Yesterday, on 11/19/2020, VMware released a new Security Advisory with information on how to fix CVE-2020-4004 and CVE-2020-4005.
Along with it, VMware released a new set of patches. As usual, the general recommendation is to deploy these as soon as possible, as the CVE scores are 9.3 (CVE-2020-4004, VMware severity “critical”) and 8.8 (CVE-2020-4005, VMware severity “important”).
If patching is not an option right now, you can consider the workaround mentioned for the first CVE and remove the XHCI USB controller from the VMs for which it isn’t needed.
To check if your VMs are using this type of controller you can use the following PowerCLI script:
# List all VMs from the connected vCenter with a configured XHCI USB controller
# Useful for the workaround of VMSA 2020-0026 (https://www.vmware.com/security/advisories/VMSA-2020-0026.html)
# Usage: first connect to vCenter, then run the script
# Output: c:\tmp\xhci_Controller_present.csv (the c:\tmp folder must already exist)
Get-View -ViewType VirtualMachine -Property Name, Config.Hardware.Device -PipelineVariable vm |
    ForEach-Object -Process {
        # Keep only devices of the xHCI controller type
        $_.Config.Hardware.Device | where { $_ -is [VMware.Vim.VirtualUSBXHCIController] } |
            select @{Name='VM';Expression={ $vm.Name }}, @{Name='Controller';Expression={ $_.DeviceInfo.Label }}
    } | Export-Csv -Path c:\tmp\xhci_Controller_present.csv -Encoding ascii -NoTypeInformation
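To apply the workaround itself, the following added example (not part of the original script or of VMware's advisory) removes the xHCI controller from VMs where nothing is attached to it. It assumes an existing vCenter connection, assumes that attached USB devices reference the controller through their ControllerKey, and uses a hypothetical `$Apply` variable that defaults to a dry run.

```powershell
# Added example: remove unused xHCI controllers (workaround for CVE-2020-4004).
# Assumption: you are already connected with Connect-VIServer.
# $Apply is a hypothetical switch: $false only reports, $true reconfigures the VMs.
$Apply = $false

Get-View -ViewType VirtualMachine -Property Name, Config.Template, Config.Hardware.Device, Runtime.PowerState |
    Where-Object { -not $_.Config.Template } |      # templates cannot be reconfigured
    ForEach-Object {
        $vmView = $_
        $controllers = $vmView.Config.Hardware.Device |
            Where-Object { $_ -is [VMware.Vim.VirtualUSBXHCIController] }

        foreach ($ctrl in $controllers) {
            # Assumption: devices plugged into this controller carry its key in ControllerKey
            $attached = @($vmView.Config.Hardware.Device |
                Where-Object { $_.ControllerKey -eq $ctrl.Key })

            $action = if ($attached.Count -gt 0) {
                'skipped: devices attached'          # controller is in use, review manually
            } elseif (-not $Apply) {
                'would remove'                       # dry run
            } else {
                $devSpec = New-Object VMware.Vim.VirtualDeviceConfigSpec
                $devSpec.Operation = [VMware.Vim.VirtualDeviceConfigSpecOperation]::remove
                $devSpec.Device = $ctrl
                $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
                $spec.DeviceChange = @($devSpec)
                try { $vmView.ReconfigVM($spec); 'removed' }
                catch { "failed: $($_.Exception.Message)" }
            }

            [pscustomobject]@{
                VM              = $vmView.Name
                PowerState      = $vmView.Runtime.PowerState
                Controller      = $ctrl.DeviceInfo.Label
                AttachedDevices = $attached.Count
                Action          = $action
            }
        }
    }
```

Run it once with `$Apply = $false` and review the Action column before switching to `$true`; VMs reported as failed may need to be powered off before the controller can be removed.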
More information: