VMware Tools v 11.3 fixes a Denial of Service vulnerability (VMSA-2021-0011, CVE-2021-21997, CVSv3 3.3)

This week, VMware introduced a new version of its VMware Tools. The reason for this release is a Denial of Service (DoS) vulnerability.

About VMware Tools

VMware Tools is a set of services and modules that enable several features in VMware products for better management of, and seamless user interactions with, guest Operating Systems.

Although the guest operating system can run without VMware Tools, many VMware features are not available until you install VMware Tools. For example, if you do not have VMware Tools installed in your virtual machine, you cannot use the shutdown or restart options from the toolbar. You can only use the power options. VMware Tools manage time synchronization on VMware vSphere and may offer quiescence for backups.

About the vulnerability

A Denial of Service (DoS) vulnerability in VMware Tools for Windows in the VM3DMP driver was privately reported to VMware. This vulnerability is known as CVE-2021-21997. An attacker with local user privileges in the Windows guest Operating System on which VMware Tools is installed, can trigger a PANIC in the VM3DMP driver, leading to a Denial of Service condition in the Windows guest operating system.

Upgrading VMware Tools

To remediate CVE-2021-21997 install VMware Tools version 11.3.0, or a later version of the VMware Tools.

According to its release notes, version 11.3.0 incorporates several other new features:

  • When GlobalConf feature related settings are modified in the VMware Tools Configuration file (tools.conf), the VMware Tools System service (vmsvc) no longer needs to restart.
  • A new command line option /pv is added in the VMware Tools setup.exe to show the package versions that it will install.
  • When a VMware Tools component is installed or upgraded, a notification is displayed to the user to restart the system. The admin can enable or disable this notification display in the Window's VM's system settings.
  • The VMCI driver is installed by default as part of VMware Tools installation. If an admin had disabled the VMCI driver in the setup settings during a previous installation, VMware Tools automatically re-installs the VMCI driver during the upgrade.

Download the latest version of the VMware Tools.

Follow these steps to upgrade VMware Tools on Windows Server-based guest Operating Systems in your vSphere environment:

  • Sign in to vCenter Server.
  • In the Inventory > Hosts and Clusters view, select the host, cluster, or datacenter and click the Virtual Machines tab.
  • Select the Windows Server-based virtual machines you want to upgrade VMware Tools on. Use Ctrl or Shift to select multiple virtual machines.
  • Right-click the selected virtual machine(s) and select Guest from the context menu. Then, click Install/Upgrade VMware Tools.
  • Complete the wizard.

Alternatively, you can use vSphere Update Manager to apply a baseline with the latest VMware Tools version.

Concluding

While the Denial of Service vulnerability in VMware Tools has a low CVS v3 score of 3.3, it is apparent to upgrade VMware Tools on all Windows and Windows Server installations that are essential to the organization. This includes (read-only) Domain Controllers and Remote Desktop servers.

Further reading

KnowledgeBase: VMware Tools Quiescence corrupts Active Directory backups 
VMware vSphere 7.0 Update 1 introduces an interface for advanced time configuration 
Managing Active Directory Time Synchronization on VMware vSphere 
Installing and upgrading VMware Tools in vSphere (2004754)

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.