In light of the many serious vulnerabilities in vSphere ESXi that revolve around the USB controller, here is a script that lists the virtual machines that have a USB controller attached.
Requirements:
You need to have the VMware.PowerCLI module installed. This can be done with the commands:
Install-Module VMware.PowerCLI
Import-Module VMware.PowerCLI
You also need to be connected to vCenter. This can be accomplished with the following command:
Connect-VIServer <vCenter FQDN>
Function Get-USBEnabledVMs {
    <#
    .SYNOPSIS
        Find VMs that have USB enabled
    .DESCRIPTION
        Returns the VMs that have USB enabled.
        https://www.vmware.com/security/advisories/VMSA-2018-0025.html
        https://www.vmware.com/security/advisories/VMSA-2019-0005.html
        https://www.vmware.com/security/advisories/VMSA-2020-0026.html
        https://www.vmware.com/security/advisories/VMSA-2024-0006.html
    .NOTES
        Author: Brian F. Knutsson CRIT Solutions
    .EXAMPLE
        PS> Get-USBEnabledVMs
    #>
    # Find VMs with USB Controller enabled.
    # Only the name and the virtual hardware list are fetched, to keep the query light.
    $vms = Get-View -ViewType VirtualMachine -Property Name,Config.Hardware.Device
    $deviceList = @()
    ForEach ($vm in $vms) {
        try {
            foreach ($device in $vm.Config.Hardware.Device) {
                $devType = $device.GetType()
                # VirtualUSBController is the USB 1.x/2.0 controller, VirtualUSBXHCIController the xHCI (USB 3.x) one
                if ($devType.Name -match "VirtualUSBController" -Or $devType.Name -match "VirtualUSBXHCIController") {
                    $devObject = $device | Select-Object -property @{N="vCenter";E={$vm.Client.ServiceUrl.Split("/")[2]}},@{N="VM";E={$vm.Name}},@{N="Controller";E={$_.DeviceInfo.Label.Trim()}} -ErrorAction:Stop
                    $deviceList += $devObject
                }
            }
        }
        # A VM whose devices cannot be read is skipped without a message
        catch { continue }
    }
    $deviceList | Sort-Object -Property vCenter,VM
}
# To Execute
Get-USBEnabledVMs
As always, use at your own risk.
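The script above reports only the controller label. The following added example, which is not the author's code, also reports the controller generation and how many USB devices are attached to each controller, which helps prioritise which VMs to review first. `Get-USBControllerDetail` is a hypothetical name; the stand-in classes and the sample VM are constructed so the logic runs without vCenter, and matching USB devices to a controller through `ControllerKey` is an assumption about how the device list is linked.

```powershell
# Added example. Stand-in classes (constructed) mirror the VMware.Vim type names
# so the classification can be exercised without a vCenter connection.
class VirtualUSBController     { [int]$Key; [bool]$EhciEnabled }
class VirtualUSBXHCIController { [int]$Key }
class VirtualUSB               { [int]$ControllerKey }

function Get-USBControllerDetail {
    param([Parameter(ValueFromPipeline)]$VM)
    process {
        $devices = $VM.Config.Hardware.Device
        foreach ($d in $devices) {
            # Map the device type (and the EHCI flag) to a USB generation
            $generation = switch ($d.GetType().Name) {
                'VirtualUSBXHCIController' { 'xHCI (USB 3.x)' }
                'VirtualUSBController'     {
                    if ($d.EhciEnabled) { 'EHCI+UHCI (USB 2.0)' } else { 'UHCI (USB 1.1)' }
                }
                default { $null }
            }
            if (-not $generation) { continue }   # not a USB controller

            # Count USB devices that hang off this controller (assumed link: ControllerKey)
            $attached = @($devices | Where-Object {
                $_.GetType().Name -eq 'VirtualUSB' -and $_.ControllerKey -eq $d.Key
            }).Count

            [pscustomobject]@{
                VM                 = $VM.Name
                Controller         = $generation
                AttachedUsbDevices = $attached
            }
        }
    }
}

# Constructed sample VM: one USB 2.0 controller, one xHCI controller with a device attached
$sampleVm = [pscustomobject]@{
    Name   = 'vm-constructed-01'
    Config = [pscustomobject]@{ Hardware = [pscustomobject]@{ Device = @(
        [VirtualUSBController]@{ Key = 7000; EhciEnabled = $true },
        [VirtualUSBXHCIController]@{ Key = 14000 },
        [VirtualUSB]@{ ControllerKey = 14000 }
    ) } }
}
$sampleVm | Get-USBControllerDetail | Sort-Object VM, Controller
```

Against a live vCenter, pipe the same view objects the script uses: `Get-View -ViewType VirtualMachine -Property Name,Config.Hardware.Device | Get-USBControllerDetail`.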
Is there a way to tell the exact controller it is using? (USB3.x vs USB2.x vs USB1.x)
Question: this reports USB 2 and USB 3; does the security affect USB 2.0?
Hello,
Specific to VMSA-2020-0026 this script would return the wrong output as the ‘USB xHCI Controller’ is a different type of device and would not get returned by the script above.
The correct code to retrieve the xHCI controllers would be:
$VM.Config.Hardware.Device | Where-Object { $_.DeviceInfo.Where({$_.Label -match "USB xHCI controller"}) } | Select-Object -property @{N="VM";E={$VM.Name}},@{N="Controller";E={$_.DeviceInfo.Label}} -ErrorAction:Stop
Regards.
Thanks for sharing Brian!