VMware Tools Vulnerability Audit August 2022
Security Software VulnerabilityFind Outdated VMware Tools Installations in Your Network
VMware released a new security advisory for VMware Tools to address a local privilege escalation vulnerability CVE-2022-31676 that affects VMware Tools versions 10, 11, and 12. To secure your network, VMware advises its users to update their installations to version 12.1.0 or 10.3.25 (only for older Linux releases). With the audit below you can check if machines within your network are using VMware tools 10.
Discover if your VMware guests have an up-to-date VMware Tools installed or if you still have vulnerable guests in your network. You can read more information about this vulnerability in our VMware Tools vulnerability blog post.
VMware Tools Audit Query
Select Top 1000000 tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tsysAssetTypes.AssetTypename As AssetType,
tblAssets.Username,
tblAssets.Userdomain,
Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon,
tblAssets.IPAddress,
tblSoftwareUni.softwareName As Software,
tblSoftware.softwareVersion As Version,
tblSoftwareUni.SoftwarePublisher As Publisher,
tsysIPLocations.IPLocation,
tblAssetCustom.Manufacturer,
tblAssetCustom.Model,
Coalesce(tsysOS.OSname, tblSccmAsset.OsCaption,
tblSccmAsset.OperatingSystemNameandVersion) As OS,
tblAssets.Version As OSVersion,
Case
When tblErrors.ErrorText Is Not Null Or
tblErrors.ErrorText != '' Then
'Scanning Error: ' + tsysasseterrortypes.ErrorMsg
Else ''
End As ScanningErrors,
tblAssets.Lastseen,
tblAssets.Lasttried
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tsysIPLocations On tsysIPLocations.LocationID =
tblAssets.LocationID
Inner Join tblState On tblState.State = tblAssetCustom.State
Inner Join tblSoftware On tblAssets.AssetID = tblSoftware.AssetID
Inner Join tblSoftwareUni On tblSoftwareUni.SoftID = tblSoftware.softID
Left Outer Join tsysOS On tsysOS.OScode = tblAssets.OScode
Left Outer Join tblSccmAsset On tblAssets.AssetID = tblSccmAsset.AssetId
Left Join (Select Distinct Top 1000000 tblErrors.AssetID As ID,
Max(tblErrors.Teller) As ErrorID
From tblErrors
Group By tblErrors.AssetID) As ScanningError On tblAssets.AssetID =
ScanningError.ID
Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype =
tblErrors.ErrorType
Where tblSoftwareUni.softwareName = 'VMware Tools' And
(((tblSoftware.softwareVersion Like '12%' Or tblSoftware.softwareVersion Like
'11%' Or tblSoftware.softwareVersion Like '10%') And
(Cast(ParseName(tblSoftware.softwareVersion, 4) As bigint) < 12)) Or
((tblSoftware.softwareVersion Like '12%' Or tblSoftware.softwareVersion Like
'11%' Or tblSoftware.softwareVersion Like '10%') And
(Cast(ParseName(tblSoftware.softwareVersion, 4) As bigint) = 12 And
Cast(ParseName(tblSoftware.softwareVersion, 3) As bigint) < 1))) And
tblState.Statename = 'Active'
Union
Select Top 1000000 tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tsysAssetTypes.AssetTypename As AssetType,
tblLinuxUser.UserName,
tblAssets.Userdomain,
tsysAssetTypes.AssetTypeIcon10 As icon,
tblAssets.IPAddress,
subquery1.Software,
subquery1.Version,
subquery1.Publisher,
tsysIPLocations.IPLocation,
