Identify VMs that have VMware Tools with the OpenSSL v3 vulnerability

A critical vulnerability has been found in OpenSSL versions 3.0.0 to 3.0.6 (link). Many vendors use these versions of OpenSSL in their products. VMware has issued the following statement:

To date, no VMware products have been found to be critically impacted by CVE-2022-3602 or CVE-2022-3786. Regardless, VMware products that consume OpenSSL 3.0.x will consume 3.0.7 fixes as a precautionary measure in upcoming releases.

VMware Tools versions 12.0.0 and 12.1.0 both contain an OpenSSL 3.0.x version.

VMware Tools | OpenSSL version
--- | ---
12.0.0 | 3.0.0
12.1.0 | 3.0.3

To quickly identify which VMs have the OpenSSL 3 vulnerability present, you can use PowerCLI. The following script identifies all VMs running VMware Tools version 12 or higher:

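$vcserver = 'the FQDN of the vCenter Server name'
Connect-VIServer $vcserver
# Compare as [version], not as strings: a string comparison would also match Tools 9.x and older.
# -as [version] yields $null (no match) for VMs without a parsable Tools version.
Get-VM | Where-Object {($_.Guest.ToolsVersion -as [version]) -ge [version]'12.0.0'} | Select -property Name,PowerState,@{Name='Toolsversion';Expression={$_.Guest.Toolsversion}} | Sort Toolsversion
Disconnect-VIServer * -Confirm:$false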

The results can be exported to a CSV file by appending the following to the pipeline, after Sort ToolsVersion:

| export-csv c:\temp\vmwtools.csv -notypeinformation

OpenSSL v3.0.7 has been released. This version fixes the critical vulnerability. The NCSC has a GitHub page (Link) listing software that is affected. Now it is time for VMware to release an updated version of VMware Tools that includes the new OpenSSL version.

Update: November 29, 2022

VMware Tools 12.1.5 is released. This is a maintenance release of VMware Tools to provide fixes for critical product issues and security issues:

  • Updated OpenSSL to 3.0.7
  • Updated zlib to 1.2.12 with additional fixes
  • Updated GLib to 2.56.3 with additional fixes
  • Updated libxml2 to 2.10.2
  • This release resolves CVE-2022-31693. For more information on this vulnerability and its impact on VMware products, see https://www.vmware.com/security/advisories/VMSA-2022-0029.html.

The release notes can be found here and the download location can be found here.
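The version information in this post (12.0.0 and 12.1.0 ship OpenSSL 3.0.x, 12.1.5 ships 3.0.7) can be turned into a triage report. This is an added example, not part of the original post; the function name Get-ToolsOpenSslExposure, the status labels and the sample VM records are constructed for illustration.

```powershell
# Added example. The Tools-to-OpenSSL mapping below is the one given in this post.
$bundledOpenSsl = @{ '12.0.0' = '3.0.0'; '12.1.0' = '3.0.3'; '12.1.5' = '3.0.7' }
$fixedOpenSsl   = [version]'3.0.7'

function Get-ToolsOpenSslExposure {
    param([Parameter(ValueFromPipeline)]$Vm)
    process {
        # -as [version] returns $null when Tools is absent or the value is unparsable.
        # Comparing [version] objects avoids string ordering, where '9.4.10' ranks above '12.0.0'.
        $tools   = $Vm.ToolsVersion -as [version]
        $openssl = $null
        if (-not $tools) {
            $status = 'Unknown'                      # no Tools version reported
        } elseif ($tools -lt [version]'12.0.0') {
            $status = 'Below12'                      # outside the range this post covers
        } else {
            $openssl = $bundledOpenSsl[$Vm.ToolsVersion]
            if (-not $openssl) { $status = 'NotInTable' }   # 12.x build not listed in the post
            elseif ([version]$openssl -lt $fixedOpenSsl) { $status = 'NeedsUpdate' }
            else { $status = 'Fixed' }
        }
        [pscustomobject]@{
            Name         = $Vm.Name
            ToolsVersion = $Vm.ToolsVersion
            OpenSSL      = $openssl
            Status       = $status
        }
    }
}

# Constructed sample records. Against vCenter, feed the function with:
#   Get-VM | Select-Object Name, @{N='ToolsVersion';E={$_.Guest.ToolsVersion}}
$sample = @(
    [pscustomobject]@{ Name = 'web01'; ToolsVersion = '12.1.0' }
    [pscustomobject]@{ Name = 'db01';  ToolsVersion = '12.1.5' }
    [pscustomobject]@{ Name = 'old01'; ToolsVersion = '9.4.10' }
    [pscustomobject]@{ Name = 'app01'; ToolsVersion = '' }
)
$sample | Get-ToolsOpenSslExposure | Sort-Object Status, Name | Format-Table -AutoSize
```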

 

An unattended installation of VMware Tools 12 generates a 2711 error

For a new Windows 10 image build, I used the latest supported VMware Tools. In this case that was VMware Tools 12.0.0. VMware Tools is deployed using an unattended installation such as:

e:\setup64.exe /S /v "/qb REBOOT=R ADDLOCAL=All REMOVE=AppDefense,Hgfs,CBHelper,VmwTimeProvider,VSS,NetworkIntrospection,FileIntrospection" /l c:\windows\temp\vmware_tools_install.log

During the installation of VMware Tools, the following error occurred: “The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2711.”

I compared the syntax of the components and could not find any clue (link).

Feature Name | Description
--- | ---
CBHelper | Helper to install the Carbon Black Sensor on a virtual machine.
Perfmon | Utility for WMI performance logging. Enables performance monitoring between the Guest SDK and the WMI environment.
VmwTimeProvider | Time provider for VMware virtual precision clock device.
AppDefense | The VMware AppDefense component performs Application Security Monitoring. VMware AppDefense consists of glxgi.sys and giappdef.sys kernel mode drivers and gisvc.exe user mode service.
FileIntrospection | The NSX File Introspection driver, vsepflt.sys, is the first of the two guest introspection drivers. You can install it separately, without installing the NSX Network Introspection driver. Note: This component is dependent on the VMCI driver.
NetworkIntrospection | The NSX Network Introspection driver, vnetflt.sys, is the second of the two guest introspection drivers. Note: This component is dependent on the VMCI driver. VMware Tools 10.2.5 supports vnetWFP driver for Windows 7 and later.
ServiceDiscovery | The Service Discovery component enables the discovery of various services running inside a virtual machine. Note: This user-mode component is dependent on the VMCI driver.
DeviceHelper | The VMware Device Helper component helps to perform a device check and swap in your virtual machine. Note: This user-mode component is dependent on the VMCI driver.
Hgfs | Hgfs is a VMware shared folders driver that allows files to be shared between your virtual machine and the host computer. You can use this driver if you plan to use this virtual machine with VMware Workstation, Player, or Fusion. Note: If you exclude this feature, you cannot share a folder between your virtual machine and the host system. This component is dependent on the VMCI driver.
SVGA | The VMware SVGA driver enhances the performance of your virtual video card. Note: If you exclude this feature, it limits the display capabilities of your virtual machine.
VMXNet | The VMware VMXNet networking driver enhances the performance of your virtual network card.
VMXNet3 | The VMware VMXNet3 networking driver enhances the performance of your virtual network card (ndis5/ndis6). This is the next-generation VMware VMXnet networking driver for virtual machines that use virtual hardware version 7 and higher. For more information, see the VMware Knowledge Base article KB 1001805. VMXNET3 adds several new features, such as multiqueue support (also known as ‘Receive Side Scaling’ in Windows), IPv6 offloads, and MSI/MSI-X interrupt delivery. VMXNET 3 is not related to VMXNET or VMXNET 2. Receive Side Scaling is enabled by default. VMware Tools 10.3.0 adds receive data ring support for Windows VMXNET3 driver. Virtual hardware version 7 corresponds to ESX/ESXi 4.x compatibility.
PVSCSI | The VMware Paravirtual SCSI adapter enhances the performance of your paravirtual SCSI devices.
EFIFW | The EFIFW driver is used for EFI Firmware update.
MemCtl | The Memory Control Driver provides enhanced memory management of the virtual machine. You can use this driver if you plan to use a virtual machine in the vSphere environment. Note: If you exclude this feature, it hinders the memory management capabilities of the virtual machine running in a vSphere environment.
Mouse | The VMware PS2 Mouse driver enhances the performance of your virtual PS2 mouse. Note: If you exclude this feature, the mouse performance of your virtual machine will decrease.
MouseUsb | The VMware USB Mouse Driver enhances performance of your USB mouse.
Audio | The Audio driver provides audio for your virtual sound card. Note: This Audio driver is for 64-bit Windows Vista and later operating systems.
VSS | The VSS driver is used for creating automatic backups. This driver is used if the guest operating system is Windows Vista, Windows Server 2003, or other newer operating systems. Linux and older Windows operating systems use the Filesystem Sync driver.
BootCamp | The BootCamp driver provides Mac BootCamp support.

So I decided to install VMware Tools 12 manually and search in the Windows registry for the components:

As you can see, the AppDefense component doesn’t exist anymore in VMware Tools 12. Removing the AppDefense component from the unattended VMware Tools installation command fixed the problem.

e:\setup64.exe /S /v "/qb REBOOT=R ADDLOCAL=All REMOVE=Hgfs,CBHelper,VmwTimeProvider,VSS,NetworkIntrospection,FileIntrospection" /l c:\windows\temp\vmware_tools_install.log

I filled in a feedback form on the VMware Tools 12 documentation page to have the AppDefense component removed.
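The check that resolved this error (comparing the feature names on the command line with the features registered by a manual installation) can be scripted. This is an added example, not part of the original post; the function names, the ProductName lookup and the sample feature list are assumptions made for illustration.

```powershell
# Added example: flag feature names in an unattended VMware Tools command line
# that the target Tools version does not register.

function Get-ToolsFeatureName {
    # Feature names are the value names under Installer\Features\<product key>.
    # The product key changes per Tools version, so find it via ProductName
    # (assumption: the MSI registers itself as 'VMware Tools').
    $root = 'HKLM:\SOFTWARE\Classes\Installer'
    $product = Get-ChildItem "$root\Products" -ErrorAction SilentlyContinue |
        Where-Object { $_.GetValue('ProductName') -eq 'VMware Tools' } |
        Select-Object -First 1
    if (-not $product) { return @() }
    (Get-Item (Join-Path "$root\Features" $product.PSChildName)).GetValueNames() |
        Where-Object { $_ }    # drop the unnamed default value
}

function Test-ToolsFeatureList {
    param(
        [Parameter(Mandatory)][string]$CommandLine,
        [Parameter(Mandatory)][string[]]$KnownFeature
    )
    foreach ($property in 'ADDLOCAL', 'REMOVE') {
        if ($CommandLine -match "\b$property=([^\s`"]+)") {
            foreach ($name in $Matches[1].Split(',')) {
                if ($name -eq 'All') { continue }    # keyword, not a feature name
                [pscustomobject]@{
                    Property = $property
                    Feature  = $name
                    Known    = $KnownFeature -ccontains $name   # compared case-sensitively
                }
            }
        }
    }
}

# Constructed stand-in for the registry of a manually installed Tools 12 VM;
# on such a VM use: $known = Get-ToolsFeatureName
$known = 'Hgfs','CBHelper','VmwTimeProvider','VSS','NetworkIntrospection','FileIntrospection','Perfmon','VMXNet3','PVSCSI'
$cmd = 'e:\setup64.exe /S /v "/qb REBOOT=R ADDLOCAL=All REMOVE=AppDefense,Hgfs,CBHelper,VmwTimeProvider,VSS,NetworkIntrospection,FileIntrospection" /l c:\windows\temp\vmware_tools_install.log'

# Lists only the names that would not be found; here that is AppDefense.
Test-ToolsFeatureList -CommandLine $cmd -KnownFeature $known | Where-Object { -not $_.Known }
```

Run it in the image build before calling setup64.exe so an unknown feature name is caught before the installer fails.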

VMware Tools installation and upgrade tips and tricks

The VMware Tools package provides drivers (such as VMXNET3, PVSCSI, SVGA etc.) and services that enhance the performance of virtual machines and make several vSphere features easy to use. Here are some tips and tricks when working with VMware Tools:

  • An overview of the VMware Tools versions mapping can be found here, link
  • The latest VMware Tools versions can be downloaded from the following links: link and link
  • Within VMware ESXi, the VMware Tools are located under: /vmimages/tools-isoimages
  • The latest VMware Tools version 10.3.10 is compatible with ESXi 6.0.0 to 6.7 U3
  • To view what VMware Tools components are installed on a Windows operating system: open Regedit and browse to the following location.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\10176710886A59A4C938D6DEE96B37D5

Names with a square or minus are not installed. Another method, in Windows 10 for example, is to go to Apps & Features and select: modify VMware Tools

  • A silent or unattended default installation can be done using the following command. This command does not install the NSX components:
 Setup64.exe /s /v "/qb REBOOT=R" /l c:\windows\temp\vmware_tools_install.log

  • Use the ADDLOCAL and REMOVE options to define what components to install. The following command installs all the components except the Hgfs, SVGA, VSS, AppDefense and NetworkIntrospection components. This VMware Tools configuration can be used, for example, for a Horizon View Golden image.
setup64.exe /s /v "/qb REBOOT=R ADDLOCAL=All REMOVE=Hgfs,SVGA,VSS,AppDefense,NetworkIntrospection" /l c:\windows\temp\vmware_tools_install.log

The following VMware Tools component values can be used:

 | Component Values | Component Description
--- | --- | ---
Drivers | Audio | Audio driver for 64-bit Operating Systems
Drivers | BootCamp | Driver for Mac BootCamp Support
Drivers | MemCtl | VMware Memory control driver for memory management
Drivers | Mouse | VMware mouse driver
Drivers | PVSCSI | VMware Paravirtual SCSI adapter
Drivers | SVGA | VMware SVGA driver
Drivers | Sync | Filesystem Sync driver, which enables backup applications to create application-consistent snapshots. This driver is used if the guest operating system is earlier than Windows Server 2003. Newer operating systems use the VSS driver.
Drivers | ThinPrint | Driver that enables printers added to the host operating system to appear in the list of available printers in the virtual machine. VMware Tools does not support ThinPrint features for vSphere 5.5 and later.
Drivers | VMCI | Virtual Machine Communication Interface driver. This driver allows virtual machines to communicate with the hosts on which they run without using the network.
Drivers | Hgfs | VMware shared folders driver. Use this driver if you plan to use this virtual machine with VMware Workstation, Player, or Fusion. Excluding this feature prevents you from sharing a folder between your virtual machine and the host system.
Drivers | VMXNet | VMware VMXnet networking driver.
Drivers | VMXNet3 | Next-generation VMware VMXnet networking driver for virtual machines that use virtual hardware version 7 and higher (ESX(i) 4.x and higher)
Drivers | FileIntrospection | NSX File Introspection driver, vsepflt.sys.
Drivers | NetworkIntrospection | NSX Network Introspection driver, vnetflt.sys.
Drivers | VSS | Driver for creating automatic backups. This driver is used if the guest operating system is Windows Vista, Windows Server 2003, or other newer operating system. Linux and older Windows operating systems use the Filesystem Sync driver.
Drivers | AppDefense | VMware AppDefense component. The AppDefense component consists of glxgi.sys kernel mode driver and gisvc.exe user mode service.
Toolbox | Perfmon | Driver for WMI performance logging.

The latest version of the VMware Tools component values can be found here, link

Extract the VMware ISO for drivers

Sometimes it is handy to extract the VMware ISO to get the VMXnet3 and PVSCSI drivers.

  • Mount the ISO
  • setup64.exe /A /P C:\Folder to extract

PowerCLI

To identify and upgrade the VMware Tools versions PowerCLI is your friend. First install the PowerCLI module, link. After the module is installed, connect to the vCenter Server.


$vcsa = "vcsa03.lab.local"

Import-Module VMware.PowerCLI
Connect-VIServer -Server $vcsa

Identify VMware Tools versions

To get the VMware Tools versions of the running VMs use the following PowerCLI command:

Get-VM | Get-VMguest | Where {$_.State -eq 'Running'} | Select VmName, ToolsVersion
  • Get all the running VMs that don’t have VMware Tools version 10.3.10 installed:
Get-VM | Get-VMguest | Where-Object {$_.State -eq 'Running' -and $_.ToolsVersion -notlike '10.3.10'} | Select VmName, ToolsVersion
  • Get all the running VMs that have an outdated version of VMware Tools:
Get-VM | Get-VMguest | where-object {$_.State -eq 'Running' -and $_.ExtensionData.ToolsversionStatus -eq 'GuestToolsNeedUpgrade'} | Select VmName

Update VMware Tools

Once you have an overview of all the outdated VMware Tools versions, it is easy to upgrade them to the latest version. In this example, the -NoReboot option is used so the OS will not be rebooted. When using the -NoReboot option, make sure the reboot is planned in a maintenance window. A pending reboot blocks, for example, the installation of Windows Updates until the reboot has been performed.

First export all the VMs to a CSV file that will be saved under c:\temp\vms.csv

 
Get-VM | Get-VMguest | where-object {$_.State -eq 'Running' -and $_.ExtensionData.ToolsversionStatus -eq 'GuestToolsNeedUpgrade'} | Select VmName | export-csv c:\temp\vms.csv -NoTypeInformation

Verify the CSV file and make sure only the VMs are listed that need to be upgraded. After that import the CSV and update the VMware Tools using the following commands:

$vms = Import-Csv c:\temp\vms.csv
$vms | % { get-vm -name $_.VmName | Update-Tools -NoReboot}