How to easily update your VMware Hypervisor from ESXi 6.5 to 6.5.0a Build 5224934 Advisory ID VMSA-2017-0006 - Critical Severity

Important Update - On Mar 20 2018, VMware VMSA-2018-0004.3 announced that CVE-2017-5715 (Spectre-2) mitigation is now included in the latest patch that you should be using instead of the older patch featured in the original article below. You'll find the newer article that features an even easier update method here:

• How to easily update your VMware Hypervisor from 6.x to 6.5 Update 1 Patch Release ESXi650-201803001 (ESXi Build 7967591) with Spectre mitigation

Article below as it originally appeared.

Let's keep this recent story in perspective, some excerpts below, but you should read the whole article:
The Security Landscape: Pwn2Own 2017

...two teams succeeded in demonstrating arbitrary host code execution on VMware Workstation. Today, VMware is releasing updated versions of VMware vSphere ESXi, VMware Fusion, and VMware Workstation to address these vulnerabilities. VMSA-2017-0006 contains details on impacted versions and the releases which contain fixes.
No active exploitation
VMware is not aware of any active exploitation of the vulnerabilities revealed in this competition. Though the vulnerabilities seem to apply to all VMware virtual platforms (ESXi, Fusion, and Workstation), demonstration exploit code appears to exist only for VMware Workstation for Windows.
...
VMware also recommends examining the vSphere Hardening Guide and
vSphere Security Guide. Among the recommendations in the guides is to remove unnecessary virtual hardware.
...
Customers should consider the need to update for a full mitigation, the absence of active exploitation, the pace at which updates can safely be deployed, and any other risk mitigations (like IDS applications) which may protect their environments. At this point VMware’s recommendation is that customers expedite updating, though need not take emergency measures like taking environments offline.

ESXi 6.5.0a, Build 5224934 released 2017-03-28

VMware Security Advisory

• VMSA-2017-0006 - VMware ESXi, Workstation and Fusion updates address critical and moderate security issues

  ESXi, Workstation, Fusion have a heap buffer overflow and uninitialized stack memory usage in SVGA. These issues may allow a guest to execute code on the host.

  VMware would like to thank ZDI and Team 360 Security from Qihoo for reporting these issues to us.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2017-4902 (heap issue) and CVE-2017-4903 (stack issue) to these issues.

• kb.vmware.com/kb/2149572 Patch Release ESXi650-201703002
• kb.vmware.com/kb/2149573 Patch ESXi650-201703410-SG: Updates esx-base, vsanhealth, vsan VIBs

ESXI 6.5.0a (most recent-release of ESXi in ISO format as of Mar 31 2017)

VMware Release Notes for ESXi 6.5.0a | 02 FEB 2017 | ISO Build 4887370

Warning:

1. vCenter/VCSA 6.x should be upgraded to 6.5.0a before upgrading your host(s) to ESXi 6.5.0a Build 5224934, see:
   How to easily update your VMware vCenter Server Appliance from VCSA 6.5 to 6.5.0a
   Feb 07 2017
2. I have only tested this method when upgrading from 6.5.0a Build 4887370 to Build 5224934, your experience from earlier 6.x versions may vary.
3. This is not official VMware documentation, it's merely a convenient upgrade technique that may help in lab tests, it's up to you to adhere to the backup-first advice detailed below.

Why esxcli?

If you're in production, beware, this just came out 3 days ago. This article is for the lab, where you may want to give this critical patch a try. All the background story on how this easy ESXCLI upgrade method came about was covered in my earlier articles about updating 6.0 U2 and 6.5.

Benefits

1. No new license needed to go from 6.0.x or 6.5.0a Build 4887370 l to 6.5.0a Build 5224934
2. Users of the free hypervisor and folks who can't download the GA Offline bundle now have a path forward as well, without needing to read TinkerTry's My VMware's "You either are not entitled or do not have permissions to download this product." error, and what to do about it.