tblAssetCustom.Manufacturer,
tblAssetCustom.Model,
tblLinuxSystem.OSRelease As OS,
tblAssets.Version As OSVersion,
Case
When tblErrors.ErrorText Is Not Null Or
tblErrors.ErrorText != '' Then
'Scanning Error: ' + tsysasseterrortypes.ErrorMsg
Else ''
End As ScanningErrors,
tblAssets.Lastseen As [Last successful scan],
tblAssets.Lasttried As [Last scan attempt]
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tsysIPLocations On tsysIPLocations.LocationID =
tblAssets.LocationID
Inner Join tblState On tblState.State = tblAssetCustom.State
Inner Join tblLinuxSystem On tblAssets.AssetID = tblLinuxSystem.AssetID
Inner Join tblLinuxUser On tblAssets.AssetID = tblLinuxUser.AssetID
Inner Join tblLinuxUserLogon On tblLinuxUserLogon.Id = tblLinuxUser.id
Inner Join (Select tblLinuxUser.AssetId,
Max(tblLinuxUserLogon.LogonTime) As MaxLogontime
From tblLinuxUser
Inner Join tblLinuxUserLogon On tblLinuxUserLogon.Id = tblLinuxUser.id
Group By tblLinuxUser.assetid) As subquery2 On subquery2.MaxLogontime =
tblLinuxUserLogon.LogonTime
Inner Join (Select tblSoftwareUni.softwareName As Software,
tblSoftwareUni.SoftwarePublisher As Publisher,
tblLinuxSoftware.LastChanged,
tblLinuxSoftware.assetid,
Case
When tblLinuxSystem.OSRelease Like '%Ubuntu%' And
tblLinuxSoftware.Version Like '%-%' And tblLinuxSoftware.Version Like
'%.%.%[^0-9]%' Then Replace(SubString(tblLinuxSoftware.Version,
CharIndex(':', tblLinuxSoftware.Version) + 1, CharIndex('-',
tblLinuxSoftware.Version) - 1 - CharIndex(':',
tblLinuxSoftware.Version) + Len('-')), '-', '')
When tblLinuxSystem.OSRelease Like '%debian%' And
tblLinuxSoftware.Version Like '%-%' And tblLinuxSoftware.Version Like
'%.%.%[^0-9]%' Then Replace(SubString(tblLinuxSoftware.Version,
CharIndex(':', tblLinuxSoftware.Version) + 1, CharIndex('-',
tblLinuxSoftware.Version) - 1 - CharIndex(':',
tblLinuxSoftware.Version) + Len('-')), '-', '')
Else tblLinuxSoftware.Version
End As Version
From tblLinuxSoftware
Inner Join tblSoftwareUni On tblSoftwareUni.SoftID =
tblLinuxSoftware.SoftwareUniID
Inner Join tblLinuxSystem On tblLinuxSoftware.AssetID =
tblLinuxSystem.AssetID
Where tblSoftwareUni.softwareName Like 'open-vm-tools%') As subquery1 On
subquery1.assetid = tblAssets.assetid
Left Join (Select Distinct Top 1000000 tblErrors.AssetID As ID,
Max(tblErrors.Teller) As ErrorID
From tblErrors
Group By tblErrors.AssetID) As ScanningError On tblAssets.AssetID =
ScanningError.ID
Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype =
tblErrors.ErrorType
Where (subquery1.Software In ('open-vm-tools', 'open-vm-tools-desktop') And
(subquery1.Version Like '12%' Or subquery1.Version Like '11%') And
Cast(ParseName(subquery1.Version, 3) As bigint) < 12 And
tblState.Statename = 'Active') Or
((subquery1.Version Like '12%' Or subquery1.Version Like '11%') And
Cast(ParseName(subquery1.Version, 3) As bigint) = 12 And
Cast(ParseName(subquery1.Version, 2) As bigint) < 1) Or
(subquery1.Version Like '10%' And Cast(ParseName(subquery1.Version,
2) As bigint) < 3) Or
(subquery1.Version Like '10%' And Cast(ParseName(subquery1.Version,
2) As bigint) = 3 And Cast(ParseName(subquery1.Version, 1) As bigint) < 25)
Order By Domain,
AssetName,
Software