<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Vulnerability Archives - LucD notes</title>
	<atom:link href="https://www.lucd.info/tag/vulnerability/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.lucd.info/tag/vulnerability/</link>
	<description>My PowerShell ramblings</description>
	<lastBuildDate>Wed, 08 Apr 2020 10:59:34 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9</generator>

<image>
	<url>https://www.lucd.info/wp-content/uploads/2018/12/cropped-120px-Tibetan_Dharmacakra-32x32.png</url>
	<title>Vulnerability Archives - LucD notes</title>
	<link>https://www.lucd.info/tag/vulnerability/</link>
	<width>32</width>
	<height>32</height>
</image> 
<atom:link rel="hub" href="https://pubsubhubbub.appspot.com"/><atom:link rel="hub" href="https://pubsubhubbub.superfeedr.com"/><atom:link rel="hub" href="https://websubhub.com/hub"/>	<item>
		<title>VMSA-2015-0007 Report</title>
		<link>https://www.lucd.info/2015/10/04/vmsa-2015-0007-report/</link>
					<comments>https://www.lucd.info/2015/10/04/vmsa-2015-0007-report/#comments</comments>
		
		<dc:creator><![CDATA[LucD]]></dc:creator>
		<pubDate>Sun, 04 Oct 2015 11:40:09 +0000</pubDate>
				<category><![CDATA[ESXi]]></category>
		<category><![CDATA[PowerShell]]></category>
		<category><![CDATA[vCenter]]></category>
		<category><![CDATA[VMSA-2015-0007]]></category>
		<category><![CDATA[vSphere]]></category>
		<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[CVE-2015-1047]]></category>
		<category><![CDATA[CVE-2015-2342]]></category>
		<category><![CDATA[CVE-2015-5177]]></category>
		<category><![CDATA[PowerCLI]]></category>
		<category><![CDATA[report]]></category>
		<guid isPermaLink="false">http://www.lucd.info/?p=4990</guid>

					<description><![CDATA[On October 1st 2015 VMware published Security Advisory VMSA-2015-0007. In that advisory you [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>On October 1st 2015 VMware published Security Advisory <a href="https://www.vmware.com/security/advisories/VMSA-2015-0007.html" target="_blank">VMSA-2015-0007</a>. In that advisory you will find three vulnerabilities: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5177" target="_blank">CVE-2015-5177</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2342" target="_blank">CVE-2015-2342</a> and <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1047" target="_blank">CVE-2015-1047</a>.</p>
<p style="padding-left: 30px;"><a href="https://www.lucd.info/2015/10/04/vmsa-2015-0007-report/vmsa-2015-0007/" rel="attachment wp-att-4992"><img fetchpriority="high" decoding="async" class="alignnone size-full wp-image-4992" src="https://lucd.info/wp-content/uploads/2015/10/VMSA-2015-0007.png" alt="VMSA-2015-0007" width="340" height="153" srcset="https://www.lucd.info/wp-content/uploads/2015/10/VMSA-2015-0007.png 340w, https://www.lucd.info/wp-content/uploads/2015/10/VMSA-2015-0007-300x135.png 300w" sizes="(max-width: 340px) 100vw, 340px" /></a></p>
<p>To anticipate the questions you will surely get from your local <strong>Security Officer</strong>, I created a function to report which <strong>vSphere Servers</strong> in your environment are impacted, and which action to take.</p>
<p><span style="background-color: #ffff00;">Update October 5th 2015</span>:</p>
<ul>
<li>Updated build numbers in <strong>$vmsaTab</strong></li>
<li>Corrected build number testing (thanks <a href="https://twitter.com/RichardKenyan" target="_blank">Richard</a>)</li>
</ul>
<p><span id="more-4990"></span></p>
<h2>The Script</h2>
<p></p><pre class="urvanov-syntax-highlighter-plain-tag">function Get-VMSA-2015-0007
{
&lt;#
.SYNOPSIS  Report on VMSA-2015-0007 vulnerabilities
.DESCRIPTION The function will look at all connected
  vSphere servers ($global:defaultviservers), and 
  report which ones are impacted by VMSA-2015-0007,
  and which action to take
.NOTES  Author:  Luc Dekens
.EXAMPLE
  PS&gt; Get-VMSA-2015-0007
#&gt;
  
