Multiple VMware Software Vulnerabilities Audit

Find Vulnerable VMware Software Tools, VMRC, App Volumes and Carbon Black App Control Installations

VMware released two new security advisories regarding its software tools. CVE-2021-21999, a local privilege escalation vulnerability, affects VMware Tools, VMRC and VMware App Volumes. The vulnerability has a CVSSv3 base score of 7.8. The second vulnerability is more critical, with a CVSSv3 base score of 9.4, it is important to update your Carbon Black App Control installation as soon as possible. Tracked as CVE-2021-21998, the Carbon Black App Control vulnerability is an authentication bypass in the VMware Carbon Black App Control management server.

To secure your network, it is important you update affecting VMware software as soon as possible. With the audit below you can check if machines within your network are using any of the vulnerable software versions mentioned in the VMware advisories. The audit checks if the versions of the tools meet the minimum fixed versions listed in the VMware advisories.

VMware Software Vulnerability Query

Select Distinct Top 1000000 tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tsysAssetTypes.AssetTypename As AssetType,
tblAssets.Username,
tblAssets.Userdomain,
tsysAssetTypes.AssetTypeIcon10 As icon,
tblAssets.IPAddress,
tsysIPLocations.IPLocation,
tblAssetCustom.Manufacturer,
tblAssetCustom.Model,
tsysOS.OSname As OS,
subquery1.[Carbon Black App Control (VMSA-2021-0012)],
subquery2.[VMware Tools (VMSA-2021-0013)],
subquery3.[VMware Remote Console(VMSA-2021-0013)],
subquery4.[App Volumes (VMSA-2021-0013)],
Case
When tblErrors.ErrorText Is Not Null Or
tblErrors.ErrorText != '' Then
'Scanning Error: ' + tsysasseterrortypes.ErrorMsg
Else ''
End As ScanningErrors,
tblAssets.Lastseen,
tblAssets.Lasttried,
Case
When subquery1.[Carbon Black App Control (VMSA-2021-0012)] <> 'Safe' Then
'#ffadad'
When subquery2.[VMware Tools (VMSA-2021-0013)] <> 'Safe' Then '#ffadad'
When subquery3.[VMware Remote Console(VMSA-2021-0013)] <> 'Safe' Then
'#ffadad'
When subquery4.[App Volumes (VMSA-2021-0013)] <> 'Safe' Then '#ffadad'
Else '#d4f4be'
End As backgroundcolor
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tsysIPLocations On tsysIPLocations.LocationID =
tblAssets.LocationID
Inner Join tblSoftware On tblAssets.AssetID = tblSoftware.AssetID
Inner Join tblSoftwareUni On tblSoftwareUni.SoftID = tblSoftware.softID
Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
Inner Join tblState On tblState.State = tblAssetCustom.State
Left Join (Select Distinct Top 1000000 tblErrors.AssetID As ID,
Max(tblErrors.Teller) As ErrorID
From tblErrors
Group By tblErrors.AssetID) As ScanningError On tblAssets.AssetID =
ScanningError.ID
Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype =
tblErrors.ErrorType
Left Join (Select Top 1000000 tblAssets.AssetID,
Case
When tblSoftwareUni.softwareName Like '%Carbon Black%' And
tblSoftwareUni.SoftwarePublisher Like '%VMware%' And
Cast(ParseName(tblSoftware.softwareVersion, 4) As bigint) > 8 Then
'Safe'
When tblSoftwareUni.softwareName Like '%Carbon Black%' And
tblSoftwareUni.SoftwarePublisher Like '%VMware%' And
Cast(ParseName(tblSoftware.softwareVersion, 4) As bigint) = 8 And
Cast(ParseName(tblSoftware.softwareVersion, 3) As bigint) > 6 Then
'Safe'
When tblSoftwareUni.softwareName Like '%Carbon Black%' And
tblSoftwareUni.SoftwarePublisher Like '%VMware%' And
Cast(ParseName(tblSoftware.softwareVersion, 4) As bigint) = 8 And
Cast(ParseName(tblSoftware.softwareVersion, 3) As bigint) = 6 And
Cast(ParseName(tblSoftware.softwareVersion, 2) As bigint) > 1 Then
'Safe'
When tblSoftwareUni.softwareName Like '%Carbon Black%' And
tblSoftwareUni.SoftwarePublisher Like '%VMware%' And
Cast(ParseName(tblSoftware.softwareVersion, 4) As bigint) = 8 And
Cast(ParseName(tblSoftware.softwareVersion, 3) As bigint) = 6 And
Cast(ParseName(tblSoftware.softwareVersion, 2) As bigint) Between 0
And 1 Then 'Vulnerable'
When tblSoftwareUni.softwareName Like '%Carbon Black%' And
tblSoftwareUni.SoftwarePublisher Like '%VMware%' And
Cast(ParseName(tblSoftware.softwareVersion, 4) As bigint) = 8 And
Cast(ParseName(tblSoftware.softwareVersion, 3) As bigint) = 5 And
Cast(ParseName(tblSoftware.softwareVersion, 2) As bigint) > 7 Then
'Safe'
When tblSoftwareUni.softwareName Like '%Carbon Black%' And
tblSoftwareUni.SoftwarePublisher Like '%VMware%' And
Cast(ParseName(tblSoftware.softwareVersion, 4) As bigint) = 8 And
Cast(ParseName(tblSoftware.softwareVersion, 3) As bigint) = 5 And
Cast(ParseName(tblSoftware.softwareVersion, 2) As bigint) Between 0
And 7 Then 'Vulnerable'
When tblSoftwareUni.softwareName Like '%Carbon Black%' And
tblSoftwareUni.SoftwarePublisher Like '%VMware%' And
Cast(ParseName(tblSoftware.softwareVersion, 4) As bigint) = 8 And
Cast(ParseName(tblSoftware.softwareVersion, 3) As bigint) = 1 Then
'Vulnerable'
When tblSoftwareUni.softwareName Like '%Carbon Black%' And
tblSoftwareUni.SoftwarePublisher Like '%VMware%' And
Cast(ParseName(tblSoftware.softwareVersion, 4) As bigint) = 8 And
Cast(ParseName(tblSoftware.softwareVersion, 3) As bigint) = 0 Then
'Vulnerable'
When tblSoftwareUni.softwareName Like '%Carbon Black%' And
tblSoftwareUni.SoftwarePublisher Like '%VMware%' Then 'Safe'
End As [Carbon Black App Control (VMSA-2021-0012)]
From tblAssets
Inner Join tblSoftware On tblAssets.AssetID = tblSoftware.AssetID
Inner Join tblSoftwareUni On tblSoftwareUni.SoftID = tblSoftware.softID
Where tblSoftwareUni.softwareName Like '%Carbon Black%' And
tblSoftwareUni.SoftwarePublisher Like '%VMware%') As subquery1 On
subquery1.AssetID = tblAssets.AssetID
Left Join (Select Top 1000000 tblAssets.AssetID,
Case
When tblSoftwareUni.softwareName Like '%VMware Tools%' And
tblSoftwareUni.SoftwarePublisher Like '%VMware%' And
Cast(ParseName(tblSoftware.softwareVersion, 4) As bigint) > 11 Then
'Safe'
When tblSoftwareUni.softwareName Like '%VMware Tools%' And
tblSoftwareUni.SoftwarePublisher Like '%VMware%' And
Cast(ParseName(tblSoftware.softwareVersion, 4) As bigint) = 11 And
Cast(ParseName(tblSoftware.softwareVersion, 3) As bigint) > 2 Then
'Safe'
When tblSoftwareUni.softwareName Like '%VMware Tools%' And
tblSoftwareUni.SoftwarePublisher Like '%VMware%' And
Cast(ParseName(tblSoftware.softwareVersion, 4) As bigint) = 11 And
Cast(ParseName(tblSoftware.softwareVersion, 3) As bigint) = 2 And
Cast(ParseName(tblSoftware.softwareVersion, 2) As bigint) >= 6 Then
'Safe'
When tblSoftwareUni.softwareName Like '%VMware Tools%' And
tblSoftwareUni.SoftwarePublisher Like '%VMware%' Then 'Vulnerable'
End As [VMware Tools (VMSA-2021-0013)]
From tblAssets
Inner Join tblSoftware On tblAssets.AssetID = tblSoftware.AssetID
Inner Join tblSoftwareUni On tblSoftwareUni.SoftID = tblSoftware.softID
Where tblSoftwareUni.softwareName Like '%VMware Tools%' And
tblSoftwareUni.SoftwarePublisher Like '%VMware%') As subquery2 On
subquery2.AssetID = tblAssets.AssetID
Left Join (Select Top 1000000 tblAssets.AssetID,
Case
When tblSoftwareUni.softwareName Like '%Remote console%' And
tblSoftwareUni.SoftwarePublisher Like '%VMware%' And
Cast(ParseName(tblSoftware.softwareVersion, 3) As bigint) <> 12 Then
'Safe'
When tblSoftwareUni.softwareName Like '%Remote console%' And
tblSoftwareUni.SoftwarePublisher Like '%VMware%' And
Cast(ParseName(tblSoftware.softwareVersion, 3) As bigint) = 12 And
Cast(ParseName(tblSoftware.softwareVersion, 2) As bigint) > 0 Then
'Safe'
When tblSoftwareUni.softwareName Like '%Remote console%' And
tblSoftwareUni.SoftwarePublisher Like '%VMware%' And
Cast(ParseName(tblSoftware.softwareVersion, 3) As bigint) = 12 And
