vSphere: Security Vulnerability w/ "Shared Folders" Feature


Since this appears to be making the rounds, I figured I'd post a little Powershell code on how to figure out if a guest's VMware tools is affected.  It only appears to affect Window's so this little bit of code can help you determine whether the "Shared Folders" feature is installed.  I posted this to communities too.

$VM = Get-VM NameofVM
 
$Reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $vm.extensiondata.summary.guest.hostname)
$RegKey= $Reg.OpenSubKey("System\CurrentControlSet\Control\NetworkProvider\Order")
$RegKeyValue = $RegKey.GetValue("ProviderOrder")
If($RegKeyValue -match "hgfs|hgs"){Write-Host ("$($VM.Name) might be affected by VMSA-2016-0001." + "  String Values hgfs, vmhgs, and/or vmhgfs need to be removed and VM rebooted.  ESXi Host should be patched prior.  RegistryPath: $($RegKey.Name), ProviderOrderKeyStringValue: $($RegKeyValue)") -ForegroundColor:Red}
Else(Write-Host "$($VM.Name) not affected by VMSA-2016-0001" -ForegroundColor:Green)

Caveats to this is that once you find those that have the HGFS/HFS, the ESXi host needs to be patched, the string values removed from the registry, and VM needs to be rebooted for change to take effect.
Also note:

  1. This only escalates privileges within the Guest OS. This does not escalate rights into the ESXi host.
  2. Just because those values are there, doesn't necessarily mean the function is actually in use.

The other half is that you will need to patch your ESXi hosts:
http://www.vmware.com/security/advisories/VMSA-2016-0001

Comments

Post a Comment

Popular posts from this blog

NSX-T: vCenter and NSX-T Inventory out of Sync (Hosts in vSphere not showing up in NSX-T)

Image
Summary: NSX-T loses synch w/ vCenter inventory, but statuses don't appear to show an issue.  Basically, you add a host to a vCenter cluster, NSX-T bits should start to automatically installing on new host.  Assuming you've created a Transport Node Profile and associated w/ the cluster.  The problem is that NSX-T doesn't see the new host and its link to the compute manager (vCenter) looks fine. Looks fine, Y U NO WORK!? So what's going on here?  This appears to affect NSX-T 2.5 and 2.5.1.  Cause is unknown. Workaround: Restart the cm-inventory service on each NSX-T mgmt/controller node using API or CLI. Details: If you were to query the status of the cm-inventory via API or CLI, you could query all 3 manager/controller nodes and get a status of running.  Even if the primary node associated w/ the VIP, if configured, is not necessarily in charge of inventory.  So you could restart the cm-inventory service till you are blue in the face and get nowhere be
Read more

MacOS: AnyConnect VPN client was unable to successfully verify the IP forwarding table modifications.

Image
The VPN client was unable to successfully verify the IP forwarding table modification.  A VPN connection will not be established. Summary: I started running into issue utilizing Cisco AnyConnect on my Mac basically complaining about not able to overwrite IP forwarding tables.  This was on 4.6.x.  Since my VPN endpoints were not providing me w/ an updated client and w/ no access to Cisco Anyconnect downloads, my only option was to try openconnect.  It was totally worth it, here is why and how to set it up. PreReqs: Homebrew Installing OpenConnect: Launch MacOS Terminal brew install openconnect Getting VPN IP's/DNS Endpoints from AnyConnect: The information is typically located in your profile xml files located here: /opt/cisco/anyconnect/profile/somethingsomething.xml In the xml file, you are looking for "<HostAddress>typicallyaDNSName.com</HostAddress>" entry.  These are your VPN endpoints that you would need to pass to openconnect. Using
Read more

vCenter: Cluster Skip Quickstart Workflow via API

Image
Summary: Basically, whenever you reset vCenter, you might end up w/ a warning on a cluster running vSAN that's just annoying.  To circumvent, this from alerting, you need to disable quickstart.  Easy enough via UI, but API is a little weird here. Details: For one, code capture doesn't seem to understand this.  So no help there unfortunately.  Secondly, nothing named "quickstart" is in the API, so made this somewhat annoying to try and find.  Seems like someone had this question on the VMware communities forum 2 years ago w/ no answer.   Someone asked me internally, so I had to dig into it. Basically, two things: You can create a cluster w/ quick start disabled from the get go by passing a false boolean to a parameter named: "InHciWorkflow" via API/PowerCLI call Secondly, to "skip QuickStart" on an already created cluster, you can call a method called: "AbandonHciWorkflow" So yeah, you can see how "quickstart" and "HCIWorkfl
Read more