I always enjoy learning new things, especially when they are outside of my immediate domain expertise, and if I can throw in some automation to help solve a problem, it is a win for everyone. I bring this up because yesterday I noticed an interesting question from one of our field folks: their customer is looking to implement a process for applying ESXi security patches that helps determine a compliance timeline (e.g. when a specific security update will be applied to the infrastructure).
To do this, the customer would like to use the Common Vulnerability Scoring System (CVSS) score, which ranges from 0 to 10, 0 being low and 10 being high. The CVSS score is part of the Common Vulnerabilities and Exposures (CVE) entry, which is also referenced for every ESXi security patch (bulletin) that is published by VMware. The question that came up was how easy it would be to determine the CVSS score for a given ESXi security patch. First, I will outline the "manual" process and, once that is understood, I will demonstrate an automated solution which customers can take advantage of to easily retrieve this information for all ESXi security patches.
Manual
Step 1 - Identify the ESXi security patch (bulletin) you would like to look up. Let's take ESXi550-201404420-SG for example.
Step 2 - For every ESXi security patch release, there is an associated top-level VMware Knowledge Base (KB) article, which you will either have or can search for on kb.vmware.com. In our case, it is https://kb.vmware.com/s/article/2124727, and if you look at the top, there should be a "Related CVE numbers" entry that you can make a note of, which is CVE-2014-0160.
Step 3 - Once we have the CVE number(s), as there may be more than one, we can retrieve more details about the CVE itself from NIST's database. For example, you can find it at https://nvd.nist.gov/vuln/detail/CVE-2014-0160, and under the Impact section we can see the CVSS score and severity/complexity of our CVE. In our case, it is 5.0 and Medium.
If you only need to do this for a couple of patches, it is probably not the end of the world, but imagine if you needed to cross-check multiple patches across different versions of ESXi: the process can be quite time consuming and, as with any manual task, potentially error prone.
Automated
Imagine if we could automate this process: not only automatically determining the CVSS score for a given ESXi security patch, but doing so for all ESXi security patches for a given release. Well, that is exactly what I ended up building: a simple PowerShell script called ESXiSecurityPatchCVECVSSScore.ps1 which downloads and reads the metadata file that vSphere Update Manager (VUM) uses to determine whether new ESXi patches are available. From that data, I extract the associated VMware KB URL, which I then have to scrape to retrieve the respective CVE numbers. Once I have the CVE data, NIST actually provides a nice API (http://cve.circl.lu/api/cve) for retrieving the CVE details, which I use to finally retrieve the CVSS score and severity/complexity values.
The nice thing about this solution is that you can run it at any time to produce the output. The script will process all ESXi security patches from 5.1 to 6.7, but this can be configured within the script if you only want to see output for a specific ESXi release. Below is an example output using the default options, which will retrieve metadata for ESXi security patches from 5.1 to 6.7.
I know the customer will be using the CVSS score to create VUM baselines, but you can imagine that even this could be automated: use this data to automatically create a VUM baseline when new ESXi security patches are available, and potentially even auto-remediate based on the CVSS score. Pretty neat if you ask me, and before yesterday I had no clue what a CVSS score was, so I learned something new! Remember, before trying to automate anything, make sure you understand the manual process, because automation is merely the orchestration of the manual steps.
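As an added example (not the ESXiSecurityPatchCVECVSSScore.ps1 script itself), the two middle steps of the pipeline above, extracting CVE ids from a KB page and classifying their CVSS score, run offline on constructed input. The function names are hypothetical, the "Related CVE numbers" line format and the "cvss" JSON field of the CIRCL endpoint are assumptions, and the second CVE id and both scores are constructed placeholders.

```powershell
# Added example, not William's script: CVE extraction and CVSS classification
# on constructed input. Assumed: the KB page text contains a "Related CVE
# numbers" line, and the CIRCL endpoint returns JSON with a "cvss" field.

# Older PowerShell negotiates TLS 1.0 by default; kb.vmware.com needs TLS 1.2
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function Get-CveIdsFromKbHtml {
    param([Parameter(Mandatory)][string]$Html)
    # CVE ids look like CVE-YYYY-NNNN (4 or more trailing digits); dedupe them
    [regex]::Matches($Html, 'CVE-\d{4}-\d{4,}') |
        ForEach-Object { $_.Value } | Sort-Object -Unique
}

function Get-CvssSeverity {
    param([Parameter(Mandatory)][double]$Score)
    # NVD CVSS v2 bands: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0
    if ($Score -ge 7.0) { 'High' } elseif ($Score -ge 4.0) { 'Medium' } else { 'Low' }
}

function Get-CveDetail {
    param([Parameter(Mandatory)][string]$CveId)
    # Live lookup against the API the post references (needs network access)
    Invoke-RestMethod -Uri "http://cve.circl.lu/api/cve/$CveId"
}

# Constructed stand-ins for a fetched KB page and the API replies, so the
# report below runs without network access. CVE-2099-0001 is a placeholder
# id and both scores are sample values, not real NVD data.
$sampleKbHtml = @'
<p>Related CVE numbers: CVE-2014-0160</p>
<p>Also see CVE-2014-0160 (repeated) and CVE-2099-0001.</p>
'@
$sampleApi = @{
    'CVE-2014-0160' = @{ cvss = 5.0 }
    'CVE-2099-0001' = @{ cvss = 7.5 }
}

$report = foreach ($cve in Get-CveIdsFromKbHtml -Html $sampleKbHtml) {
    $score = [double]$sampleApi[$cve].cvss   # live: (Get-CveDetail $cve).cvss
    [pscustomobject]@{
        Bulletin = 'ESXi550-201404420-SG'    # bulletin from the manual example
        CVE      = $cve
        CVSS     = $score
        Severity = Get-CvssSeverity -Score $score
    }
}
# Highest score first, so the patch inherits the worst CVE's severity
$report | Sort-Object CVSS -Descending | Format-Table -AutoSize
```

Replacing the $sampleApi lookup with Get-CveDetail turns this into a live run, which is where the TLS 1.2 setting at the top matters.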
Hey, this is awesome.
Quick question- is there something like this in vROps or a way to integrate this into vROps? Thinking about customers who rely heavily on vROps to provide health in their environment, would be a cool feature of a security dashboard or something, alerting on high CVSS scores, etc.
Thanks again!
If there's an API, there's a way to integrate (which hopefully this article has proven as such). Probably should ping Sunny (PM from vROps) to see if there's something that can be done as a native plugin using similar methodology
Thanks William for notifying me about this request. This is great work BTW.
In vROps we can leverage this work by pushing custom properties based on this analysis on ESXi hosts and use these custom properties to create reports, dashboards or even alerts which notify a user about the risk associated with being non-compliant with ESXi patches.
Here is a blog article which explains how the output of this script can be pushed into vROps - https://blogs.vmware.com/management/2017/06/how-to-programmatically-push-data-in-vrealize-operations-manager.html
This gives me some work on the weekend to consume this script and create a dashboard which reflects this data in vROps based on custom properties 🙂
From a vROps roadmap perspective Custom Properties has been in high demand and I will look to push it through to ensure we can do this without a bunch of scripting in vROps in the near future.
Thanks so much for this, great solution. I did have to do a little debugging. It seems that this line is missing from the script: $wc = New-Object System.Net.WebClient. I placed it just above the $wc.DownloadFile($metadataUrl,$metadataDownloadPath) line,
i.e.:
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($metadataUrl,$metadataDownloadPath)
There is also a typo in line 15, the 'i' is missing from $esxversion.xml. It should be:
$metadataFileExtractionPath = $pathToStoreMetdataFile + "\$esxiVersion.xml"
I am also not getting any data for versions 6.5 and 6.7
If you're not seeing anything, it simply means there are probably no security patches or, more likely for 6.5, there's no associated CVE attached to the KB
Hi William
Cool stuff, but I'm running into a problem I can't seem to get my head around. The invoke-webrequest command fails, when doing https request to (kb.)vmware.com.
PS > Invoke-WebRequest -Uri http://kb.vmware.com/articleview?docid=2041640 -UseBasicParsing
Invoke-WebRequest : The underlying connection was closed: An unexpected error occurred on a send.
At line:1 char:1
+ Invoke-WebRequest -Uri http://kb.vmware.com/articleview?docid=2041640 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
PS > Invoke-WebRequest -Uri http://vmware.com -UseBasicParsing
StatusCode : 200
PS > Invoke-WebRequest -Uri https://vmware.com -UseBasicParsing
Invoke-WebRequest : The underlying connection was closed: An unexpected error occurred on a send.
PS > Invoke-WebRequest -Uri google.com -UseBasicParsing
StatusCode : 200
At first I thought it might be a https issue, but as the first lines show I also tried http.
Well I'm guessing it's not a copy/paste issue either as I tried downloading it via powershell, with the same result.
PS > Invoke-WebRequest https://raw.githubusercontent.com/lamw/vghetto-scripts/master/powershell/ESXiSecurityPatchCVECVSSScore.ps1 -OutFile ESXiSecurityPatchCVECVSSScore.ps1
PS > .\ESXiSecurityPatchCVECVSSScore.ps1
Downloading ESXi Metadata Files ...
Processing ESXi Metadata Files ...
Extracting KB Information & CVE URLs for 5.1.0 ...
Invoke-WebRequest : The underlying connection was closed: An unexpected error occurred on a send.
At C:\Users\mir\ESXiSecurityPatchCVECVSSScore.ps1:33 char:24
+ ... $results = Invoke-WebRequest -Uri https://kb.vmware.com/articleview? ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
Also tested the script with another user on his pc with the same result 🙁 So not a powershell issue I guess
PS > $PSVersionTable
Name Value
---- -----
PSVersion 5.1.15063.1206
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.15063.1206
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
Any clue?
This no longer works
I think this might be due to the default timeout in PowerCLI (which I normally tweak from 300 to 600 seconds) for long running tasks. I just re-ran the script and it works fine for me
Try the following:
Get-PowerCLIConfiguration | select WebOperationTimeoutSeconds
If you're seeing 300, try setting it to 600 or something higher
Found the error. Tried to download from git and got a different error this time around.
PowerShell uses TLS 1.0 by default. vmware.com is TLS 1.2.
Could you add the below line to the script? That should fix it.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Once again thanks for the script
Is this script still working?