Brian Knutsson in ScriptsSecurity

PowerCLI Script: Check if you have VMs with USB contollers

I light of many serious vulnerabilities in vSphere ESXi revolve around the USB controller, here is a script that will list the virtual machines that have an USB controller attached.

Requirements:

You need to have the VMware.PowerCLI module installed. This can be done with the commands:

Install-Module VMware.PowerCLI
Import-Module VMware.PowerCLI

You also need to be connected to vCenter. This can be accomplished with the following command:

Connect-VIServer <vCenter FQDN>

Function Get-USBEnabledVMs {
    <#  
    .SYNOPSIS Find VMs that have USB enabled
    .DESCRIPTION Returns the VMs that have USB enabled. https://www.vmware.com/security/advisories/VMSA-2018-0025.html
    https://www.vmware.com/security/advisories/VMSA-2019-0005.html
    https://www.vmware.com/security/advisories/VMSA-2020-0026.html
    https://www.vmware.com/security/advisories/VMSA-2024-0006.html
    .NOTES  Author:  Brian F. Knutsson CRIT Solutions
    .EXAMPLE
       PS> Get-USBEnabledVMs
      
      
    #>
    #Find VMs with USB Controller enabled
    $vms = Get-View -ViewType VirtualMachine -Property Name,Config.Hardware.Device
    $deviceList = @()

    ForEach ($vm in $vms) {
        try {
            foreach ($device in $VM.Config.Hardware.Device) {
                $devType = $device.GetType()
                if ($devType.Name -match "VirtualUSBController" -Or $devType.Name -match "VirtualUSBXHCIController") {
                    $devObject = $device | Select-Object -property @{N="vCenter";E={$VM.Client.ServiceUrl.Split("/")[2]}},@{N="VM";E={$VM.Name}},@{N="Controller";E={$_.DeviceInfo.Label.Trim()}} -ErrorAction:Stop
                    $deviceList += $devObject
                    $specDevice = $device
                }
            }
        }
        catch { continue }
    }
    $deviceList | Sort-Object -Property vCenter,VM
}

# To Execute
Get-USBEnabledVMs

As always, use at you own risk.

Next Read: PowerCli Script: Migrate host from missing dvSwitch to new dvSwitch with same Id's »

View Comments (4)

Jason Woody says:

2020-11-23 at 6:33 PM

Is there a way to tell the exact controller it is using? (USB3.x vs USB2.x vs USB1.x)
Corey says:

2020-11-24 at 7:38 PM

question this report usb 2 and usb 3 does the secruity effect usb 2.0?
Tim says:

2020-11-27 at 4:27 PM

Hello,

Specific to VMSA-2020-0026 this script would return the wrong output as the 'USB xHCI Controller' is a different type of device and would not get returned by the script above.

the correct code to retrieve the xHCI contollers would be:

$VM.Config.Hardware.Device | Where-Object { $_.DeviceInfo.Where({$_.Label -match "USB xHCI controller"}) } | Select-Object -property @{N="VM";E={$VM.Name}},@{N="Controller";E={$_.DeviceInfo.Label}} -ErrorAction:Stop

Regards.
Hernan says:

2022-02-21 at 2:00 PM

Thanks for sharing Brian!