VMware Tools for Windows update addresses a denial-of-service vulnerability


Userlevel 7
Badge +9

VMware Tools is a set of services and modules that enable several features in VMware products for better management of guests operating systems and seamless user interactions with them. VMware Tools has the ability to pass messages from the host operating system to the guest operating system.

 

Therefore, VMware Tools is a suite of utilities that enhances the performance of the virtual machine guest operating system and improves the management of the virtual machine. Without VMware Tools installed in your guest operating system, guest performance lacks important functionality. Installing VMware Tools improves these issues low video resolution, inadequate color depth, incorrect display of network speed, restricted movement of the mouse, inability to copy and paste and drag and drop files, missing sound, and provides the ability to take quiesced snapshots of the guest OS, and synchronises the time in the guest operating system with the time on the host

 

Impacted Product

VMware Tools for Windows

A denial-of-service vulnerability in VMware Tools for Windows was privately reported to VMware. Updates are available to remediate this vulnerability in affected VMware products.

Issue description

VMware Tools for Windows contains a denial-of-service vulnerability in the VM3DMP driver. VMware has evaluated the severity of this issue to be in the Low Severity Range with a maximum CVSSv3 base score of 3.3.

How can this vulnerability be exploited?

On devices where the VMware Tools is installed, an attacker (a malicious actor) with local user privileges in the Windows guest OS can trigger a PANIC in the VM3DMP driver leading to a denial-of-service condition in the Windows guest OS.

 

How can this vulnerability be exploited?

This vulnerability does not have a workaround. To remediate this issue (CVE-2022-31693), please apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

 

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
VMware Tools for Windows 12.x.y, 11.x.y and 10.x.y Windows CVE-2022-31693 3.3 Low 

12.1.5

 

None

 

 

Here is the link to the original blogpost.

 


14 comments

Userlevel 7
Badge +20

Thanks for sharing.  Amazing how much these tools are affected but good to keep them updated.  Nice to also see some of the drivers for this coming to the Windows Update as well as the overall packages from VMware.

Userlevel 7
Badge +6

I should make another post for this, but I’m curious of anyone is aware of a tool that can be used to upgrade multiple vCenter’s and Hosts remotely for multiple clients.  To be clear, I have 20-30 VMware environments that I manage, and vCenter Update Manager/Lifecycle Manager does a great job of patching hosts and keeping up to date itself from the appliance management, but each environment is managed one by one which is quite the task.  Our RMM manages our Windows boxes, etc, but it would be great if there was a tool to manage or even just monitor versions and available patches, etc for VMware environments.  I did some looking to see if there were any tools for this sort of thing a year ago or so, but didn’t really find anything.

Userlevel 7
Badge +9

I should make another post for this, but I’m curious of anyone is aware of a tool that can be used to upgrade multiple vCenter’s and Hosts remotely for multiple clients.  To be clear, I have 20-30 VMware environments that I manage, and vCenter Update Manager/Lifecycle Manager does a great job of patching hosts and keeping up to date itself from the appliance management, but each environment is managed one by one which is quite the task.  Our RMM manages our Windows boxes, etc, but it would be great if there was a tool to manage or even just monitor versions and available patches, etc for VMware environments.  I did some looking to see if there were any tools for this sort of thing a year ago or so, but didn’t really find anything.

Maybe this is what you need as per your description: https://docs.vmware.com/en/VMware-Tools/10.3.0/com.vmware.vsphere.vmwaretools.doc/GUID-7E1225DC-9CC6-401A-BE40-D78110F9441C.html, or https://thesleepyadmins.com/2021/08/08/upgrading-vmware-tools-different-methods/

Take a look at this too:https://blogs.vmware.com/vsphere/2018/09/automating-upgrade-of-vmware-tools-and-vmware-compatibility.html

Userlevel 7
Badge +6

Well in this case, I’m looking to upgrade more than just tools, but also upgrade vSphere ESXI and the VSCA.  But…the first list you sent looks like a series for upgrading the PSC/VCSA and ESXI and such, so this may be helpful.  And I hadn’t considered automating using the CLI though I have performed updates via the CLI in the past on really small environments where the VCSA runs on the only host present making it difficult to use VUM/VLM as it will have to be taken offline to perform the update of the host.  Thanks for pointing this out and I’ll do a bit more digging!

Userlevel 7
Badge +7

Ah nice one! I didn’t see this earlier and created a duplicate on the Security Group. For some reason I no longer get notifications from the Community boards. 

