Remove USB Controller from the VMware Virtual Machine

VMware recently published an advisory covering multiple vulnerabilities in VMware ESXi, Workstation, and Fusion (CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, CVE-2024-22255) that were privately reported to VMware. Updates are available to remediate these vulnerabilities in the affected VMware products. The individual vulnerabilities documented in this VMSA for ESXi have severity Important, but combining these issues can result in Critical severity.

Known Attack Vectors

A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.

VMware also released a Response Matrix for these vulnerabilities, which includes the fixed versions and workarounds. It is always best to upgrade and patch our systems to fix any vulnerabilities. However, in some cases, applying a workaround also gives us an option to remediate the reported vulnerabilities.

Response Matrix

Steps to remove a USB controller from a VMware ESXi virtual machine

While the ESXi host supports hot-removal of a USB controller, the guest operating system of the virtual machine must also support hot-removal. If the guest operating system does not support hot removal of a USB controller, the VM will need to be powered off.


In addition, please ensure that the USB controller is not in use prior to removing it from the virtual machine. The vSphere UI (vCenter Server, ESXi Embedded Host Client) only allows for the configuration of virtual USB 2.0 or virtual USB 3.0 controllers in VMs.


When a virtual USB 2.0 controller is added to a VM in vSphere, both a virtual USB 1.1 AND a virtual USB 2.0 controller are added to the VM by default.
Removing the virtual USB 2.0 controller will also remove the virtual USB 1.1 controller from the VM.

Remove USB Controller from vSphere UI

1) Ensure that the USB controller is not in use.

2) Power off the virtual machine if required (there is no requirement to power off if the guest OS supports hot removal).

3) Right-click the virtual machine and click "Edit Settings".

4) Remove all USB controllers from the VM.

PowerCLI command to get the list of VMs with a USB controller attached

The PowerCLI command below lists all virtual machines that have a USB controller.
Any VM reported should be investigated to determine whether the controller can be safely removed.

Get-VM | ?{$_.ExtensionData.Config.Hardware.Device.DeviceInfo.Label -match "USB"}
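The one-liner above only tells you which VMs have a controller; before removal the prerequisite is that the controller is not in use. The following audit function is an added example (not from the original post or from VMware KB 87617) that, for each VM, reports the USB controllers present and whether any USB device is attached to them, together with the power and connection state, so the "not in use" check and the power-off decision can be made from one CSV. It assumes an existing Connect-VIServer session and the VMware.VimAutomation.Core module. It goes beyond the post's label match by identifying devices through the vSphere API device types VirtualUSBController (USB 1.1/2.0), VirtualUSBXHCIController (USB 3.x) and VirtualUSB (an attached USB device), matched by type name so the script parses even before the PowerCLI assemblies are loaded.

```powershell
# Added example: audit VMs for USB controllers and attached USB devices.
# Assumes an active Connect-VIServer session (not part of the original post).
Import-Module VMware.VimAutomation.Core -ErrorAction Stop

function Get-VMUsbControllerReport {
    [CmdletBinding()]
    param(
        # VMs to audit; defaults to every VM visible in the connected vCenter
        [Parameter(ValueFromPipeline = $true)]
        $VM = (Get-VM)
    )
    process {
        foreach ($v in $VM) {
            $devices = $v.ExtensionData.Config.Hardware.Device

            # USB controllers of both generations, selected by API device type
            # rather than by the DeviceInfo.Label text
            $controllers = @($devices | Where-Object {
                $_.GetType().Name -in @('VirtualUSBController', 'VirtualUSBXHCIController')
            })
            if ($controllers.Count -eq 0) { continue }

            # A USB device whose ControllerKey points at one of these controllers
            # means the controller is in use and must be detached before removal
            $controllerKeys = $controllers | ForEach-Object { $_.Key }
            $attached = @($devices | Where-Object {
                $_.GetType().Name -eq 'VirtualUSB' -and
                $controllerKeys -contains $_.ControllerKey
            })

            [PSCustomObject]@{
                VMName             = $v.Name
                PowerState         = $v.PowerState
                ConnectionState    = $v.ExtensionData.Runtime.ConnectionState
                ToolsStatus        = $v.ExtensionData.Guest.ToolsStatus
                Controllers        = ($controllers | ForEach-Object { $_.DeviceInfo.Label }) -join '; '
                AttachedUsbDevices = ($attached | ForEach-Object { $_.DeviceInfo.Label }) -join '; '
                InUse              = ($attached.Count -gt 0)
            }
        }
    }
}

# Usage: audit every VM and keep the result for review before any removal
Get-VMUsbControllerReport | Export-Csv -Path .\USB_Controller_Audit.csv -NoTypeInformation

# Usage: only the VMs named in vmname.txt (constructed input file), showing the
# ones whose controller is not in use and can be changed first
Get-VM (Get-Content .\vmname.txt) | Get-VMUsbControllerReport | Where-Object { -not $_.InUse }
```

The InUse column is the one to act on: a VM with an attached USB device needs that device removed (and its owner informed) before the controller is taken away, while a VM that is powered off or disconnected appears in the report but has nothing to hot-remove.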

PowerCLI Script to Remove USB Controller from the VM list

VMware KB 87617 provides a PowerCLI script to remove the USB controller from all VMs in a specific vCenter Server. You can use the script in that KB article when you want to remove the USB controller from every VM in that vCenter Server.

In most production environments, we will not be able to remove the USB controller from all VMs at the same time. We might have to go customer by customer, cluster by cluster, or only through a specific list of VMs provided by an input file. I have a use case to remove USB controllers only from VMs belonging to specific customers. In that case, I can put the VM list that belongs to a specific customer in a text file, so the script below only removes the USB controller from the VMs listed in that text file on the specified vCenter Server.

#Script To Remove USB controller from the Virtual Machines listed in vmname.txt
#

#Import PowerCLI modules (current module first, legacy snap-in as a fallback)
Import-Module VMware.VimAutomation.Core -ErrorAction SilentlyContinue
Add-PSSnapIn VMware* -ErrorAction SilentlyContinue
$ErrorActionPreference = "Stop"
$errresult = 0

#VC FQDN or IP Address variable
#$VCFQDN = "x.x.x.x"
$VCFQDN = Read-Host -Prompt "`nPlease enter vCenter Server IP or FQDN"

#Array to store results
$USBFinalCheck = @()

#Result file name
$FinalResultFilename = "C:\Temp\USB_Controller_Final_Result.csv"

#Read Credentials and Connect to vCenter Server
if (Test-Connection $VCFQDN -Count 1 -Quiet -ErrorAction SilentlyContinue)
{
    $VCCredentials = Get-Credential -Message "Please Enter User Name and Password which has Administrator permission on vCenter Server" -UserName Administrator@vsphere.local
    Connect-VIServer -Server $VCFQDN -Credential $VCCredentials | Out-Null
}
else
{
    Write-Host "VC FQDN or IP is Not Reachable, please retry with right entry"
    Exit
}

#Read the VM list (one VM name per line, same directory as the script) and keep only the VMs with a USB controller.
#A name that does not exist in vCenter is reported as an error but does not stop the script.
$VMlist = Get-Content "vmname.txt" | Where-Object { $_.Trim() -ne "" }
$VMs = Get-VM $VMlist -ErrorAction Continue | Where-Object { $_.ExtensionData.Config.Hardware.Device.DeviceInfo.Label -match "USB" }

#Identify the number of connected VMs with a USB controller
$ListofConnectedVMs = @($VMs | Where-Object { $_.ExtensionData.Runtime.ConnectionState -eq "connected" }).Count

#User confirmation to remove the USB controllers
$Confirmation = Read-Host -Prompt "`nScript will remove USB Controller from $ListofConnectedVMs VMs, please confirm with ('Y or Yes') to continue ?"

#-eq is case-insensitive in PowerShell, so y/Y/yes/Yes/YES are all accepted
if ($Confirmation -eq "y" -or $Confirmation -eq "yes")
{
    Write-Host "`nContinuing with the Script Execution as per user selection"
}
else
{
    Write-Host "`nTerminating the script based on user selection"
    Exit
}

#Now loop through that list and remove the controller(s) from each VM
foreach ($vmx in $VMs)
{
    if ($vmx.ExtensionData.Runtime.ConnectionState -eq "connected")
    {
        Write-Host "Found VM $vmx with USB Controller"

        $vmxv = $vmx | Get-View

        #Removing the USB 2.0 controller also removes the USB 1.1 controller, so every USB
        #device is put into one reconfigure spec and removed with a single ReconfigVM call.
        #One call per device would fail on a device that the previous call already removed.
        $vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
        $vmxv.Config.Hardware.Device | Where-Object { $_.DeviceInfo.Label -match "USB" } | ForEach-Object {
            $devSpec = New-Object VMware.Vim.VirtualDeviceConfigSpec
            $devSpec.Device = $_
            $devSpec.Operation = "remove"
            $vmConfigSpec.DeviceChange += $devSpec
        }

        Write-Host "Removing USB Device From $vmx`n"
        Try
        {
            $vmxv.ReconfigVM($vmConfigSpec)
        }
        Catch
        {
            Write-Host $_.Exception.Message
            $errresult = 1
            Write-Host "Error removing USB controller from $vmx`n*******************************`n"
        }

        If ($errresult -ne 1)
        {
            Write-Host "Removed USB controller from $vmx`n*******************************`n"
        }
        $errresult = 0
        Start-Sleep -Seconds 5
    }
}

Write-Host "`nVerifying the USB Controller Status on Virtual Machines"

#Verification of USB Controller post removal task
#(re-read the listed VMs so the device inventory is current; use plain Get-VM to audit the whole vCenter)
Start-Sleep -Seconds 10
$VMs = Get-VM $VMlist -ErrorAction Continue

foreach ($vmx in $VMs)
{
    if ($vmx.ExtensionData.Runtime.ConnectionState -eq "connected")
    {
        if ($vmx.ExtensionData.Config.Hardware.Device.DeviceInfo.Label -match "USB")
        {
            $USBStatus = "Virtual Machine Has a USB controller configured"
        }
        else
        {
            $USBStatus = "No USB Controller configured"
        }
    }
    else
    {
        $USBStatus = "Not Checked (VM Not in Connected State)"
    }

    $USBFinalCheck += [PSCustomObject]@{
        VMName                = $vmx.Name
        VMStatus              = $vmx.ExtensionData.Runtime.ConnectionState
        USB_Controller_Status = $USBStatus
    }
}

try
{
    $USBFinalCheck | Export-Csv $FinalResultFilename -NoTypeInformation -ErrorAction Stop
    Write-Host "`nPlease check the verification result of VMs with USB Controller - " $FinalResultFilename
}
catch
{
    #Fall back to the current directory if C:\Temp cannot be written
    $ResultFilename = "USB_Controller_Verification_Result" + (Get-Date).ToString("dd-MM-yyyy-hh-mm-ss") + ".csv"
    $USBFinalCheck | Export-Csv $ResultFilename -NoTypeInformation
    $result = Get-Item $ResultFilename
    Write-Host "`nPlease check the verification result of VMs with USB Controller - " $result.FullName
}

#Close the vCenter session
Disconnect-VIServer -Server $VCFQDN -Confirm:$false

How to Run the PowerCLI Script to Remove the USB Controller from the VM list?

1. Save the list of VMs in a text file named "vmname.txt" in the same directory as your PowerCLI script.

2. Save the PowerCLI script as "Remove_USBController_Vmlist.ps1" and run it.

3. It will ask you to enter the vCenter Server IP or FQDN address and then prompt you to confirm that the USB controllers may be removed.

4. It finds all listed virtual machines with a USB controller and attempts to remove the USB controller from those virtual machines.

5. It then reviews the environment and produces a CSV file detailing whether each virtual machine still has a USB controller or not.

I hope this is informative for you. This post covers the automation steps to remove the USB controller from a list of virtual machines. Thanks for reading. Be social and share it on social media if you feel it is worth sharing.