  • 1.  List VMs with USB controllers attached (CVE-2022-31705)

    Posted Dec 14, 2022 04:17 PM

    Hello,

    I'm looking at the vulnerability CVE-2022-31705 which suggests removing the USB controller from VMs.

    I'm trying to list this and tried the following, but it only shows VMs with 'USB Controller' 2.0 or 3.1. We have many VMs with USB xHCI Controller 3.1 also that don't get listed. However I can tell if the vulnerability is related to that also.

     Get-View -ViewType VirtualMachine -Property Name,'Config.Hardware' | Where-Object { $_.Config.Hardware.Device.Where({$_.gettype().name -match 'VirtualUSBController'}) } | Select-Object -ExpandProperty Name 

      

    Any help would be great.



  • 2.  RE: List VMs with USB controllers attached (CVE-2022-31705)

    Posted Dec 14, 2022 05:16 PM

    You should also include the VirtualUSBXHCIController type in your Where-clause.
    That type is not derived from VirtualUSBController, hence the script won't find it.
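
The type-based check suggested in this reply, as an added example that is not part of the original thread: it matches both VirtualUSBController and VirtualUSBXHCIController and reports which one each VM has. The function name Get-VMUsbControllerReport is hypothetical, and a PowerCLI session already connected with Connect-VIServer is assumed.

```powershell
# Added example (not from the thread). Assumes VMware PowerCLI is loaded and
# Connect-VIServer has already been run. The function name is hypothetical.
function Get-VMUsbControllerReport {
    # VirtualUSBXHCIController is not derived from VirtualUSBController,
    # so both type names have to be listed explicitly.
    $usbTypes = 'VirtualUSBController', 'VirtualUSBXHCIController'

    Get-View -ViewType VirtualMachine -Property 'Name', 'Runtime.PowerState', 'Config.Hardware.Device' |
        ForEach-Object {
            $vm = $_
            # Config is $null for inaccessible VMs; the loop then runs zero times.
            foreach ($dev in $vm.Config.Hardware.Device) {
                $typeName = $dev.GetType().Name
                if ($usbTypes -notcontains $typeName) { continue }

                # One row per controller, so a VM with both types appears twice.
                [pscustomobject]@{
                    VM             = $vm.Name
                    PowerState     = $vm.Runtime.PowerState
                    ControllerType = $typeName
                    Label          = $dev.DeviceInfo.Label
                    # EhciEnabled exists only on VirtualUSBController (USB 2.0 support flag).
                    EhciEnabled    = if ($typeName -eq 'VirtualUSBController') { $dev.EhciEnabled } else { $null }
                }
            }
        }
}

Get-VMUsbControllerReport | Sort-Object VM, ControllerType | Format-Table -AutoSize
```

Piping the function's output to Export-Csv instead of Format-Table gives a list that can be reviewed before any controller is removed.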



  • 3.  RE: List VMs with USB controllers attached (CVE-2022-31705)

    Posted Dec 15, 2022 06:54 PM

    https://www.vmware.com/security/advisories/VMSA-2022-0033.html

    1. Is the USB 3.1 (xHCI) Controller affected? The article only lists the USB 2.0 (EHCI) Controller, however the script they provide to remove it will remove all USB Controller versions. We have hundreds of VMs with the USB 3.1 (xHCI) Controller and only a few using the 2.0 Controller.

    2. Are the ESXi 6.7 and 6.5 OSes affected as well? The article only mentions ESXi 8.0 and 7.0, and we are not sure if the older versions are not listed because they are no longer supported by VMware.



  • 4.  RE: List VMs with USB controllers attached (CVE-2022-31705)

    Posted Dec 22, 2022 02:47 PM

    The KB specifically lists a problem with the USB 2.0 EHCI controllers, so one can assume that the xHCI controllers are not affected.

    I have tested adding and removing USB 2.0 and 3.1 controllers to a VM and I think the following code works:

    # VMs with USB 1.1 or 2.0 EHCI controller 'USB controller'
    Get-VM | ?{$_.ExtensionData.Config.Hardware.Device.DeviceInfo.Label -match "USB controller"}
    
    # VMs with USB 3.1 xHCI controller 'USB xHCI controller'
    Get-VM | ?{$_.ExtensionData.Config.Hardware.Device.DeviceInfo.Label -match "xhci"}

     

    This vulnerability reinforces the thought that VMs should only be configured with the hardware they actually need to function. 99.9% of the VMs I have looked after have no need for a virtual USB controller.