vSphere: Security Vulnerability w/ "Shared Folders" Feature


Since this appears to be making the rounds, I figured I'd post a little Powershell code on how to figure out if a guest's VMware tools is affected.  It only appears to affect Window's so this little bit of code can help you determine whether the "Shared Folders" feature is installed.  I posted this to communities too.

$VM = Get-VM NameofVM
 
$Reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $vm.extensiondata.summary.guest.hostname)
$RegKey= $Reg.OpenSubKey("System\CurrentControlSet\Control\NetworkProvider\Order")
$RegKeyValue = $RegKey.GetValue("ProviderOrder")
If($RegKeyValue -match "hgfs|hgs"){Write-Host ("$($VM.Name) might be affected by VMSA-2016-0001." + "  String Values hgfs, vmhgs, and/or vmhgfs need to be removed and VM rebooted.  ESXi Host should be patched prior.  RegistryPath: $($RegKey.Name), ProviderOrderKeyStringValue: $($RegKeyValue)") -ForegroundColor:Red}
Else(Write-Host "$($VM.Name) not affected by VMSA-2016-0001" -ForegroundColor:Green)


Caveats to this is that once you find those that have the HGFS/HFS, the ESXi host needs to be patched, the string values removed from the registry, and VM needs to be rebooted for change to take effect.
Also note:

  1. This only escalates privileges within the Guest OS. This does not escalate rights into the ESXi host.
  2. Just because those values are there, doesn't necessarily mean the function is actually in use.

The other half is that you will need to patch your ESXi hosts:
http://www.vmware.com/security/advisories/VMSA-2016-0001

No comments: