Validating compliance of VMSA-2018-0002 and BIOS update

UPDATE: Please see validating compliance of VMSA-2018-0004 (Spectre) on ESXi and VM

VMware has published VMSA-2018-0002, which addresses the Spectre speculative-execution vulnerabilities (CVE-2017-5753 and CVE-2017-5715) and lists the patch that must be installed for each affected ESXi version.

The ESXi patch alone is not enough: the mitigation also depends on updated CPU microcode, which the server vendors ship as a BIOS update. In a large VMware environment it is hard to keep track of which hosts have been patched, and harder still to remember whether each host's BIOS has been updated.

For this reason, I have added a new script to vDocumentation that will check compliance against VMSA-2018-0002 and the required BIOS update.

Version 2.3.0 adds a cmdlet, Get-ESXSpeculativeExecution, that aids in validating your environment. If you are new to vDocumentation, see the GitHub project page for how to install it from the PowerShell Gallery: https://github.com/arielsanchezmora/vDocumentation

Running Get-ESXSpeculativeExecution

Run "Get-Help Get-ESXSpeculativeExecution -Full" to see all parameters and switches; the most frequently used are:

  • The cmdlet validates ESXi versions 5.5, 6.0 and 6.5
  • -PatchCompliance validates the ESXi patch only
  • -BIOSCompliance validates the BIOS only
  • Specifying neither switch validates both
  • -esxi validates a single host
  • -cluster validates a cluster
  • -datacenter validates a datacenter
  • No scope parameter runs against the entire vCenter
  • -exportExcel exports the results to Excel

Examples:

If we run "Get-ESXSpeculativeExecution -esxi labesx001.local", this is the output:

[Screenshot SXSpeculativeExecution001: cmdlet output for labesx001.local]

If we run "Get-ESXSpeculativeExecution -exportExcel", we generate an Excel workbook with two tabs, Patch_Compliance and BIOS_Compliance:

[Screenshot SXSpeculativeExecution002: exported workbook]

[Screenshot SXSpeculativeExecution003: exported workbook]

BIOS Version Check

The BIOS Compliance validation relies on accessing the BIOSUpdates.csv file, which is hosted on the project page: https://raw.githubusercontent.com/edmsanchez/vDocumentation/master/powershell/vDocumentation/BIOSUpdates.csv

If you don't have access to the Internet, download the CSV file and point the cmdlet at the local copy with the -inputfile parameter. The CSV file contains HP and Dell models, with the required BIOS versions taken from those vendors' official sources.

If you're running something other than HP or Dell, let me know via the #vdocumentation channel on the VMware {code} Slack, Twitter or the GitHub page, and we can add your model to the CSV file.

The SafeFromSpectre field on the BIOS_Compliance tab is True only when both checks pass, i.e. the ESXi patch is installed and the BIOS is at or above the required version (see below). That completes the host side of the mitigation; guest operating systems still need their own patches.

[Screenshot SXSpeculativeExecution004: BIOS_Compliance tab with the SafeFromSpectre column]
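As an added example (not vDocumentation's own code), the following offline model shows how the two checks described above, ESXi patch build and BIOS version, can be performed and how they combine into a SafeFromSpectre verdict. The CSV column names (Vendor, Model, MinimumBIOS), the host records and the build numbers are constructed assumptions; the real BIOSUpdates.csv layout comes from the project and the required builds from VMSA-2018-0002.

```powershell
# Added example for this post; not vDocumentation's own code.
# Models the two checks the cmdlet performs (ESXi patch build, BIOS version)
# and combines them the way SafeFromSpectre does: safe only when BOTH pass.
# Assumptions: the CSV column names, the host records and the required build
# numbers below are constructed placeholders, not data from the post.

# Constructed stand-in for a local copy of BIOSUpdates.csv (the -inputfile case).
$biosTable = @'
Vendor,Model,MinimumBIOS
HP,ProLiant DL380 Gen9,P89 v2.56 (01/22/2018)
Dell Inc.,PowerEdge R730,2.7.0
'@ | ConvertFrom-Csv

# Placeholder minimum patched build per ESXi version (NOT the real numbers;
# copy them from the advisory's patch table before using this for real).
$requiredBuild = @{ '5.5.0' = 1111111; '6.0.0' = 2222222; '6.5.0' = 3333333 }

# Constructed host records. In a PowerCLI session connected to vCenter the same
# fields come from the HostSystem view, e.g.
#   $v = Get-VMHost labesx001.local | Get-View -Property Name,Config,Hardware
#   $v.Config.Product.Version, $v.Config.Product.Build,
#   $v.Hardware.SystemInfo.Vendor, $v.Hardware.SystemInfo.Model,
#   $v.Hardware.BiosInfo.BiosVersion
$hosts = @(
    [pscustomobject]@{ Name='labesx001.local'; Version='6.5.0'; Build='3333333'; Vendor='HP';        Model='ProLiant DL380 Gen9'; BiosVersion='P89 v2.56 (01/22/2018)' }
    [pscustomobject]@{ Name='labesx002.local'; Version='6.5.0'; Build='3333333'; Vendor='HP';        Model='ProLiant DL380 Gen9'; BiosVersion='P89 v2.42 (04/25/2017)' }
    [pscustomobject]@{ Name='labesx003.local'; Version='6.0.0'; Build='1999999'; Vendor='Dell Inc.'; Model='PowerEdge R730';       BiosVersion='2.7.0' }
    [pscustomobject]@{ Name='labesx004.local'; Version='6.0.0'; Build='2222222'; Vendor='Dell Inc.'; Model='PowerEdge R630';       BiosVersion='2.6.1' }
)

# Vendors format BIOS strings differently ("P89 v2.56 (01/22/2018)" vs "2.7.0").
# Pull out the first dotted number and compare it as a [version], so that
# revision 2.56 ranks above 2.7, which a plain string compare gets wrong.
# Anything that does not parse is returned as $null: UNKNOWN, never compliant.
function Get-BiosVersionNumber {
    param([string]$BiosString)
    if ($BiosString -match '\d+(\.\d+)+') { return [version]$Matches[0] }
    return $null
}

function Test-HostCompliance {
    param($VMHost, $Table, $Required)

    # Patch check: build must be at or above the required build for that version.
    $needBuild = $Required[$VMHost.Version]
    $patched   = ($null -ne $needBuild) -and ([int]$VMHost.Build -ge $needBuild)

    # BIOS check: exact vendor/model match against the CSV, then version compare.
    $entry  = $Table | Where-Object { $_.Vendor -eq $VMHost.Vendor -and $_.Model -eq $VMHost.Model } | Select-Object -First 1
    $have   = if ($entry) { Get-BiosVersionNumber $VMHost.BiosVersion }
    $need   = if ($entry) { Get-BiosVersionNumber $entry.MinimumBIOS }
    $biosOk = if ($entry -and $have -and $need) { $have -ge $need } else { $null }

    if (-not $entry)           { $note = 'model not in CSV; add it or supply your own -inputfile' }
    elseif ($null -eq $biosOk) { $note = 'BIOS string could not be parsed' }
    else                       { $note = "BIOS $have, required $need" }

    [pscustomobject]@{
        Host            = $VMHost.Name
        PatchCompliant  = $patched
        BiosCompliant   = $biosOk                        # $true / $false / $null (unknown)
        SafeFromSpectre = ($patched -and ($biosOk -eq $true))
        Note            = $note
    }
}

$report = $hosts | ForEach-Object { Test-HostCompliance -VMHost $_ -Table $biosTable -Required $requiredBuild }
$report | Format-Table -AutoSize

# The list you actually have to act on: anything not proven safe.
$report | Where-Object { -not $_.SafeFromSpectre } | Select-Object Host, PatchCompliant, BiosCompliant, Note
```

With the constructed records only labesx001 comes out SafeFromSpectre: labesx002 fails the BIOS check, labesx003 fails the patch check, and labesx004 is reported as unknown because its model is missing from the CSV, which is exactly the case the post asks you to report so the file can be extended. Unknown is deliberately never counted as safe.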

Posted in PowerShell, vDocumentation
Edgar Sanchez