085-8269-3286-77" ]; then
    exit 0   # not an Azure VM: compliant, nothing to remediate
fi
exit 1       # Azure VM: report non-compliant so the remediation code runs

Remediation Code:

#!/bin/bash
#================================================================
# HEADER
#================================================================
#% SYNOPSIS
#+    Updates OMI on Azure Linux VM's.
#%
#% DESCRIPTION
#%    The evaluation code checks whether the device is an Azure VM.
#%    If it is, this remediation code installs the Microsoft repository
#%    and updates the Azure Open Management Infrastructure (OMI) agent.
#%
#% USAGE
#%    ./remediation.sh
#%
#% EXAMPLES
#%	  ./remediation.sh
#%    
#================================================================
#- IMPLEMENTATION
#-    version         secops-update_azure_omi (www.automox.com) 1.0
#-    author          Adam Nadrowski
#-    reviewer        Tim Millikin
#-
#================================================================
#  HISTORY
#     09/17/2021 : Adam Nadrowski : Script creation
#     09/17/2021 : Tim Millikin : Validated and catalogued
#     09/18/2021 : Adam Nadrowski : Update to eval code
# 
#================================================================
# END_OF_HEADER
#================================================================

PMC_URL=https://packages.microsoft.com/config
SCALED_VERSION=
CHANNEL=prod

detect_distro()
{
    if [ -f /etc/os-release ]; then
        if [[ $(grep -o -i "amazon_linux:2" /etc/os-release) ]]; then
            DISTRO='rhel'
            VERSION=7
        else
            . /etc/os-release
            DISTRO=$ID
            VERSION=$VERSION_ID
        fi
    elif [ -f /etc/redhat-release ]; then
        if [ -f /etc/oracle-release ]; then
            DISTRO="ol"
        elif [[ $(grep -o -i "Red\ Hat" /etc/redhat-release) ]]; then
            DISTRO="rhel"
        elif [[ $(grep -o -i "Centos" /etc/redhat-release) ]]; then
            DISTRO="centos"
        fi
        VERSION=$(grep -o "release .*" /etc/redhat-release | cut -d ' ' -f2)
    else
        echo "Unable to detect distro"
    fi
    echo "Distro detected or similar to: $DISTRO"
}

scale_version_id()
{
    if [ "$DISTRO" == "rhel" ] || [ "$DISTRO" == "centos" ] || [ "$DISTRO" == "ol" ]; then
        if [[ $VERSION == 7* ]]; then
            SCALED_VERSION=7
        elif [[ $VERSION == 8* ]]; then
            SCALED_VERSION=8
        else
            echo "Unsupported version: $DISTRO $VERSION" >&2
            exit 7   # stop here instead of building a repo URL for an unknown version
        fi
    elif [ "$DISTRO" == "sles" ]; then
        if [[ $VERSION == 12* ]]; then
            SCALED_VERSION=12
        elif [[ $VERSION == 15* ]]; then
            SCALED_VERSION=15
        else
            echo "Unsupported version: $DISTRO $VERSION" >&2
            exit 7   # stop here instead of building a repo URL for an unknown version
        fi
    else
        SCALED_VERSION=$VERSION
    fi
    echo "Scaled version: $SCALED_VERSION"
}

debian_install()
{
    curl -sSL $PMC_URL/$DISTRO/$SCALED_VERSION/$CHANNEL.list | tee /etc/apt/sources.list.d/microsoft-$CHANNEL.list
    curl -sSL https://packages.microsoft.com/keys/microsoft.asc | tee /etc/apt/trusted.gpg.d/microsoft.asc
    apt-get update && apt-get install omi -y
    echo "OMI updated"
}

redhat_install()
{
    local REPO=
    REPO=packages-microsoft-com
    yum-config-manager --add-repo=$PMC_URL/$DISTRO/$SCALED_VERSION/$CHANNEL.repo
    curl -sSL https://packages.microsoft.com/keys/microsoft.asc > ./microsoft.asc
    rpm --import ./microsoft.asc
    yum makecache
    rm -f ./microsoft.asc
    yum --enablerepo=$REPO-$CHANNEL install -y omi
    echo "OMI updated"
}

sles_install()
{
    local REPO=
    REPO=packages-microsoft-com
    zypper addrepo -c -f -n microsoft-$CHANNEL $PMC_URL/$DISTRO/$SCALED_VERSION/$CHANNEL.repo
    curl -sSL https://packages.microsoft.com/keys/microsoft.asc > ./microsoft.asc
    rpm --import ./microsoft.asc
    zypper refresh
    rm -f ./microsoft.asc
    echo "Installing OMI on distro: $DISTRO version: $VERSION"
    if ! zypper install -y $REPO-$CHANNEL:omi; then
        # retry without pinning the package to the repo name
        echo "Failed, trying again"
        zypper install -y omi
    fi
    echo "OMI updated"
}

update_omi()
{
    if [ "$DISTRO" = "debian" ] || [ "$DISTRO" = "ubuntu" ]; then
        debian_install
    elif [ "$DISTRO" = "rhel" ] || [ "$DISTRO" = "centos" ] || [ "$DISTRO" = "ol" ]; then
        redhat_install
    elif [ "$DISTRO" = "sles" ] || [ "$DISTRO" = "sle-hpc" ] ; then
        sles_install
    else
        echo "Unsupported distro"
    fi
}

detect_distro
scale_version_id
update_omi

Thanks, Adam! :metal:

Thanks for posting! One question though - although Ubuntu is Debian-based, is there a reason you didn’t include the specific Ubuntu distros? I believe these are the relevant execution code sections:

These are pieced together from snippets off MS articles, specifically Linux Software Repository for Microsoft Products | Microsoft Docs

#for 16.04
curl -sSL https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
sudo apt-add-repository https://packages.microsoft.com/ubuntu/16.04/prod
sudo apt-get update

#for 18.04
curl -sSL https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
sudo apt-add-repository https://packages.microsoft.com/ubuntu/18.04/prod
sudo apt-get update

#for 20.04
curl -sSL https://packages.microsoft.com/keys/microsoft.asc | sudo tee /etc/apt/trusted.gpg.d/microsoft.asc
sudo apt-add-repository https://packages.microsoft.com/ubuntu/20.04/prod
sudo apt-get update

Thanks,
rafael

Good question! The install functions all dynamically build the correct URL based on distro and version (referenced as scaled version), so it will build the correct URL based on these values. For example, on my Ubuntu 18.04 VM, the URL evaluates to https://packages.microsoft.com/config/ubuntu/18.04/prod.list, which is an APT data source file that points to https://packages.microsoft.com/ubuntu/18.04/prod.

If you’re experiencing something else in your environment, please let me know.

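As an added example (not part of the worklet or of this thread), the URL-building logic from the answer above lifted into a pure function that reads ID / VERSION_ID from an os-release file, so you can dry-run offline what a given VM would resolve to before deploying the worklet; the sample os-release files are constructed here, and the scaling rules mirror the worklet's scale_version_id.

```shell
#!/bin/sh
# Added example, not the worklet's own code: resolve offline the
# packages.microsoft.com config URL that the worklet's install functions
# fetch, from the ID / VERSION_ID of an os-release file. The mapping
# mirrors the worklet's scale_version_id; no network or root needed.
PMC_URL=https://packages.microsoft.com/config
CHANNEL=prod

# scale_version DISTRO VERSION_ID: prints the version directory the repo uses
scale_version() {
    case "$1" in
        rhel|centos|ol)
            case "$2" in 7*) echo 7 ;; 8*) echo 8 ;;
                *) echo "Unsupported version: $1 $2" >&2; return 7 ;; esac ;;
        sles)
            case "$2" in 12*) echo 12 ;; 15*) echo 15 ;;
                *) echo "Unsupported version: $1 $2" >&2; return 7 ;; esac ;;
        *) echo "$2" ;;   # debian/ubuntu keep the full VERSION_ID, e.g. 18.04
    esac
}

# repo_config_url OS_RELEASE_FILE: prints the .list (apt) or .repo (yum/zypper) URL
repo_config_url() {
    if grep -qi 'amazon_linux:2' "$1"; then
        distro=rhel; version=7            # same mapping the worklet applies
    else
        # read only the two keys rather than sourcing the whole file
        distro=$(sed -n 's/^ID=//p' "$1" | tr -d '"')
        version=$(sed -n 's/^VERSION_ID=//p' "$1" | tr -d '"')
    fi
    scaled=$(scale_version "$distro" "$version") || return $?
    case "$distro" in
        debian|ubuntu)               ext=list ;;
        rhel|centos|ol|sles|sle-hpc) ext=repo ;;
        *) echo "Unsupported distro: $distro" >&2; return 1 ;;
    esac
    echo "$PMC_URL/$distro/$scaled/$CHANNEL.$ext"
}

# Constructed sample os-release files (not captured from real VMs)
SAMPLES=$(mktemp -d)
printf 'NAME="Ubuntu"\nID=ubuntu\nVERSION_ID="18.04"\n' > "$SAMPLES/ubuntu"
printf 'ID="centos"\nVERSION_ID="7"\n' > "$SAMPLES/centos"
printf 'ID="sles"\nVERSION_ID="15.2"\n' > "$SAMPLES/sles"
printf 'ID="amzn"\nCPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"\n' > "$SAMPLES/amzn"
printf 'ID=fedora\nVERSION_ID=34\n' > "$SAMPLES/fedora"
for f in ubuntu centos sles amzn fedora; do
    printf '%-7s -> %s\n' "$f" "$(repo_config_url "$SAMPLES/$f" 2>/dev/null || echo "unsupported (rc=$?)")"
done
```

The Ubuntu 18.04 sample resolves to the same prod.list URL quoted in the reply above; an unknown distro or an unscaled RHEL/SLES version fails with a non-zero return code instead of producing a URL that does not exist.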

Also, from the AX Blog: "The Worklet checks for vulnerable Azure VMs. When the Worklet is run against an Azure VM, it will install the Microsoft Repository and update the Azure Open Management Infrastructure (OMI) agent. Special thanks to Adam Nadrowski and Tim Millikin for putting this Worklet together to help remediate OMIGOD. More details on this Worklet can be found in the Automox Community."

Ah ok! I must have missed that logic. Thank you!