Userlevel 7
Badge +6

Ah nice one! I didn’t see this earlier and created a duplicate on the Security Group. For some reason I no longer get notifications from the Community boards. 

Go here (https://community.veeam.com/settings/general) to turn on your notifications.  More than once (or 6 or 7 times or more) I’ve actually clicked the link at the bottom of the email to turn off notifications rather than the link to go to the posting I wanted to read, and had to go here to turn things back on.

 

Userlevel 7
Badge +14

Thank you for posting this, I'll update those in a next maintenance window.

 

Fun fact, easiest way on Windows is with Chocolatey, no need to change anything on your host to include the vmware tools ISO, just install / upgrade the vmware-tools package.

choco install vmware-tools

choco upgrade vmware-tools

Userlevel 7
Badge +20

Thank you for posting this, I'll update those in a next maintenance window.

 

Fun fact, easiest way on Windows is with Chocolatey, no need to change anything on your host to include the vmware tools ISO, just install / upgrade the vmware-tools package.

choco install vmware-tools

choco upgrade vmware-tools

This is how I do it in my HomeLab. 😁

Userlevel 7
Badge +14

Thank you for posting this, I'll update those in a next maintenance window.

 

Fun fact, easiest way on Windows is with Chocolatey, no need to change anything on your host to include the vmware tools ISO, just install / upgrade the vmware-tools package.

choco install vmware-tools

choco upgrade vmware-tools

This is how I do it in my HomeLab. 😁

  

Screenshot from The Mandalorian (Lucasfilm Ltd. LLC) with the text “This is the way”

 

Userlevel 7
Badge +9

Ah nice one! I didn’t see this earlier and created a duplicate on the Security Group. For some reason I no longer get notifications from the Community boards. 

Go here (https://community.veeam.com/settings/general) to turn on your notifications.  More than once (or 6 or 7 times or more) I’ve actually clicked the link at the bottom of the email to turn off notifications rather than the link to go to the posting I wanted to read, and had to go here to turn things back on.

 

You just did the magic for me. I get emails only on topics i engage in. I come on here to check on active participants and then engage. I can see some settings were set to no for me. I hope this resolves my issue.

Userlevel 7
Badge +7

Ah nice one! I didn’t see this earlier and created a duplicate on the Security Group. For some reason I no longer get notifications from the Community boards. 

Go here (https://community.veeam.com/settings/general) to turn on your notifications.  More than once (or 6 or 7 times or more) I’ve actually clicked the link at the bottom of the email to turn off notifications rather than the link to go to the posting I wanted to read, and had to go here to turn things back on.

 

Thank you! That seems to have done it :) 

Userlevel 7
Badge +7

Great post!  

 

Having upgraded VMware tools is also part of the Veeam best practices.  Veeam uses the VMX for things like Networkless restores, and AAP processing can be done from VMX as well.  Bit as mentioned in the article VMtools also affect speed and performance and API integration.  Fun fact - The Veeam One reporter has a Backup assessment report that on VMs that have outdated VMtools.  

 

The VM assessment report also reports on that.  And of course, everyone updates their VMtools all the time right? ;) 

Userlevel 7
Badge +20

Great post!  

 

Having upgraded VMware tools is also part of the Veeam best practices.  Veeam uses the VMX for things like Networkless restores, and AAP processing can be done from VMX as well.  Bit as mentioned in the article VMtools also affect speed and performance and API integration.  Fun fact - The Veeam One reporter has a Backup assessment report that on VMs that have outdated VMtools.  

 

The VM assessment report also reports on that.  And of course, everyone updates their VMtools all the time right? ;) 

This is a report in VONE that we are using more and more now that we are upgrading VMware across all our DCs as we need to then tell clients to update the VM hardware versions and tools as well.  😁

Userlevel 7
Badge +9

Great post!  

 

Having upgraded VMware tools is also part of the Veeam best practices.  Veeam uses the VMX for things like Networkless restores, and AAP processing can be done from VMX as well.  Bit as mentioned in the article VMtools also affect speed and performance and API integration.  Fun fact - The Veeam One reporter has a Backup assessment report that on VMs that have outdated VMtools.  

 

The VM assessment report also reports on that.  And of course, everyone updates their VMtools all the time right? ;) 

Thanks a lot! 

> Fun fact - The Veeam One reporter has a Backup assessment report that on VMs that have outdated VMtools.  

I was about suggesting this to @dloseke, but I couldn’t since I haven’t tried it.

Thank you for pointing this out!

Comment