Identify VMs that have VMware Tools with the OpenSSL v3 vulnerability

A critical vulnerability has been found in OpenSSL versions 3.0.0 to 3.0.6 (link). Many vendors use these versions of OpenSSL in their products. VMware has issued the following statement:

To date, no VMware products have been found to be critically impacted by CVE-2022-3602 or CVE-2022-3786. Regardless, VMware products that consume OpenSSL 3.0.x will consume 3.0.7 fixes as a precautionary measure in upcoming releases.

VMware Tools versions 12.0.0 and 12.1.0 both contain OpenSSL 3.0.x:

VMware Tools version    OpenSSL version
12.0.0                  3.0.0
12.1.0                  3.0.3

To quickly identify which VMs have the OpenSSL 3 vulnerability present, you can use PowerCLI. The following script identifies all VMs running VMware Tools version 12 and higher:

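# Replace with the FQDN of your vCenter Server
$vcserver = 'the FQDN of the vCenter Server name'
Connect-VIServer $vcserver
# Compare as [version], not as strings: as a string, '9.x' sorts above '12.0.0'.
# -as [version] yields $null for VMs that report no Tools version, so those are skipped.
Get-VM | Where-Object {($_.Guest.ToolsVersion -as [version]) -ge [version]'12.0.0'} | Select -property Name,PowerState,@{Name='Toolsversion';Expression={$_.Guest.Toolsversion}} | Sort Toolsversion
Disconnect-VIServer * -Confirm:$false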

The results can be exported to a CSV file by appending the following to the Get-VM pipeline, directly after Sort Toolsversion:

| Export-Csv c:\temp\vmwtools.csv -NoTypeInformation

OpenSSL v3.0.7 has been released. This version fixes the critical vulnerability. The NCSC has a GitHub page (Link) listing software that is affected. Now it is time for VMware to release an updated version of VMware Tools that includes the new OpenSSL version.

Update: November 29, 2022

VMware Tools 12.1.5 is released. This is a maintenance release of VMware Tools to provide fixes for critical product issues and security issues:

  • Updated OpenSSL to 3.0.7
  • Updated zlib to 1.2.12 with additional fixes
  • Updated GLib to 2.56.3 with additional fixes
  • Updated libxml2 to 2.10.2
  • This release resolves CVE-2022-31693. For more information on this vulnerability and its impact on VMware products, see https://www.vmware.com/security/advisories/VMSA-2022-0029.html.

The release notes can be found here and the download location can be found here.
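The following PowerShell is an added example, not part of the original post: it classifies an inventory by Tools version using typed [version] comparison and the version data stated in this post (12.0.0, 12.1.0 and the 12.1.5 update). The VM names, the helper name Get-ToolsOpenSslStatus and the status labels are assumptions made for illustration, and the inventory is constructed sample data so the block runs without a vCenter connection.

```powershell
# Constructed sample inventory. With PowerCLI, build the same shape from:
#   Get-VM | Select-Object Name,@{Name='ToolsVersion';Expression={$_.Guest.ToolsVersion}}
$inventory = @(
    [pscustomobject]@{ Name = 'app01'; ToolsVersion = '12.0.0' }
    [pscustomobject]@{ Name = 'app02'; ToolsVersion = '12.1.0' }
    [pscustomobject]@{ Name = 'db01';  ToolsVersion = '12.1.5' }
    [pscustomobject]@{ Name = 'old01'; ToolsVersion = '9.4.10' }  # as a string this sorts above '12.0.0'
    [pscustomobject]@{ Name = 'lin01'; ToolsVersion = '' }        # no Tools version reported
)

# Bundled OpenSSL per Tools release, limited to what this post states.
$bundledOpenSsl = @{ '12.0.0' = '3.0.0'; '12.1.0' = '3.0.3'; '12.1.5' = '3.0.7' }
$firstWithOpenSsl3 = [version]'12.0.0'
$firstWithFix      = [version]'12.1.5'

function Get-ToolsOpenSslStatus {   # hypothetical helper name
    param([Parameter(Mandatory)][object[]]$Vm)

    foreach ($v in $Vm) {
        # -as returns $null instead of throwing on empty or unparsable input
        $parsed = $v.ToolsVersion -as [version]

        if (-not $parsed)                       { $status = 'Unknown' }
        elseif ($parsed -lt $firstWithOpenSsl3) { $status = 'Pre-12' }
        elseif ($parsed -lt $firstWithFix)      { $status = 'UpdateTools' }
        else                                    { $status = 'Tools-12.1.5-or-later' }

        # Only look up versions that parsed; releases the post does not list stay blank
        $openSsl = if ($parsed) { $bundledOpenSsl[$parsed.ToString()] } else { $null }

        [pscustomobject]@{
            Name           = $v.Name
            ToolsVersion   = $v.ToolsVersion
            BundledOpenSSL = $openSsl
            Status         = $status
        }
    }
}

Get-ToolsOpenSslStatus -Vm $inventory | Sort-Object Status, Name | Format-Table -AutoSize
```

VMs in the Unknown group report no parsable Tools version and need a manual check rather than being treated as unaffected.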

 

How to install Windows 11 on VMware Workstation

For testing purposes, I frequently use VMware Workstation to install Operating Systems such as Windows 11. The biggest challenge with Windows 11 is that you need a TPM 2.0 device. When installing Windows 11, if your computer does not meet the hardware requirements, you will see a message stating, “This PC can’t run Windows 11”.

Windows 11 requires the following hardware specifications:

  • CPU: 1 GHz or faster with 2 or more cores on the processor
  • RAM: 4 GB RAM
  • Storage: 64 GB or larger
  • Firmware: UEFI, Secure boot
  • TPM: Trusted Platform Module (TPM) 2.0

More info: link

The following options are available when installing Windows 11 using VMware Workstation Pro/Player and Fusion:

Option 1: The physical endpoint such as a laptop or PC has a TPM 2.0 device. This requires adding encryption and adding a vTPM device.

Option 2: The physical endpoint such as a laptop or PC has compatible hardware but no TPM 2.0 device. VMware Workstation 16.2 Pro adds an experimental vTPM device that uses a new encryption mode with increased performance over fully encrypting the VM in option 1.

Update October 17, 2022: Wil van Antwerpen has a good blog post about the risks of this experimental feature. Make sure that you read the blog before using this feature!

What you should know about VMware’s experimental vTPM – Vimalin

Option 3: The physical endpoint such as a laptop or PC has no compatible hardware such as a TPM 2.0 device. Use a registry hack to bypass the TPM check.

If you don’t have a Windows 10/11 ISO, you can create one following this blog post: Quick Tip: Download the latest Windows 10/11 ISO files – ivobeerens.nl

Here are the steps outlined for each option:

Option 1. The physical endpoint such as a laptop or PC has a TPM 2.0 chip

Start VMware Workstation and create a new Virtual Machine with the following configuration:

  • Type of configuration: Custom (advanced)
  • Virtual Machine hardware compatibility: Workstation 16.2.x
  • Guest Operating System Installation: Installer disc image file (iso): Point to the downloaded Windows 11 ISO
  • Guest operating system: Microsoft Windows
    • Version: Windows 10 and later x64
  • Virtual Machine name: Name of the VM such as: Windows 11
    • Location: for example: c:\vms\win11
  • Firmware: UEFI
    • Secure boot: Check
  • Processors: 2 or more
    • Number of cores: 1 or more
  • Memory (MB): 4096 or more
  • Network Type: Use network address translation (NAT)
  • SCSI Controller: LSI Logic SAS or Paravirtualized SCSI
  • Virtual Disk Type: NVMe
  • Disk: Create a new virtual disk
    • Maximum disk size (GB): 64 or more
  • Disk file: Windows 10 and later x64.vmdk
  • The new VM will be created.
  • Edit the virtual machine settings
  • Click on the options tab, choose Access Control, and select Encrypt

  • Enter a virtual machine password twice

  • The VM will be encrypted
  • Select the Hardware tab and select Add
  • Select the Trusted Platform Module and click Finish and OK

  • Start the VM to install Windows 11

The VM is encrypted and has a TPM device configured.

 

Option 2: The physical endpoint such as a laptop or PC has compatible hardware but no TPM 2.0 device.

Since VMware Workstation 16.2 there is an experimental feature that removes the need to fully encrypt the VM. Use it with care and read the blog from Wil van Antwerpen before using this feature!

  • Follow the steps in Option 1 up to “The new VM will be created”
  • Before starting the VM, close VMware Workstation
  • Edit the VMX file of the created VM, for example in Notepad
    • Add the following line to the end of the file:
    • managedVM.autoAddVTPM = "software"
    • This line adds a TPM 2.0 device to the VM
    • Save the VMX file

  • Open VMware Workstation
  • Start the VM to install Windows 11

Option 3: The physical endpoint such as a laptop or PC has no compatible hardware such as a TPM 2.0 device. Use a registry hack to bypass the TPM check.

In 2021 I already blogged about this hack. More information can be found here: Install Windows 11 as VM on VMware vSphere / Workstation without TPM 2.0 – ivobeerens.nl

 

With these 3 options, you are able to install Windows 11 on VMware Workstation Pro/Player and Fusion in most situations.

Quick Tip – Download the Azure Virtual Desktop RDPW files

Sometimes you need the RDPW files, for example when remote apps are listed in a central portal through an application integration. Here is a quick tip on how to download the Azure Virtual Desktop RDPW files for desktops and remote apps.

1. Log in using the AVD WebClient using the following URL: https://client.wvd.microsoft.com/arm/webclient/index.html

2. In the right corner click on the Settings wheel

3. In the “Resources Launch Method” section, select “Download the rdp file”

4. Close the screen by clicking on the X mark

5. Click on the remote app or desktop to download the RDPW file