  Begin
  {
  
    $vmsaTab = @(
      @{
        Vulnerability = 'CVE-2015-5177'
        Product = 'VMware ESXi'
        Safe = @(
          @{
            Version = '5.5'
            Build = '3029837'
            Action = 'ESXi550-201509101'
          },
          @{
            Version = '5.1'
            Build = '3021178'
            Action = 'ESXi510-201510101'
          },
          @{
            Version = '5.0'
            Build = '3021432'
            Action = 'ESXi500-201510101'
          }
        )
      },
      @{
        Vulnerability = 'CVE-2015-2342'
        Product = 'VMware vCenter Server'
        Safe = @(
          @{
            Version = '6.0'
            Build = '3018521'
            Action = '6.0 u1'
          },
          @{
            Version = '5.5'
            Build = '3000241'
            Action = '5.5 u3'
          },
          @{
            Version = '5.1'
            Build = '3072311'
            Action = '5.1 u3b'
          },
          @{
            Version = '5.0'
            Build = '3073234'
            Action = '5.0 u3e'
          }
        )
      },
      @{
        Vulnerability = 'CVE-2015-1047'
        Product = 'VMware vCenter Server'
        Safe = @(
          @{
            Version = '5.5'
            Build = '2063318'
            Action = '5.5u2'
          },
          @{
            Version = '5.1'
            Build = '2308385'
            Action = '5.1u3'
          },
          @{
            Version = '5.0'
            Build = '3073234'
            Action = '5.0u3e'
          }
        )
      }
    )
  }
  