Cast(ParseName(tblSoftware.softwareVersion, 2) As bigint) = 0 And
Cast(ParseName(tblSoftware.softwareVersion, 1) As bigint) >= 1 Then
'Safe'
When tblSoftwareUni.softwareName Like '%Remote console%' And
tblSoftwareUni.SoftwarePublisher Like '%VMware%' Then 'Vulnerable'
End As [VMware Remote Console(VMSA-2021-0013)]
From tblAssets
Inner Join tblSoftware On tblAssets.AssetID = tblSoftware.AssetID
Inner Join tblSoftwareUni On tblSoftwareUni.SoftID = tblSoftware.softID
Where tblSoftwareUni.softwareName Like '%Remote console%' And
tblSoftwareUni.softwareName Not Like '%plug%' And
tblSoftwareUni.SoftwarePublisher Like '%VMware%') As subquery3 On
subquery3.AssetID = tblAssets.AssetID
Left Join (Select Top 1000000 tblAssets.AssetID,
Case
When tblSoftwareUni.softwareName Like '%App Volumes%' And
tblSoftwareUni.SoftwarePublisher Like '%VMware%' And
Cast(ParseName(tblSoftware.softwareVersion, 4) As bigint) > 4 Then
'Safe'
When tblSoftwareUni.softwareName Like '%App Volumes%' And
tblSoftwareUni.SoftwarePublisher Like '%VMware%' And
Cast(ParseName(tblSoftware.softwareVersion, 4) As bigint) = 4 And
Cast(ParseName(tblSoftware.softwareVersion, 3) As bigint) > 4 Then
'Safe'
When tblSoftwareUni.softwareName Like '%App Volumes%' And
tblSoftwareUni.SoftwarePublisher Like '%VMware%' And
Cast(ParseName(tblSoftware.softwareVersion, 4) As bigint) = 4 And
Cast(ParseName(tblSoftware.softwareVersion, 3) As bigint) = 4 And
Cast(ParseName(tblSoftware.softwareVersion, 2) As bigint) > 1 Then
'Safe'
When tblSoftwareUni.softwareName Like '%App Volumes%' And
tblSoftwareUni.SoftwarePublisher Like '%VMware%' And
Cast(ParseName(tblSoftware.softwareVersion, 4) As bigint) = 4 And
Cast(ParseName(tblSoftware.softwareVersion, 3) As bigint) = 4 And
Cast(ParseName(tblSoftware.softwareVersion, 2) As bigint) = 1 And
Cast(ParseName(tblSoftware.softwareVersion, 1) As bigint) >= 4 Then
'Safe'
When tblSoftwareUni.softwareName Like '%App Volumes%' And
tblSoftwareUni.SoftwarePublisher Like '%VMware%' And
tblSoftware.softwareVersion Like '3%' Then 'Safe'
When tblSoftwareUni.softwareName Like '%App Volumes%' And
tblSoftwareUni.SoftwarePublisher Like '%VMware%' And
Cast(ParseName(tblSoftware.softwareVersion, 3) As bigint) = 2 Then
'Safe'
When tblSoftwareUni.softwareName Like '%App Volumes%' And
tblSoftwareUni.SoftwarePublisher Like '%VMware%' And
Cast(ParseName(tblSoftware.softwareVersion, 3) As bigint) = 2 And
Cast(ParseName(tblSoftware.softwareVersion, 2) As bigint) > 18 Then
'Safe'
When tblSoftwareUni.softwareName Like '%App Volumes%' And
tblSoftwareUni.SoftwarePublisher Like '%VMware%' And
Cast(ParseName(tblSoftware.softwareVersion, 3) As bigint) = 2 And
Cast(ParseName(tblSoftware.softwareVersion, 2) As bigint) = 18 And
Cast(ParseName(tblSoftware.softwareVersion, 1) As bigint) >= 10 Then
'Safe'
When tblSoftwareUni.softwareName Like '%App Volumes%' And
tblSoftwareUni.SoftwarePublisher Like '%VMware%' Then 'Vulnerable'
End As [App Volumes (VMSA-2021-0013)]
From tblAssets
Inner Join tblSoftware On tblAssets.AssetID = tblSoftware.AssetID
Inner Join tblSoftwareUni On tblSoftwareUni.SoftID = tblSoftware.softID
Where tblSoftwareUni.softwareName Like '%App Volumes%' And
tblSoftwareUni.SoftwarePublisher Like '%VMware%') As subquery4 On
subquery4.AssetID = tblAssets.AssetID
Where tsysAssetTypes.AssetTypename = 'Windows' And tblState.Statename = 'Active'
And (tblSoftwareUni.softwareName Like '%Carbon Black%' Or
tblSoftwareUni.softwareName Like '%VMware Tools%' Or
tblSoftwareUni.softwareName Like '%Remote console%' Or
tblSoftwareUni.softwareName Like '%App Volumes%') And
tblSoftwareUni.softwareName Not Like '%plug%' And
tblSoftwareUni.SoftwarePublisher Like '%VMware%'

Audit and Take Action in 3 Easy Steps

1. Download & Install Lansweeper

3. Run the Audit & Take Action

Download Lansweeper to Run this Audit