Prerequisites

Once you've completed ALL of the following preparation steps:

1. upgraded to VCSA 6.5.0a
2. ensured your ESXi 6.5.x host has a working internet connection
3. reviewed the release notes
4. reviewed this VMSA-2017-0006 patch
5. reviewed How to easily update your VMware Hypervisor to ESXi 6.0 Update 2 for the full back story that includes some warnings about potential gotchas/driver issues
6. backed up the ESXi 6.5.x you've already got, using something like one of the home-lab-friendly techniques such as using USB Image Tools, as detailed by Florian Grehl here

you can now continue with this simple approach to upgrading your lab environment. Unsupported, at your own risk, see the full disclaimer at below left.

What's nice about this ESXCLI upgrade method is that its super simple and you don't have to worry about requesting a trial to be able to log into My VMware to download your ESXi 6.5.0a ISO:

Name: VMware-VMvisor-Installer-201701001-4887370.x86_64.iso
Release Date: 2017-02-02
Build Number: 4887370

Upgrade

Download and upgrade to 6.5.0a plus the VMSA-2017-0006 update using the patch directly from the VMware Online Depot

The entire process including reboot is usually well under 10 minutes. Triple-clicking on a line of code below highlights the whole thing, to right-click, copy into your clipboard:

1. Open an SSH session (eg. PuTTY) to your ESXi 6.0.x server
   (if you forgot to enable SSH, here's how)
2. Turn on maintenance mode, or ensure you've set your ESXi host to automatically gracefully shutdown all VMs upon host reboot, or shutdown all the VMs gracefully that you care about, including VCSA.
3. Firewall allow outbound http requests - Paste the one line below into into your SSH session, then press enter:

   esxcli network firewall ruleset set -e true -r httpClient

   More details about the firewall here.

4. Pull down ESXi Image Profile using https and run patch script - Paste the line below into into your SSH session, then hit enter and wait while nothing seems to happen, taking somewhere between roughly 3 to 10 minutes before the completion screen (sample below) appears:

   esxcli software profile install -p ESXi-6.5.0-20170304101-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml

   Wait time depending mostly on the the speed of the ESXi's connection to the internet, and a little on the speed of the storage media that ESXi is installed on.

5. Firewall disallow outbound http requests - Paste the line below into into your SSH session:

   esxcli network firewall ruleset set -e false -r httpClient

6. If you turned on maintenance mode earlier, remember to turn maintenance mode off.
7. If you normally leave SSH access off, go ahead and disable it now.
8. Type reboot and hit return (to restart your ESXi server), or use your favorite ESXi UI to restart the host.
9. After the reboot is done, it would be a good idea to test login using ESXi host client, pointing your browser to the IP or hostname of your just-graded server, to be sure everthing seems to be working right.

You're done!

Special thanks to VMware ESXi Patch Tracker by Andreas Peetz at the VMware Front Experience Blog. This upgrade test was performed on a TinkerTry'd VMware HCL system. Yes, on both the very popular 8 core and the rather special 12 core version of the beloved Supermicro SuperServer SYS-5028D-TN4T system.

That's it! When the reboot is complete, you'll see for yourself that you now have the latest ESXi, Build 5224529, as pictured above. Now you have more spare time to read more TinkerTry articles!

Potential gotchas

1. Depending upon your ESXi firewall configuration, if the above command results in a network related error such as:
   'NoneType' object has no attribute 'close'
   then you skipped the firewall configuration step above, try again!

2. Notice that the command recommended you use when clicking on the ESXi-6.5.0-20170304101-standard link at VMware ESXi Patch Tracker:

   esxcli software profile update -p ESXi-6.5.0-20170304101-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml

   doesn't work, says:
   Message: Host is not changed.
   but simply changing from update to install worked for me, but your results may vary. See also the interesting comment below.

   

Potential SATA and Realtek NIC gotcha

1. If you find some of your SATA/AHCI datastores disappear from view after this upgrade, worry not, the VMFS datastores are still there, you just can't see them. This article should still save you:
   For ESXi 6.0, those ESXi 5.1 VIBs for ASMedia SATA ports and Realtek NICs still seem to be working (but unsupported)
   Mar 04 2015

Closing Thoughts

Alternatively, you could have used VMware Update Manager on a Windows system or VM, but for one-off upgrades typical in a small home lab, pasting these 3 lines of code is pretty darn easy.

Looking ahead, since VUM is now built into VCSA 6.5, this will add another way to do future upgrades and patches, even in a small home lab environment.