  Process
  {
    foreach($vc in $global:DefaultVIServers){
      Foreach($dc in (Get-Datacenter -Server $vc)){
        Foreach($esx in Get-VMHost -Location $dc -Server $vc){
          $product = $esx.ExtensionData.Config.Product
          foreach($entry in ($vmsaTab | where{$_.Product -eq $product.Name})){
            $esx | Select @{N='vCenter';E={$vc.Name}},
              @{N='Datacenter';E={$dc.Name}},
              @{N='Cluster';E={$_.Parent}},
              @{N='Name';E={$_.Name.Split('.')[0]}},
              @{N='Product';E={$product.Name}},
              Version,
              Build,
              @{N='CVE';E={$entry.Vulnerability}},
              @{N='Safe';E={
                $script:entrySafe = $entry.Safe | where{$esx.Version -match &quot;^$($_.Version)&quot;}
                if($script:entrySafe -ne $null){
                  if([int]$esx.Build -ge [int]$script:entrySafe.Build){[string]$true}else{[string]$false} 
                }
                else{'na'}
              }},
              @{N='Action';E={
                if($script:entrySafe -ne $null){
                  $script:entrySafe.Action
                }
                else{'na'}
              }}
          }
        }
      }
      $product = $vc.ExtensionData.Content.About
      foreach($entry in ($vmsaTab | where{$_.Product -eq $product.Name})){
        $vc | Select @{N='vCenter';E={$vc.Name}},
          @{N='Datacenter';E={''}},
          @{N='Cluster';E={''}},
          @{N='Name';E={$_.Name.Split('.')[0]}},
          @{N='Product';E={$product.Name}},
          Version,
          Build,
          @{N='CVE';E={$entry.Vulnerability}},
          @{N='Safe';E={
            $script:entrySafe = $entry.Safe | where{$vc.Version -match &quot;^$($_.Version)&quot;}
            if($script:entrySafe -ne $null){
              if([int]$vc.Build -ge [int]$script:entrySafe.Build){[string]$true}else{[string]$false}
            }
            else{'na'}
          }},
          @{N='Action';E={
            if($script:entrySafe -ne $null){
              $script:entrySafe.Action
            }
            else{'na'}
          }}
      }
    }
  }
}</pre><p></p>
<h3>Annotations</h3>
<p><strong>Line 17-85</strong>: The table that correlates each of the vulnerabilities with the vSphere Server version and build, and the fix mentioned in VMSA-2015-0007. Note that <a href="https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&amp;cmd=displayKC&amp;externalId=1014508" target="_blank">KB<span id="kbarticlename">1014508</span></a>, where one can normally find all update levels and the corresponding build number, is missing some of the proposed solutions from VMSA-2015-0007. For these I tried to determine the desired build number from the Product Download page under <a href="https://my.vmware.com/web/vmware/login" target="_blank">MyVMware</a>. Also note that the <strong>Product Patches</strong> page under MyVMware doesn&#8217;t seem to use the same terminology that is used in VMSA-2015-0007.</p>
<p><strong>Line 91</strong>: the script uses the connected vCenters, as available in $Global:DefaultVIServers, to scan. It&#8217;s important that you connect to the vCenter(s) before you call the function.</p>
<h2>Sample Usage</h2>
<p>The function will look at all connected vCenters. It uses the values in $Global:DefaultVIServers to find these connected vSphere vCenters. For each vCenter it will query all connected ESXi servers.</p>
<p></p><pre class="urvanov-syntax-highlighter-plain-tag">Get-VMSA-2015-0007 |
Export-Csv -Path C:\VMSA-2015-0007.csv -NoTypeInformation -UseCulture</pre><p></p>
<p>The function returns an object array with all results from the investigation. When you redirect the result to a CSV file, you will get something like this.</p>
<p><a href="https://www.lucd.info/2015/10/04/vmsa-2015-0007-report/patch-2/" rel="attachment wp-att-5024"><img decoding="async" class="alignnone size-full wp-image-5024" src="https://lucd.info/wp-content/uploads/2015/10/patch1.png" alt="patch" width="863" height="356" srcset="https://www.lucd.info/wp-content/uploads/2015/10/patch1.png 863w, https://www.lucd.info/wp-content/uploads/2015/10/patch1-300x124.png 300w" sizes="(max-width: 863px) 100vw, 863px" /></a></p>
<p><span style="background-color: #ffff00;">Note</span> that CVE-2015-1047 and CVE-2015-2342 list different fix levels for the vCenter. The report lists the build corresponding with the CVE (Common Vulnerabilities and Exposures). You should of course apply the highest build; that way you will comply with both requirements.</p>
<p>Should you find any discrepancies in the product, versions and build numbers, please let me know.</p>
<p>Enjoy!</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.lucd.info/2015/10/04/vmsa-2015-0007-report/feed/</wfw:commentRss>
			<slash:comments>10</slash:comments>
		
		
			</item>
		<item>
		<title>PowerCLI and the Linux Shellshock vulnerability</title>
		<link>https://www.lucd.info/2014/09/28/powercli-linux-shellshock-vulnerability/</link>
					<comments>https://www.lucd.info/2014/09/28/powercli-linux-shellshock-vulnerability/#comments</comments>
		
		<dc:creator><![CDATA[LucD]]></dc:creator>
		<pubDate>Sun, 28 Sep 2014 20:13:38 +0000</pubDate>
				<category><![CDATA[Linux]]></category>
		<category><![CDATA[PowerCLI]]></category>
		<category><![CDATA[PowerShell]]></category>
		<category><![CDATA[report]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Exploit]]></category>
		<category><![CDATA[Vulnerability]]></category>
		<guid isPermaLink="false">http://www.lucd.info/?p=4813</guid>

