There was a recent VMware local privilege escalation vulnerability in VMware tools 11.2.6 and below. See VMware advisory VMSA-2021-0013 (vmware.com).
The vulnerability has been fixed in VMware tools version 11.3.
We needed to update the version of VMware tools manually, as the tools are not currently included in any of the standard baselines we apply to our hosts.
I decided to do a post on how to update the version of VMware tools using a VMware Lifecycle Manager baseline, as it is a little bit different from VMware Update Manager.
First we need to go to Lifecycle Manager: open the vSphere web console > Menu > Lifecycle Manager.
In Lifecycle Manager the tools should already be synced, whereas previously in VMware Update Manager the tools needed to be manually uploaded.
The quickest way I find to check that the latest tools have been synced is to click on image depot and select components.
We could also check under updates and turn off show only rollup updates. (If the tools required a reboot, it would show under impact.)
Next we will create a baseline to apply the latest tools.
Go to baselines and select new baseline.
Give the baseline a name and select patch.
Untick Automatically update this baseline.
Untick show only rollup updates and filter for VMware tools. There will probably be a different VMware tools for 6.x and 7.x, so check before adding to the baseline.
Click next and complete the baseline creation.
We can check the current tools status by going to the ESXi host > Updates > VMware tools and clicking check status.
We can now apply the baseline and run the check again and it should show as out of date.
The baseline can be applied either directly to the ESXi host or to the cluster. We will be applying it to the cluster, as it saves time having to apply it to each host individually.
Go to the cluster > Updates > attach and select attached baseline.
Select the VMware tools baseline and attach.
Next run a compliance check on the ESXi host.
Check the baseline status.
Next we will remediate the baseline to apply the latest tools.
If there are no issues with the pre-check, click remediate.
Once the remediation is done, the tools should show as compliant.
Once applied, the VM should now pick up that there is a new tools version available.
The tools can now be applied to the VM either using a script, update on reboot or manually.
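
For the script option, here is an added PowerCLI example (not part of the original post) that reports which VMs in the cluster still run tools below the fixed 11.3 version and can optionally start the in-guest upgrade. It assumes VMware PowerCLI is installed and `Connect-VIServer` has already been run; `Cluster01` and the `$applyUpdate` switch are placeholders.

```powershell
# Added example. Assumes VMware PowerCLI is loaded and Connect-VIServer has been run.
$fixedVersion = [version]'11.3.0'   # fixed tools version named in this post
$clusterName  = 'Cluster01'         # placeholder cluster name
$applyUpdate  = $false              # set to $true to start the in-guest upgrade

$report = foreach ($vm in (Get-Cluster -Name $clusterName | Get-VM)) {
    # Guest.ToolsVersion is empty when tools are missing or have never reported.
    $parsed = $null
    $known  = [version]::TryParse([string]$vm.Guest.ToolsVersion, [ref]$parsed)

    if (-not $known) {
        $state = 'Unknown'
    } elseif ($parsed -lt $fixedVersion) {
        $state = 'BelowFixed'
    } else {
        $state = 'OK'
    }

    [pscustomobject]@{
        Name         = $vm.Name
        PowerState   = $vm.PowerState
        ToolsVersion = [string]$vm.Guest.ToolsVersion
        # vCenter's own view of the tools version against the host's bundled version
        ToolsStatus  = $vm.ExtensionData.Guest.ToolsVersionStatus2
        ToolsRunning = $vm.ExtensionData.Guest.ToolsRunningStatus -eq 'guestToolsRunning'
        State        = $state
        VM           = $vm
    }
}

# VMs in the 'Unknown' state need a manual look: tools may not be installed at all.
$report | Sort-Object State, Name |
    Format-Table Name, PowerState, ToolsVersion, ToolsStatus, State -AutoSize

if ($applyUpdate) {
    # An in-guest upgrade only works while the existing tools are running.
    $targets = $report | Where-Object { $_.State -eq 'BelowFixed' -and $_.ToolsRunning }
    foreach ($t in $targets) {
        # -NoReboot (Windows guests only) asks the installer not to restart the guest.
        Update-Tools -VM $t.VM -NoReboot
    }
}
```

Run it once with `$applyUpdate = $false` to get the report, and again after the upgrade to confirm no VM is left in the `BelowFixed` state.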