Video

Apr 01 2017 Update

For ESXi 6.0 users who don't wish to move to 6.5, there are also patches for this issue, but those are not the focus of this article. See:

• kb.vmware.com/kb/2149569 Patch ESXi600-201703401-SG: Updates esx-base, vsan, vsanhealth
• kb.vmware.com/kb/2149568 Patch Release ESXi600-201703001

See also at TinkerTry

• Order a TinkerTry'd Supermicro SuperServer Bundle - powerful and efficient home virtualization lab solutions

• VMware vSphere Taskbar Shortcuts Unleashed - profile switcher isolated and uncluttered Chrome Browser UIs act like native Windows apps!

See also

• ESXi 6.5 Release Notes for free license and white box users
  Nov 24 2016 by Andreas Peetz at VMware Front Experience

• VMware ESXi Patch Tracker
  Nov 24 2016 by Andreas Peetz at VMware Front Experience

• VMware vSphere 6.5 Documentation Center - Upgrade or Update a Host with Image Profiles
  VMware

Upgrade Log

Below, I've pasted the full text of my upgrade, helps you see what drivers were touched, use the horizonal scroll bar or shift + mousewheel to look around, Ctrl+F works as needed too:

[root@xd-1541-5028d:~] esxcli software profile install -p ESXi-6.5.0-20170304101-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
Installation Result
   Message: The update completed successfully, but the system needs to be rebooted for the changes to be effective.
   Reboot Required: true
   VIBs Installed: VMW_bootbank_ehci-ehci-hcd_1.0-4vmw.650.0.14.5146846, VMW_bootbank_ixgben_1.0.0.0-9vmw.650.0.14.5146846, VMW_bootbank_misc-drivers_6.5.0-0.14.5146846, VMW_bootbank_ne1000_0.8.0-11vmw.650.0.14.5146846, VMW_bootbank_net-ixgbe_3.7.13.7.14iov-20vmw.650.0.0.4564106, VMW_bootbank_vmkusb_0.1-1vmw.650.0.14.5146846, VMW_bootbank_vmw-ahci_1.0.0-34vmw.650.0.14.5146846, VMware_bootbank_esx-base_6.5.0-0.15.5224529, VMware_bootbank_esx-ui_1.15.0-5069532, VMware_bootbank_vsan_6.5.0-0.15.5224529, VMware_bootbank_vsanhealth_6.5.0-0.15.5224529
   VIBs Removed: INT_bootbank_net-ixgbe_4.4.1-1OEM.600.0.0.2159203, VMW_bootbank_ehci-ehci-hcd_1.0-3vmw.650.0.0.4564106, VMW_bootbank_ixgben_1.0.0.0-8vmw.650.0.0.4564106, VMW_bootbank_misc-drivers_6.5.0-0.0.4564106, VMW_bootbank_ne1000_0.8.0-9vmw.650.0.0.4564106, VMW_bootbank_vmkusb_0.1-1vmw.650.0.0.4564106, VMW_bootbank_vmw-ahci_1.0.0-32vmw.650.0.0.4564106, VMware_bootbank_esx-base_6.5.0-0.9.4887370, VMware_bootbank_esx-ui_1.8.0-4516221, VMware_bootbank_vsan_6.5.0-0.9.4887370, VMware_bootbank_vsanhealth_6.5.0-0.9.4887370