					<description><![CDATA[With all the fuss going round about the latest Linux vulnerability you will [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>With all the fuss going round about the latest Linux vulnerability, you will probably get a request from your local Security Officer to produce a report on which of your Linux systems are vulnerable to the <a href="https://en.wikipedia.org/wiki/Shellshock_%28software_bug%29" target="_blank" rel="noopener noreferrer">Shellshock</a> bug. And, given that there are already several known exploits, who can blame him for asking for such a report?</p>
<p><a href="https://www.lucd.info/2014/09/28/powercli-linux-shellshock-vulnerability/shellshock-main/" rel="attachment wp-att-4814"><img decoding="async" class="alignnone wp-image-4814 size-medium" title="PowerCLI report on the Linux Shellshock bug" src="https://lucd.info/wp-content/uploads/2014/09/shellshock-main-300x174.png" alt="shellshock-main" width="300" height="174" srcset="https://www.lucd.info/wp-content/uploads/2014/09/shellshock-main-300x174.png 300w, https://www.lucd.info/wp-content/uploads/2014/09/shellshock-main.png 600w" sizes="(max-width: 300px) 100vw, 300px" /></a></p>
<p>Since a lot of these Linux boxes are running under vSphere, we can use <a href="https://communities.vmware.com/community/vmtn/automationtools/powercli" target="_blank" rel="noopener noreferrer">PowerCLI</a> to produce such a report. The <a href="https://www.vmware.com/support/developer/PowerCLI/PowerCLI58R1/html/Invoke-VMScript.html" target="_blank" rel="noopener noreferrer">Invoke-VMScript</a> cmdlet is the vehicle I use in the following function. With the Invoke-VMScript cmdlet it is very easy to execute what is considered the <a href="https://security.stackexchange.com/questions/68168/is-there-a-short-command-to-test-if-my-server-is-secure-against-the-shellshock-b" target="_blank" rel="noopener noreferrer">best test</a> to check for the vulnerability.</p>
<p><span style="background-color: #ffff00;"><strong>Update2 September 29 2014</strong></span>: the 2nd test from the Shellshocker site gives a syntax error. The test is replaced by the one found on <a href="https://twitter.com/mboelen">Michael Boelen</a>&#8217;s website in <a href="https://linux-audit.com/protect-shellshock-bash-vulnerability/">How to protect yourself against Shellshock Bash vulnerability</a>. Big thanks to <a href="https://twitter.com/wilva">Wil van Antwerpen</a> for the pointer.</p>
<p><span style="background-color: #ffff00;"><strong>Update1 September 29 2014</strong></span>: the function was updated to include tests for most of the known Shellshock vulnerabilities. The tests were collected from the Shellshocker site.<br />
<span id="more-4813"></span></p>
<h2>The Linux Shellshock Bug</h2>
<p>The <a href="https://en.wikipedia.org/wiki/Shellshock_%28software_bug%29">Shellshock</a>, or Bash Bug, is a security issue in the Unix Bash shell. With specially crafted environment variables, a hacker can have malicious code executed on a Linux system.</p>
<p>Given the widespread use of the Bash shell, the risk posed by this bug should not be underestimated.</p>
<h2>The Script</h2>
<p></p><pre class="urvanov-syntax-highlighter-plain-tag">function Get-VMShellShock{
&lt;#
.SYNOPSIS  Check for ShellShock vulnerability
.DESCRIPTION The function will connect to all VMs, that run
  a Linux guest OS, to check if they are vulnerable for
  the ShellShock bug
.NOTES  Author:  Luc Dekens
.PARAMETER Location
  The function will check all VMs in this Location. This can
  be a Cluster, a Datacenter, a Folder, a Datastore...
.PARAMETER VM
  The function will check all VMs passed on this parameter.
.PARAMETER Credential
  The credential to logon to the Linux guest OS
.EXAMPLE
  PS&gt; Get-VMShellShock -VM vm1 -Credential $cred
.EXAMPLE
  PS&gt; Get-VMShellShock -Location $cluster -Credential $cred
#&gt;

  [CmdletBinding()]
  param(
  [parameter(Mandatory=$true,ParameterSetName = &quot;Location&quot;)]
  [VMware.VimAutomation.Sdk.Types.V1.VIObject]$Location,
  [parameter(Mandatory=$true,ParameterSetName = &quot;VM&quot;)]
  [PSObject[]]$VM,
  [System.Management.Automation.PSCredential]$Credential
  )

