I always enjoying learning new things, especially when it is outside of my immediate domain expertise and if I can thrown in some Automation to help solve a solution, it is a win for everyone. I bring this up because, yesterday I had noticed an interesting question from one of our field folks where their customer is looking to implement a process for applying ESXi security patches to help determine compliance timeline (e.g. when a specific security update will be applied to infrastructure).
To do this, the customer would like to use the Common Vulnerability Scoring System (CVSS) score which ranges from 0-10, 0 being low and 10 being high. The CVSS score is part of the Common Vulnerabilities and Exposures (CVE) which is also referenced for every ESXi security patch (bulletin) that is published by VMware. The question that came up was how easily it would be to determine the CVSS score for a given ESXi security patch. First, I will outline the "manual" process and once that is understood, I will demonstrate an automated solution which customers can take advantage of to easily retrieve this information for all ESXi security patches.
Step 1 - Identity the ESXi security patch (bulletin) you would like to look up. Lets take ESXi550-201404420-SG for example
Step 2 - For every ESXi security patch release, there is an associated top level VMware Knowledge Base (KB) article which you will either have or can search on kb.vmware.com. In our case, it is https://kb.vmware.com/s/article/2124727 and if you look at the top, there should be a "Related CVE numbers" that you can then make a note of which is CVE-2014-0160.
Step 3 - Once we have the the CVE number(s), as there maybe more than one, we can then retrieve more details about the CVE itself by going to the NIST's database. For example, you can find it at https://nvd.nist.gov/vuln/detail/CVE-2014-0160 and under the Impact section, we can see the CVSS score and severity/complexity of our CVE. In our case, it is 5.0 and Medium.
If you only need to do this for a couple of patches, it is probably not the end of the world but imagine if you needed to cross check multiple patches across different versions of ESXi, the process can be quite time consuming and potentially even error prone with any manual task.
Imagine if we could automate this process, not only automatically determining the CVSS score for a given ESXi security patch, but what if we could do this for all ESXi security patches for a given release? Well, that is exactly what I ended up building. A simple PowerShell script called ESXiSecurityPatchCVECVSSScore.ps1 which downloads and reads the metadata file that vSphere Update Manager (VUM) uses to determine if new ESXi patches are available. From that data, I can then extract the associated VMware KB URL which I then must scrape to retrieve the respective CVE numbers. Once I have the CVE data, NIST actually provides a nice API (http://cve.circl.lu/api/cve) for retrieving the CVE details which I can then use to finally retrieve the CVSS score and severity/complexity values.
The nice thing about this solution is that you can run this at any time to produce the output. The script will process all ESXi security patches from 5.1 to 6.7, but this can be configured within the script if you only want to see output for a specific ESXi release. Below is an example output using the default options which will retrieve metadata for ESXi security patches from 5.1 to 6.7.
I know the customer will be using the CVSS score to create VUM Baselines but you can imagine even this can be automated by using this data to automatically create a VUM baseline when new ESXi security patches are available and potentially even auto-remediate based on the CVSS score for example. Pretty neat if you ask me and before yesterday, I had no clue what a CVSS score was, so learned something new! Remember, before trying to automate anything, make sure you understand the manual process because Automation is merely the orchestration of the manual steps.