There was a recent VMware local privilege escalation vulnerability in VMware Tools version 11.2.6 and below. See VMware advisory VMSA-2021-0013 (vmware.com).
The vulnerability has been fixed in VMware Tools version 11.3.
VMware Tools 11.3.0 Release Notes
We needed to update the version of VMware Tools manually, as the tools are not currently included in any of the standard baselines we apply to our ESXi hosts.
I decided to do a post on how to update VMware Tools using a VMware Lifecycle Manager baseline, as it's a little different from VMware Update Manager.
First we need to go to Lifecycle Manager: open the vSphere web console > Menu > Lifecycle Manager.

In Lifecycle Manager the tools are synced automatically, whereas in VMware Update Manager they had to be uploaded manually.
The quickest way I find to check the latest tools that have been synced is by clicking on Image Depot and selecting Components.

We could also check under Updates and turn off "Show only rollup updates". (If the tools required a reboot it would show under Impact.)

Next we will create a baseline to apply the latest tools.
Go to baselines and select new baseline.

Give the baseline a name and select Patch.

Untick "Automatically update this baseline".

Untick "Show only rollup updates" and filter for VMware Tools. There will probably be different VMware Tools packages for ESXi 6.x and 7.x hosts, so check before adding to the baseline.

Click next and complete the baseline creation.

We can check the current Tools status by going to the ESXi host > Updates > VMware Tools and clicking Check Status.

We can now apply the baseline and run the check again, and it should show as out of date.
The baseline can be attached either directly to an ESXi host or to the cluster. We will be attaching it to the cluster, as that saves having to apply it to each host individually.
Go to the cluster > Updates > Attach and select Attach Baseline.

Select the VMware tools baseline and attach.

Next run a compliance check on the ESXi host.

Check the baseline status.

Next we will remediate the baseline to apply the latest tools.

If there are no issues with the pre-check, click Remediate.

Once the remediation is done, the tools should show as compliant.

Once applied, the VM should now pick up that there is a new Tools version available.

The new Tools can then be applied to the VM either using a script, on reboot, or manually.
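As an added example (not part of the original post), the following PowerCLI snippet covers the scripted option: it reports which VMs in a cluster still see an older Tools version after the host baseline has been remediated, and sets those VMs to take the new Tools at their next power cycle rather than forcing an immediate upgrade. It assumes PowerCLI is installed and you have already connected with Connect-VIServer; the cluster name 'Prod' is a placeholder.

```powershell
# Added example, not from the original post. Assumes PowerCLI is loaded and
# Connect-VIServer -Server <vcenter> has already been run (placeholder name).

function Get-ToolsUpgradeReport {
    param(
        [Parameter(Mandatory)][string]$Cluster
    )
    # ToolsVersionStatus2 comes from the vSphere API (VirtualMachine.guest) and
    # takes values such as guestToolsCurrent, guestToolsNeedUpgrade,
    # guestToolsNotInstalled. ToolsUpgradePolicy is "manual" or
    # "upgradeAtPowerCycle".
    Get-Cluster -Name $Cluster | Get-VM | ForEach-Object {
        [pscustomobject]@{
            Name          = $_.Name
            PowerState    = $_.PowerState
            ToolsVersion  = $_.ExtensionData.Guest.ToolsVersion
            ToolsStatus   = $_.ExtensionData.Guest.ToolsVersionStatus2
            UpgradePolicy = $_.ExtensionData.Config.Tools.ToolsUpgradePolicy
        }
    }
}

function Set-ToolsUpgradeAtPowerCycle {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$VM
    )
    process {
        # Reconfigure the VM through the API so Tools is upgraded automatically
        # the next time the guest is power-cycled (no forced reboot now).
        $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
        $spec.Tools = New-Object VMware.Vim.ToolsConfigInfo
        $spec.Tools.ToolsUpgradePolicy = 'upgradeAtPowerCycle'
        $VM.ExtensionData.ReconfigVM($spec)
    }
}

# 1. Report Tools status for every VM in the cluster ('Prod' is a placeholder).
$report = Get-ToolsUpgradeReport -Cluster 'Prod'
$report | Format-Table -AutoSize

# 2. VMs that can see the new Tools but have not taken it yet: schedule the
#    upgrade for the next power cycle. To push it immediately instead, use
#    Update-Tools -VM <vm> -NoReboot on each of them.
$report |
    Where-Object { $_.ToolsStatus -eq 'guestToolsNeedUpgrade' } |
    ForEach-Object { Get-VM -Name $_.Name | Set-ToolsUpgradeAtPowerCycle }
```

Re-running Get-ToolsUpgradeReport after the VMs have been rebooted confirms that ToolsStatus has moved to guestToolsCurrent.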
Great article, clears up a very confusing subject.
Thanks for this. Very well done.
Very great, simple and useful!
Thanks for the great and straightforward article, this worked perfectly in our environment for the latest critical tools update!
Thanks for the post, very well done. Have you ever seen the hosts get remediated but the VMs not see the new Tools version? I’ve just created, attached, and remediated a baseline for Tools 12.1.0 however my VMs are still showing current on an 11.3 version. Thanks!
Hi
No, I haven't seen any issues with VMs not showing the updated version as available.
The baseline remediation didn't require a reboot, and only one of my three hosts picked up the new version of Tools right away. Even after sitting overnight, the other two hosts didn't reflect it. I rebooted both this morning and all three are now offering it. When in doubt, reboot!
SSH to each host and run these two commands:
# rm -rf /tools/*
# cp -r /locker/packages/vmtoolsRepo/* /tools/
The host will show the latest version of Tools.