On October 1st 2015 VMware published Security Advisory VMSA-2015-0007. In that advisory you will find three vulnerabilities: CVE-2015-5177, CVE-2015-2342 and CVE-2015-1047.
To anticipate the questions you will surely get from your local Security Officer, I created a function to report which vSphere Servers in your environment are impacted, and which action to take.
Update October 5th 2015:
- Updated build numbers in $vmsaTab
- Corrected build number testing (thanks Richard)
The Script
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 |
function Get-VMSA-2015-0007 { <# .SYNOPSIS Report on VMSA-2015-0007 vulnerabilities .DESCRIPTION The function will look at all connected vSphere servers ($global:defaultviservers), and report which ones are impacted by VMSA-2015-0007, and which action to take .NOTES Author: Luc Dekens .EXAMPLE PS> Get-VMSA-2015-0007 #> Begin { $vmsaTab = @( @{ Vulnerability = 'CVE-2015-5177' Product = 'Vmware ESXi' Safe = @( @{ Version = '5.5' Build = '3029837' Action = 'ESXi550-201509101' }, @{ Version = '5.1' Build = '3021178' Action = 'ESXi510-201510101' }, @{ Version = '5.0' Build = '3021432' Action = 'ESXi500-201510101' } ) }, @{ Vulnerability = 'CVE-2015-2342' Product = 'VMware vCenter Server' Safe = @( @{ Version = '6.0' Build = '3018521' Action = '6.0 u1' }, @{ Version = '5.5' Build = '3000241' Action = '5.5 u3' }, @{ Version = '5.1' Build = '3072311' Action = '5.1 u3b' }, @{ Version = '5.0' Build = '3073234' Action = '5.0 u3e' } ) }, @{ Vulnerability = 'CVE-2015-1047' Product = 'VMware vCenter Server' Safe = @( @{ Version = '5.5' Build = '2063318' Action = '5.5u2' }, @{ Version = '5.1' Build = '2308385' Action = '5.1u3' }, @{ Version = '5.0' Build = '3073234' Action = '5.0u3e' } ) } ) } Process { foreach($vc in $global:DefaultVIServers){ Foreach($dc in (Get-Datacenter -Server $vc)){ Foreach($esx in Get-VMHost -Location $dc -Server $vc){ $product = $esx.ExtensionData.Config.Product foreach($entry in ($vmsaTab | where{$_.Product -eq $product.Name})){ $esx | Select @{N='vCenter';E={$vc.Name}}, @{N='Datacenter';E={$dc.Name}}, @{N='Cluster';E={$_.Parent}}, @{N='Name';E={$_.Name.Split('.')[0]}}, @{N='Product';E={$product.Name}}, Version, Build, @{N='CVE';E={$entry.Vulnerability}}, @{N='Safe';E={ $script:entrySafe = $entry.Safe | where{$esx.Version -match "^$($_.Version)"} if($script:entrySafe -ne $null){ if([int]$esx.Build -ge [int]$script:entrySafe.Build){[string]$true}else{[string]$false} } else{'na'} }}, @{N='Action';E={ if($script:entrySafe -ne $null){ $script:entrySafe.Action } else{'na'} }} } } } $product = $vc.ExtensionData.Content.About foreach($entry in ($vmsaTab | where{$_.Product -eq $product.Name})){ $vc | Select @{N='vCenter';E={$vc.Name}}, @{N='Datacenter';E={''}}, @{N='Cluster';E={''}}, @{N='Name';E={$_.Name.Split('.')[0]}}, @{N='Product';E={$product.Name}}, Version, Build, @{N='CVE';E={$entry.Vulnerability}}, @{N='Safe';E={ $script:entrySafe = $entry.Safe | where{$vc.Version -match "^$($_.Version)"} if($script:entrySafe -ne $null){ if([int]$vc.Build -ge [int]$entrySafe.Build){[string]$true}else{[string]$false} } else{'na'} }}, @{N='Action';E={ if($script:entrySafe -ne $null){ $script:entrySafe.Action } else{'na'} }} } } } } |
Annotations
Line 17-85: The correlation between each of the vulnerabilities, the vSphere Server version and build and the fix mentioned in VMSA-2015-0007. Note that KB1014508, where one can normally find all update levels and the corresponding build number, is missing some of the proposed solutions from VMSA-2015-0007. For these I tried to determine the desired build number from the Product Download page under MyVMware. Also note that the Product Patches page under MyVMware, doesn’t seem to use the same terminology that is used in VMSA-2015-0007.
Line 91: the script uses the connected vCenters, as available in $Global:DefaultVIServers, to scan. It’s important that you connect to the vCenter(s) before you call the function.
Sample Usage
The function will look at all connected vCenters. It uses the values in $Global:DefaultVIServers to find these connected vSphere vCenters. For each vCenter it will query all connected ESXi servers.
|
1 2 |
Get-VMSA-2015-0007 | Export-Csv -Path C:\VMSA-2015-0007.csv -NoTypeInformation -UseCulture |
The function returns an object array with all results from the investigation. When you redirect the result to a CSV file, you will get something like this.
Note that CVE-2015-1047 and CVE-2015-2342 list different fix levels for the vCenter. The report lists the build corresponding with the CVE (Common Vulnerabilities and Exposures). You should of course apply the highest build, that way you will comply with both requirements.
Should you find any discrepancies in the product, versions and build numbers, please let me know.
Enjoy!
Joe
How do you execute this script? I saved the it as a .ps1 but when I run it as shown above, nothing happens. I run it after connecting to VC
LucD
Hi Joe,
In the .ps1 file you copy the Get-VMSA-2015-0007 function.
At the end of the .ps1 file you call the function, just a line with Get-VMSA-2015-0007 on it.
Then run the .ps1 file
Matt
Are you sure the vCenter 5.5 Update 3 build number is correct? According to https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1014508, it should be 3000241.
LucD
Thanks, I also noticed that on that page it says 3000241.
But on the download site it says 3000346 for vCenter and 3000347 for VCSA.
In fact I’m not sure which of these it should be 🙁
Update: if someone has vCenter 5.5 Update 3 running, can you check what the build number is ?
Aaron Rogers
Mine shows 3000241 as the build number in the vSphere Client.
LucD
Thanks, does the report also show 3000241 ?
It gets the build from the vSphere object.
LucD
I got confirmation from others that it indeed shows 3000241.
The value in the script has been updated
Matt
Yeah, it’s really confusing. If you look at the vCenter object in the vSphere client, the build number shows as 3000241. But if you log into the appliance VAMI page and look at the system tab, it shows 3000347.
But the script seems to be working now with 3000241.
Robert van den Nieuwendijk
Nice script!
In the current version there is a typo. There should be a { after the else on line 133.
LucD
Thanks for spotting that.
Corrected.