Information Technology - Jesse Boyce

PowerShell Quality of Life Improvements – Code Signing

13/03/2022 by user

PowerShell uses Execution Policies to control whether a script can be run or not. Some of these policies rely on scripts being digitally signed by a trusted publisher. By signing your scripts, you can look at implementing a more restrictive Execution Policy that increases security. The first step in this process is getting a certificate.

Code Signing Certificate

To sign your scripts, you need a special type of certificate, one for code signing. If your scripts will be for internal use only and your organisation has an internal PKI, then using a code signing certificate from that PKI will be enough. If you are writing scripts or modules for consumption by a broader audience, then you’ll need a code signing certificate from a 3rd party Certificate Authority.

VMSA-2022-0007 – VMware Tools vulnerability

09/03/2022 by user

VMware have published a new security advisory relating to VMware Tools for Windows. It affects v10 and 11 of the Tools. The vulnerability allows a user with local admin rights in the guest OS to acquire system privileges.

The version with the fix for this vulnerability is 12.0.0. While this is a major version jump, from the release notes there doesn’t appear to be any major breaking changes. It still supports Windows as far back as 7 SP1/2008 R2 SP1.

PowerShell Quality of Life Improvements – Code Testing

06/03/2022 by user

PowerShell has been around for 15 years now. One of the changes that has happened in the IT industry in that time is the rise of DevOps, and the associated tools and technology with it. If we consider the process of creating and consuming PowerShell scripts, it can be applied to the major stages of software development – test, build, release. By using the methods associated with this, we can look at improving the quality of PowerShell code we deliver.

Why Do Code Testing?

Code testing can cover a broad spectrum of activities. At the most basic end is syntax checking or a “linter” to perform static code checking. At the complex end, there’s things like unit tests. For the sake of this example, I’ll be using a “linter”, the PS Script Analyzer. By using such a tool on our code, we can establish whether it meets minimum quality requirements. PS Script Analyzer comes with an array of built-in rules and can be extended with your own rules.

Creating The Code Test Pipeline

The first step is to create a pipeline that will perform the code testing activities. In my case, I’m using Azure DevOps, but a similar approach can be used with Github. The pipeline itself is relatively simple, with two tasks. One will install the PS Script Analyzer module, as it’s not installed by default on Azure DevOps agents. The second task will execute the analysis process. The pipeline code is shown below:

vExpert 2022

28/02/2022 by user

VMware once again requested applicants for their vExpert program. I was forunate enough to be accepted again.

vRealize Automation 8.6.2

26/01/2022 by user

Normally I wouldn’t write about a minor release but in this case I think it’s worth mentioning. On 18th January, VMware released version 8.6.2 of vRealize Automation. The big item in this release is that log4j has been updated to resolve some of the vulnerabilities that have been discovered.

Log4J Updated to 2.17

Starting in December 2021, a number of vulernerabilities were discovered in the Log4J logging utility. Log4j is used in a lot of other products to allow easy logging functionality. The first vulnerability, dubbed “Log4Shell”, was given a CVSS score of 10. The CVE ID assigned was CVE-2021-44228. As per the Release Notes, this is one of the CVEs that 8.6.2 resolves.

The second vulnerability mentioned in the Release Notes is CVE-2021-45046. Like the first vulnerability, it can also be exploited remotely and was considered quite severe. There have been two further vulnerabilities that have been discovered, however according to VMware, they can’t be exploited on their products.

Resouce Center

One key interface change is the Deployments tab is now called Resources. It seems the intent here is to create a consolidated view of all resources and integrate day 2 actions. There’s also the ability to quickly create a simple VM in this area, without the need for a Cloud Template. How useful that ends up being is up for debate.

Final Thoughts

As with a lot of the updates over 2021, this one adds a few nice improvements. The official fix for Log4j is reason enough to get on this version.

VMSA-2021-0020 – 19 vulnerabilities on vCenter

22/09/2021 by user

VMware published a new security advisory overnight (VMSA-2021-0020) and it’s a big one. In total, it lists 19 vulnerabilities affecting multiple versions of vCenter. The most serious of the vulnerabilities is the first one – CVE-2021-22005. This vulnerability allows an attacker to upload files to vCenter. This vulnerability could then be used as an avenue to execute code. It’s been giving a CVSS score of 9.8

The second most worrying item on the list (CVE-2021-21991) allows an attacker to escalate their priveleges to Administrator level in the vSphere web interface. This vulnerability has been scored at 8.8.

The resolution for all these vulnerabilities is to update vCenter to the appropriate version. The advistory lists these, and I’ve produced a condensed version below.

Product/Version	Update To	Notes
vCenter 7.0	7.0 U2d	The majority of issues are fixed by going to U2c. U2d resolves CVE-2021-22011 and CVE-2021-22018
vCenter 6.7	6.7 U3o	This version will resolve all the associated issues with 6.7
vCenter 6.5	6.5 U3q	This version will resolve all the associated issues with 6.5

Given the nature of some of these vulnerabilities, this would be one to get onto ASAP.

vRealize Automation 8.5 Released

22/08/2021 by user

A few days ago, VMware released an update for vRealize Automation (vRA). The list of improvements seems relatively minor this time, as detailed in the Release Notes. It seems the biggest change was mentioned in the blog announcement for this release, where vRA is moving to monthly releases. Since these updates are feature focused, that potentially means a more frequent update cycle for administrators. Hopefully this means the update process will become smoother going forward. From personal experience, it’s been a bit hit and miss.

vRealize Automation 8.4 Released

12/05/2021 by user

VMware have released another update to vRealize Automation (vRA) 8. Like 8.3, I had issues updating to this version using Lifecycle Manager. This is why I never got around to writing about the 8.3 release. I ended up doing a fresh installation of 8.4 to see what’s new and changed.

What’s New

Going through the Release Notes, it seems that this release is a set of incremental changes. There is a change to how the Access Token for the API functions, which could have an impact on those who are leveraging the REST API. As per the notes, there’s also been a lot of improvements to accessibility. It’s good to see VMware pushing ahead with this sort of initiative.

Remediating VMSA-2021-0002 – Potential Issues

10/03/2021 by user

In late February, VMware published their second security advisory for 2021. It contained contained three items:

CVE-2021-21972 – A remote code execution vulnerability in vCenter that has a CVSS score of 9.8
CVE-2021-21974 – A vulnerablity in OpenSLP, which is used in ESXi. This one has a CVSS score of 8.8
CVE-2021-21973 – Another vCenter vulnerability that was rated with a CVSS score of 5.3

Given the product versions affected, most organisations with relatively up to date virtualisation infrastructure would be at risk from these items. While testing and simulating the update process, I ran into some issues that might be worth publishing for a broader audience.

VMware Horizon 8/2012 – Install Walkthrough & First Impressions

15/01/2021 by user

This month VMware announced the latest release of their desktop virtualisation product, Horizon. It’s been a while since I’ve gotten really into this product so I decided to have a look at what’s changed.