  Begin{
    $exploits = @{
        'CVE_2014_6271' = 'x=''() { :;}; echo VULNERABLE'' bash -c :'
        'CVE_2014_7169' = 'env X=''() { (a)=&gt;\'' bash -c &quot;echo echo nonvuln&quot; 2&gt;/dev/null; [[ &quot;$(cat echo 2&gt; /dev/null)&quot; == &quot;nonvuln&quot; ]] &amp;&amp; echo &quot;vulnerable&quot; 2&gt; /dev/null'
        'CVE_2014_7186' = 'bash -c ''true &lt;&lt;EOF &lt;&lt;EOF &lt;&lt;EOF &lt;&lt;EOF &lt;&lt;EOF &lt;&lt;EOF &lt;&lt;EOF &lt;&lt;EOF &lt;&lt;EOF &lt;&lt;EOF &lt;&lt;EOF &lt;&lt;EOF &lt;&lt;EOF &lt;&lt;EOF'' || echo &quot;vulnerable&quot;'
        'CVE_2014_7187' = '(for x in {1..200} ; do echo &quot;for x$x in ; do :&quot;; done; for x in {1..200} ; do echo done ; done) | bash || echo &quot;vulnerable&quot;'
    }
    $oldProgressPreference = $ProgressPreference
    $ProgressPreference = &quot;SilentlyContinue&quot;
  }

  Process{
    if($PSCmdlet.ParameterSetName -eq &quot;Location&quot;){
      $vms = Get-VM -Location $Location | where {$_.GuestId -match &quot;rhel|sles&quot;}
    }
    elseif($PSCmdlet.ParameterSetName -eq &quot;VM&quot;){
      $vms = $VM| %{
        if($_ -is [System.String]){
          Get-VM -Name $_ | where {$_.GuestId -match &quot;rhel|sles&quot;}
        }
        else{
          $_
        }
      }
    }

    foreach($vm in $vms){
      $logon = &quot;ok&quot;
      $CVE_2014_6271 = $CVE_2014_7169 = $CVE_2014_7186 = $CVE_2014_7187 = $null
      if($vm.Guest.State -ne &quot;notRunning&quot;){
        $exploits.GetEnumerator() | %{
            Try{
              $result = Invoke-VMScript -VM $vm -ScriptText $_.Value -GuestCredential $Credential -ScriptType Bash -ErrorAction Stop
              Set-Variable -Name $_.Name -Value ($result.ScriptOutput -match &quot;VULNERABLE&quot;)
            }
            Catch [VMware.VimAutomation.ViCore.Types.V1.ErrorHandling.InvalidGuestLogin]{
              $logon = &quot;Guest logon failed&quot;
            }
            Catch [VMware.VimAutomation.Sdk.Types.V1.ErrorHandling.VimException.VimException]{
              if($error[0].Exception.Message -match &quot;Failed to resolve host&quot;){
                $logon = &quot;Failed to resolve host&quot;
              }
              else{
                $logon = $error[0].Exception.Message
              }
            }
            Catch{
              $logon = $error[0].Exception.Message
            }
        }
      }
      New-Object PSObject -Property @{
        VM = $vm.Name
        OS = $vm.GuestId
        &quot;OS Full&quot; = $vm.Guest.OSFullName
        &quot;VMware Tools&quot; = $vm.Guest.State
        Logon = $logon
        CVE_2014_6271 = $CVE_2014_6271
        CVE_2014_7169 = $CVE_2014_7169
        CVE_2014_7186 = $CVE_2014_7186
        CVE_2014_7187 = $CVE_2014_7187
      }
    }
  }

