Identify VMs that have VMware Tools with the OpenSSL v3 vulnerability

A critical vulnerability has been found in OpenSSL versions 3.0.0 to 3.0.6 (link). Many vendors use these versions of OpenSSL in their products. VMware has issued the following statement:

To date, no VMware products have been found to be critically impacted by CVE-2022-3602 or CVE-2022-3786. Regardless, VMware products that consume OpenSSL 3.0.x will consume 3.0.7 fixes as a precautionary measure in upcoming releases.

VMware Tools versions 12.0.0 and 12.1.0 both contain OpenSSL 3.0.x.

| VMware Tools | OpenSSL version |
|---|---|
| 12.0.0 | 3.0.0 |
| 12.1.0 | 3.0.3 |

To quickly identify which VMs have the OpenSSL 3 vulnerability present, you can use PowerCLI. The following script identifies all VMs with VMware Tools version 12 and higher:

$vcserver = 'the FQDN of the vCenter Server name'
Connect-VIServer $vcserver
# Compare as [version]; a plain string comparison would also match versions such as 9.x
Get-VM | Where-Object {($_.Guest.ToolsVersion -as [version]) -ge [version]'12.0.0'} | Select -property Name,PowerState,@{Name='Toolsversion';Expression={$_.Guest.Toolsversion}} | Sort Toolsversion
Disconnect-VIServer * -Confirm:$false

The results can be exported to a CSV file by appending the following to the pipeline after Sort Toolsversion:

| export-csv c:\temp\vmwtools.csv -notypeinformation

OpenSSL v3.0.7 has been released. This version fixes the critical vulnerability. The NCSC has a GitHub page (Link) listing software that is affected. Now it is time for VMware to release an updated version of VMware Tools that includes the new OpenSSL version.

Update: November 29, 2022

VMware Tools 12.1.5 has been released. This is a maintenance release of VMware Tools that provides fixes for critical product issues and security issues:

  • Updated OpenSSL to 3.0.7
  • Updated zlib to 1.2.12 with additional fixes
  • Updated GLib to 2.56.3 with additional fixes
  • Updated libxml2 to 2.10.2
  • This release resolves CVE-2022-31693. For more information on this vulnerability and its impact on VMware products, see https://www.vmware.com/security/advisories/VMSA-2022-0029.html.

The release notes can be found here and the download location can be found here.
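The following added example (not part of the original post) classifies VMs by the OpenSSL release bundled with their VMware Tools, using only the version mapping given on this page, and shows why the comparison must be done on `[version]` objects rather than strings. The function name `Get-ToolsOpenSslExposure` and the sample VM names are hypothetical; the inventory is constructed so the block runs without a vCenter connection.

```powershell
# Added example, not from the original post. The mapping uses only versions named on this page.
$OpenSslByTools    = @{ '12.0.0' = '3.0.0'; '12.1.0' = '3.0.3'; '12.1.5' = '3.0.7' }
$FirstWithOpenSsl3 = [version]'12.0.0'
$FirstFixed        = [version]'12.1.5'   # first release here that bundles OpenSSL 3.0.7

function Get-ToolsOpenSslExposure {      # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Vm                    # any object with Name and ToolsVersion
    )
    process {
        # -as returns $null instead of throwing for '' or non-dotted values
        $v = $Vm.ToolsVersion -as [version]
        $status = if (-not $v)                       { 'Unknown' }
                  elseif ($v -lt $FirstWithOpenSsl3) { 'Pre-12' }
                  elseif ($v -lt $FirstFixed)        { 'OpenSSL 3.0.x, unpatched' }
                  else                               { 'Patched (12.1.5 or later)' }
        $bundled = 'not listed on this page'
        if ($v -and $OpenSslByTools.ContainsKey($v.ToString())) {
            $bundled = $OpenSslByTools[$v.ToString()]
        }
        [pscustomobject]@{
            Name         = $Vm.Name
            ToolsVersion = $Vm.ToolsVersion
            OpenSSL      = $bundled
            Status       = $status
        }
    }
}

# Constructed inventory so the example runs offline. With PowerCLI, feed real data:
#   Get-VM | Select-Object Name, @{N='ToolsVersion';E={$_.Guest.ToolsVersion}}
$sample = @(
    [pscustomobject]@{ Name = 'vm-legacy';  ToolsVersion = '9.4.15'  }
    [pscustomobject]@{ Name = 'vm-app01';   ToolsVersion = '10.3.10' }
    [pscustomobject]@{ Name = 'vm-web01';   ToolsVersion = '12.0.0'  }
    [pscustomobject]@{ Name = 'vm-db01';    ToolsVersion = '12.1.0'  }
    [pscustomobject]@{ Name = 'vm-new01';   ToolsVersion = '12.1.5'  }
    [pscustomobject]@{ Name = 'vm-notools'; ToolsVersion = ''        }
)
$sample | Get-ToolsOpenSslExposure | Sort-Object Status, Name | Format-Table -AutoSize

# Why the [version] cast matters: compare the same two values as strings and as versions.
'String compare : {0}' -f ('9.4.15' -ge '12.0.0')
'Version compare: {0}' -f ([version]'9.4.15' -ge [version]'12.0.0')
```

VMs reported as `Unknown` have no parsable Tools version and need a manual check rather than being assumed unaffected.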

 

VMware Tools installation and upgrade tips and tricks

The VMware Tools package provides drivers (such as VMXNET3, PVSCSI, SVGA etc.) and services that enhance the performance of virtual machines and make several vSphere features easy to use. Here are some tips and tricks when working with VMware Tools:

  • An overview of the VMware Tools versions mapping can be found here, link
  • The latest VMware Tools versions can be downloaded from the following links: link and link
  • Within VMware ESXi, the VMware Tools are located under: /vmimages/tools-isoimages
  • The latest VMware Tools version 10.3.10 is compatible with ESXi 6.0.0 to 6.7 U3
  • To view what VMware Tools components are installed on a Windows operating system: open Regedit and browse to the following location.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\10176710886A59A4C938D6DEE96B37D5

Names with a square or minus are not installed. Another method, in Windows 10 for example, is to go to Apps & Features and select: modify VMware Tools

  • A silent or unattended default installation can be done using the following command. This command does not install the NSX components:
Setup64.exe /s /v "/qb REBOOT=R" /l c:\windows\temp\vmware_tools_install.log

  • Use the ADDLOCAL and REMOVE options to define what components to install. The following command installs all the components except the Hgfs, SVGA, VSS, AppDefense and NetworkIntrospection components. This VMware Tools configuration can be used, for example, for a Horizon View Golden image.
setup64.exe /s /v "/qb REBOOT=R ADDLOCAL=All REMOVE=Hgfs,SVGA,VSS,AppDefense,NetworkIntrospection" /l c:\windows\temp\vmware_tools_install.log

The following VMware Tools component values can be used:

| Component Values | Component | Description |
|---|---|---|
| Drivers | Audio | Audio driver for 64-bit Operating Systems |
| | BootCamp | Driver for Mac BootCamp Support |
| | MemCtl | VMware Memory control driver for memory management |
| | Mouse | VMware mouse driver |
| | PVSCSI | VMware Paravirtual SCSI adapter |
| | SVGA | VMware SVGA driver |
| | Sync | Filesystem Sync driver, which enables backup applications to create application-consistent snapshots. This driver is used if the guest operating system is earlier than Windows Server 2003. Newer operating systems use the VSS driver. |
| | ThinPrint | Driver that enables printers added to the host operating system to appear in the list of available printers in the virtual machine. VMware Tools does not support ThinPrint features for vSphere 5.5 and later. |
| | VMCI | Virtual Machine Communication Interface driver. This driver allows virtual machines to communicate with the hosts on which they run without using the network. |
| | Hgfs | VMware shared folders driver. Use this driver if you plan to use this virtual machine with VMware Workstation, Player, or Fusion. Excluding this feature prevents you from sharing a folder between your virtual machine and the host system. |
| | VMXNet | VMware VMXnet networking driver. |
| | VMXNet3 | Next-generation VMware VMXnet networking driver for virtual machines that use virtual hardware version 7 and higher (ESX(i) 4.x and higher) |
| | FileIntrospection | NSX File Introspection driver, vsepflt.sys. |
| | NetworkIntrospection | NSX Network Introspection driver, vnetflt.sys. |
| | VSS | Driver for creating automatic backups. This driver is used if the guest operating system is Windows Vista, Windows Server 2003, or other newer operating system. Linux and older Windows operating systems use the Filesystem Sync driver. |
| | AppDefense | VMware AppDefense component. The AppDefense component consists of the glxgi.sys kernel mode driver and the gisvc.exe user mode service. |
| Toolbox | Perfmon | Driver for WMI performance logging. |

The latest version of the VMware Tools component values can be found here, link

Extract the VMware ISO for drivers

Sometimes it is handy to extract the VMware Tools ISO to get the VMXnet3 and PVSCSI drivers.

  • Mount the ISO
  • Run the following command, replacing the path with the folder to extract to: setup64.exe /A /P C:\Folder to extract

PowerCLI

To identify and upgrade the VMware Tools versions PowerCLI is your friend. First install the PowerCLI module, link. After the module is installed, connect to the vCenter Server.


$vcsa = "vcsa03.lab.local"

Import-Module VMware.PowerCLI
Connect-VIServer -Server $vcsa

Identify VMware Tools versions

To get the VMware Tools versions of the running VMs use the following PowerCLI command:

Get-VM | Get-VMguest | Where {$_.State -eq 'Running'} | Select VmName, ToolsVersion
  • Get all the running VMs that don’t have VMware Tools version 10.3.10 installed:
Get-VM | Get-VMguest | Where-Object {$_.State -eq 'Running' -and $_.ToolsVersion -notlike '10.3.10'} | Select VmName, ToolsVersion
  • Get all the running VMs that have an outdated version of VMware Tools:
Get-VM | Get-VMguest | where-object {$_.State -eq 'Running' -and $_.ExtensionData.ToolsversionStatus -eq 'GuestToolsNeedUpgrade'} | Select VmName

Update VMware Tools

Once you have an overview of all the VMware Tools versions that are outdated, it is easy to upgrade them to the latest version. In this example, the -NoReboot option is used so the OS will not be rebooted. When using the -NoReboot option, make sure the reboot is planned in a maintenance window. Until then, the pending reboot blocks, for example, the installation of Windows Updates, because the reboot needs to be performed first.

First export all the VMs to a CSV file that will be saved under c:\temp\vms.csv:

Get-VM | Get-VMguest | where-object {$_.State -eq 'Running' -and $_.ExtensionData.ToolsversionStatus -eq 'GuestToolsNeedUpgrade'} | Select VmName | export-csv c:\temp\vms.csv -NoTypeInformation

Verify the CSV file and make sure it lists only the VMs that need to be upgraded. After that, import the CSV and update VMware Tools using the following commands:

$vms = Import-Csv c:\temp\vms.csv
$vms | % { get-vm -name $_.VmName | Update-Tools -NoReboot}