VMware

Check for XHCI USB controller on VMs / VMSA 2020-0026

Yesterday, on 11/19/2020, VMware released a new Security Advisory which contains information how to fix the CVE-2020-4004 & CVE-2020-4005.

With that VMware also released a new set of patches. As usual the general recommendation is to deploy these as soon as possible, as the CVE score is 9.3 (CVE-2020-4004, VMware severity “critical”) and 8.8 (CVE-2020-4005, VMware severity “important”).

If patching is not an option right know, you can consider the workaround mentioned for the first CVE and remove the XHCI USB controller from the VMs for which it isn’t needed.

To check if your VMs are using this type of controller you can use the following PowerCLI script:

#List all VMs from the connected vCenter with a configured XHCI USB controller 
#Usefull for the workaround of VMSA 2020-0026 (https://www.vmware.com/security/advisories/VMSA-2020-0026.html)
#Usage: first connect to vCenter, then run the script
#Output: c:\tmp\xhci_Controller_present.csv

Get-View -ViewType VirtualMachine -Property Name, Config.Hardware.Device -PipelineVariable vm |
ForEach-Object -Process {

$_.Config.Hardware.Device | where {$_ -is [VMware.Vim.VirtualUSBXHCIController] } |

  select @{Name='VM';Expression={ $vm.Name }}, @{Name='Controller';Expression={ $_.DeviceInfo.Label }}

} | Export-Csv -Path c:\tmp\xhci_Controller_present.csv -Encoding ascii -NoTypeInformation

More information:

(Visited 48 times, 1 visits today)

Author

I have more than 13 years experience in the Telco and IT business. Most of this time I spent with VMware environments in the SMB / Enterprise environment. At first I worked in the support department, then I changed to the consulting area and then to the operations and architecture team of a large provider of IT solutions for tax consultants. Currently I work as a Technical Account Manager at VMware. I have an affinity for VDI solutions with a strong technical background in the core product range of our company.

Leave a Reply

Your email address will not be published. Required fields are marked *