  End{
    $ProgressPreference = $oldProgressPreference
  }
}</pre><p></p>
<h4>Annotations</h4>
<p><strong>Line 23-26</strong>: The function supports two parameter sets, <strong>Location</strong> and <strong>VM</strong><br />
<strong>Line 31-36</strong>: The tests that are executed inside the Linux OS to determine if the guest OS is vulnerable to any of the known vulnerabilities. Tests 1, 3 and 4 come from the Shellshocker website.<br />
<strong>Line 33</strong>: Test 2 comes from the <a href="https://linux-audit.com/protect-shellshock-bash-vulnerability/">Linux Audit website</a><br />
<strong>Line 43</strong>: The function currently only looks at <strong>Red Hat</strong> and <strong>SUSE</strong> systems, since these are currently the only ones I have to test. If someone needs to include other Linux distros, please contact me, and I can update the function.<br />
<strong>Line 46-53</strong>: A simple implementation of <strong>Object By Name</strong><br />
<strong>Line 60</strong>: All the tests in the <strong>$exploits</strong> hash table are executed<br />
<strong>Line 61-78</strong>: The Try part will use Invoke-VMScript to execute the vulnerability test inside the guest OS. The Catch parts provide more information on why a call to Invoke-VMScript might have failed. The last Catch code block is the &#8220;catch-all&#8221;.<br />
<strong>Line 81-91</strong>: The results are returned as an object.</p>
<h2>Sample Runs</h2>
<p>The function accepts two types of calls, the first one uses the Location parameter. Then the function will check all VMs under that Location that run a Linux guest OS.</p>
<p></p><pre class="urvanov-syntax-highlighter-plain-tag">$username = &quot;root&quot;
$pswd = &quot;MyPassword&quot;

$pswdSecure = ConvertTo-SecureString -String $pswd -AsPlainText -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username,$pswdSecure

Get-VMShellShock -Location (Get-Cluster -Name MyCluster) -Credential $cred |
Select VM,OS,&quot;OS Full&quot;,&quot;VMware Tools&quot;,CVE_2014_6271,CVE_2014_7169,CVE_2014_7186,CVE_2014_7187,Logon |
Export-Csv c:\shellshock.csv -NoTypeInformation -UseCulture</pre><p></p>
<p>The second way to call the function uses the VM parameter. On this parameter you can pass one or more VMs, be it by name or by object.</p>
<p></p><pre class="urvanov-syntax-highlighter-plain-tag">$vm = Get-VM -Name lsrv001
Get-VMShellShock -VM $vm -Credential $cred |
Select VM,OS,&quot;OS Full&quot;,&quot;VMware Tools&quot;,CVE_2014_6271,CVE_2014_7169,CVE_2014_7186,CVE_2014_7187,Logon</pre><p></p>
<p>The result, when saved in a CSV file, looks something like this.</p>
<p><a href="https://www.lucd.info/2014/09/28/powercli-linux-shellshock-vulnerability/shellshock-report/" rel="attachment wp-att-4829"><img loading="lazy" decoding="async" class="alignnone wp-image-4829 size-full" title="Linux Shellshock report" src="https://lucd.info/wp-content/uploads/2014/09/shellshock-report.png" alt="shellshock-report" width="1511" height="231" srcset="https://www.lucd.info/wp-content/uploads/2014/09/shellshock-report.png 1511w, https://www.lucd.info/wp-content/uploads/2014/09/shellshock-report-300x45.png 300w, https://www.lucd.info/wp-content/uploads/2014/09/shellshock-report-1024x156.png 1024w" sizes="auto, (max-width: 1511px) 100vw, 1511px" /></a></p>
<h2>Community Participation</h2>
<p>As I mentioned in the Annotations, the current function <strong>only</strong> looks at <strong>Red Hat</strong> and <strong>SUSE</strong> installations. The simple reason for that is that I currently do not have any other distributions available for testing in my lab.</p>
<p>If you use other Linux distributions in your VMs, please let me know which tests are conclusive for that guest OS. And I will try to add them to the function.</p>
<p>Enjoy !</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.lucd.info/2014/09/28/powercli-linux-shellshock-vulnerability/feed/</wfw:commentRss>
			<slash:comments>2</slash:comments>
		
		
			</item>
	</channel>
</rss>
