VMware recently published a local privilege escalation vulnerability affecting VMware Tools version 11.2.6 and earlier. See VMware advisory VMSA-2021-0013 (vmware.com).
The vulnerability has been fixed in VMware Tools version 11.3.
We needed to update VMware Tools manually, as the tools are not currently included in any of the standard baselines we apply to our ESXi hosts.
I decided to do a post on how to update VMware Tools using a Lifecycle Manager baseline, as the workflow is a little different from VMware Update Manager.
First, open Lifecycle Manager: in the vSphere web client go to Menu > Lifecycle Manager.
In Lifecycle Manager the tools should already be synced from the depot; previously, in VMware Update Manager, the tools had to be uploaded manually.
The quickest way I find to check the latest tools that have been synced is to click Image Depot and select Components.
We could also check under Updates and turn off Show only rollup updates. (If the tools update required a reboot it would show under Impact.)
Next we will create a baseline to apply the latest tools.
Go to baselines and select new baseline.
Give the baseline a name and select Patch.
Untick Automatically update this baseline.
Untick Show only rollup updates and filter for VMware Tools. There will probably be a different VMware Tools update for ESXi 6.x and 7.x, so check which one matches your hosts before adding it to the baseline.
Click next and complete the baseline creation.
We can check the current tools status by going to the ESXi host > Updates > VMware Tools and clicking Check Status.
Once the baseline is attached we can run the check again, and the tools should show as out of date.
The baseline can be attached either directly to an ESXi host or to the cluster. We will attach it to the cluster, as this saves having to attach it to each host individually.
Go to the cluster > Updates > Attach and select Attach Baseline.
Select the VMware Tools baseline and attach it.
Next, run a compliance check against the ESXi hosts.
Check the baseline status.
Next we will remediate against the baseline to apply the latest tools.
If there are no issues with the pre-check, click Remediate.
Once the remediation is done the hosts should show as compliant with the baseline.
Once applied, the VMs should pick up that a newer tools version is available.
The tools can then be upgraded in each VM either by script, automatically on reboot (upgrade at power cycle), or manually.
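The same host-side baseline workflow and the VM-side rollout can be scripted with PowerCLI. The script below is an added example and not part of the original post; it assumes the VMware.VimAutomation.Core and VMware.VumAutomation modules are installed, and the vCenter name, cluster name, baseline name and patch vendor ID are placeholders to replace with your own. It also assumes the synced tools patch has "tools" in its name, which is how the update appears in the patch list once rollup filtering is off.

```powershell
# Added example (not from the original post). Placeholders marked "assumption".
Import-Module VMware.VimAutomation.Core, VMware.VumAutomation
Connect-VIServer -Server 'vcenter.example.local'      # assumption: your vCenter

$clusterName  = 'Prod-Cluster'                        # assumption
$baselineName = 'VMware Tools 11.3 (VMSA-2021-0013)'  # assumption
$toolsPatchId = 'REPLACE-WITH-IdByVendor'             # assumption: chosen from the list below
$minVersion   = [version]'11.3.0'                     # fixed version per VMSA-2021-0013

$cluster = Get-Cluster -Name $clusterName

# 1. List the synced tools patches. ESXi 6.x and 7.x ship different tools
#    updates, so pick the IdByVendor explicitly rather than taking the newest.
$candidates = Get-Patch -SearchPhrase 'tools' | Where-Object { $_.Name -like '*tools*' }
$candidates | Select-Object Name, IdByVendor, ReleaseDate, Product | Format-Table -AutoSize
$toolsPatch = $candidates | Where-Object { $_.IdByVendor -eq $toolsPatchId }
if (-not $toolsPatch) { throw "Patch $toolsPatchId not found in the depot; sync first." }

# 2. Create a static (not auto-updating) patch baseline, equivalent to
#    unticking "Automatically update this baseline" in the UI.
$baseline = Get-Baseline -Name $baselineName -ErrorAction SilentlyContinue
if (-not $baseline) {
    $baseline = New-PatchBaseline -Name $baselineName -Static -TargetType Host `
        -IncludePatch $toolsPatch -Description 'VMware Tools >= 11.3 for VMSA-2021-0013'
}

# 3. Attach at cluster level, scan, and show per-host status.
Attach-Baseline -Entity $cluster -Baseline $baseline
Test-Compliance -Entity $cluster
Get-Compliance -Entity $cluster -Baseline $baseline -Detailed |
    Select-Object Entity, Status | Format-Table -AutoSize

# 4. Remediate only the hosts that are not compliant with this baseline.
$notCompliant = Get-Compliance -Entity $cluster -Baseline $baseline |
    Where-Object { $_.Status -ne 'Compliant' } | ForEach-Object { $_.Entity }
if ($notCompliant) {
    Update-Entity -Entity $notCompliant -Baseline $baseline -Confirm:$false
}

# 5. VM side: report tools version/status and flag VMs still below 11.3.
$vms = Get-VM -Location $cluster | Where-Object { $_.PowerState -eq 'PoweredOn' }
$vms | Select-Object Name,
    @{N='ToolsVersion';  E={ $_.Guest.ToolsVersion }},
    @{N='ToolsStatus';   E={ $_.ExtensionData.Guest.ToolsVersionStatus2 }},
    @{N='UpgradePolicy'; E={ $_.ExtensionData.Config.Tools.ToolsUpgradePolicy }} |
    Sort-Object ToolsVersion | Format-Table -AutoSize

foreach ($vm in $vms) {
    $ver = $vm.Guest.ToolsVersion -as [version]
    # VMs with no tools or an unparsable version are skipped rather than guessed.
    if ($ver -and $ver -lt $minVersion) {
        # Upgrade on next power cycle, the "updated on reboot" option in the UI.
        $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
        $spec.Tools = New-Object VMware.Vim.ToolsConfigInfo
        $spec.Tools.ToolsUpgradePolicy = 'upgradeAtPowerCycle'
        $vm.ExtensionData.ReconfigVM($spec)
        # To push the upgrade now instead (suppresses the guest reboot):
        # Update-Tools -VM $vm -NoReboot
    }
}

Disconnect-VIServer -Confirm:$false
```

Two caveats when reading the VM report: the host remediation only makes the new tools ISO available, so a VM stays at its old version (and still exposed) until the guest actually upgrades, which is why the script sets upgradeAtPowerCycle or calls Update-Tools. Guests running open-vm-tools show ToolsStatus as guestToolsUnmanaged; those are not upgraded by vSphere at all and have to be patched through the distribution's package manager, so do not treat them as done because the host is compliant.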