   VIBs Skipped: VMW_bootbank_ata-libata-92_3.00.9.2-16vmw.650.0.0.4564106, VMW_bootbank_ata-pata-amd_0.3.10-3vmw.650.0.0.4564106, VMW_bootbank_ata-pata-atiixp_0.4.6-4vmw.650.0.0.4564106, VMW_bootbank_ata-pata-cmd64x_0.2.5-3vmw.650.0.0.4564106, VMW_bootbank_ata-pata-hpt3x2n_0.3.4-3vmw.650.0.0.4564106, VMW_bootbank_ata-pata-pdc2027x_1.0-3vmw.650.0.0.4564106, VMW_bootbank_ata-pata-serverworks_0.4.3-3vmw.650.0.0.4564106, VMW_bootbank_ata-pata-sil680_0.4.8-3vmw.650.0.0.4564106, VMW_bootbank_ata-pata-via_0.3.3-2vmw.650.0.0.4564106, VMW_bootbank_block-cciss_3.6.14-10vmw.650.0.0.4564106, VMW_bootbank_char-random_1.0-3vmw.650.0.0.4564106, VMW_bootbank_elxnet_11.1.91.0-1vmw.650.0.0.4564106, VMW_bootbank_hid-hid_1.0-3vmw.650.0.0.4564106, VMW_bootbank_i40en_1.1.0-1vmw.650.0.0.4564106, VMW_bootbank_igbn_0.1.0.0-12vmw.650.0.0.4564106, VMW_bootbank_ima-qla4xxx_2.02.18-1vmw.650.0.0.4564106, VMW_bootbank_ipmi-ipmi-devintf_39.1-4vmw.650.0.0.4564106, VMW_bootbank_ipmi-ipmi-msghandler_39.1-4vmw.650.0.0.4564106, VMW_bootbank_ipmi-ipmi-si-drv_39.1-4vmw.650.0.0.4564106, VMW_bootbank_lpfc_11.1.0.6-1vmw.650.0.0.4564106, VMW_bootbank_lsi-mr3_6.910.18.00-1vmw.650.0.0.4564106, VMW_bootbank_lsi-msgpt2_20.00.01.00-3vmw.650.0.0.4564106, VMW_bootbank_lsi-msgpt3_12.00.02.00-11vmw.650.0.0.4564106, VMW_bootbank_misc-cnic-register_1.78.75.v60.7-1vmw.650.0.0.4564106, VMW_bootbank_mtip32xx-native_3.9.5-1vmw.650.0.0.4564106, VMW_bootbank_nenic_1.0.0.2-1vmw.650.0.0.4564106, VMW_bootbank_net-bnx2_2.2.4f.v60.10-2vmw.650.0.0.4564106, VMW_bootbank_net-bnx2x_1.78.80.v60.12-1vmw.650.0.0.4564106, VMW_bootbank_net-cdc-ether_1.0-3vmw.650.0.0.4564106, VMW_bootbank_net-cnic_1.78.76.v60.13-2vmw.650.0.0.4564106, VMW_bootbank_net-e1000_8.0.3.1-5vmw.650.0.0.4564106, VMW_bootbank_net-e1000e_3.2.2.1-2vmw.650.0.0.4564106, VMW_bootbank_net-enic_2.1.2.38-2vmw.650.0.0.4564106, VMW_bootbank_net-fcoe_1.0.29.9.3-7vmw.650.0.0.4564106, VMW_bootbank_net-forcedeth_0.61-2vmw.650.0.0.4564106, VMW_bootbank_net-igb_5.0.5.1.1-5vmw.650.0.0.4564106, VMW_bootbank_net-libfcoe-92_1.0.24.9.4-8vmw.650.0.0.4564106, VMW_bootbank_net-mlx4-core_1.9.7.0-1vmw.650.0.0.4564106, VMW_bootbank_net-mlx4-en_1.9.7.0-1vmw.650.0.0.4564106, VMW_bootbank_net-nx-nic_5.0.621-5vmw.650.0.0.4564106, VMW_bootbank_net-tg3_3.131d.v60.4-2vmw.650.0.0.4564106, VMW_bootbank_net-usbnet_1.0-3vmw.650.0.0.4564106, VMW_bootbank_net-vmxnet3_1.1.3.0-3vmw.650.0.0.4564106, VMW_bootbank_nhpsa_2.0.6-3vmw.650.0.0.4564106, VMW_bootbank_nmlx4-core_3.16.0.0-1vmw.650.0.0.4564106, VMW_bootbank_nmlx4-en_3.16.0.0-1vmw.650.0.0.4564106, VMW_bootbank_nmlx4-rdma_3.16.0.0-1vmw.650.0.0.4564106, VMW_bootbank_nmlx5-core_4.16.0.0-1vmw.650.0.0.4564106, VMW_bootbank_ntg3_4.1.0.0-1vmw.650.0.0.4564106, VMW_bootbank_nvme_1.2.0.32-2vmw.650.0.0.4564106, VMW_bootbank_nvmxnet3_2.0.0.22-1vmw.650.0.0.4564106, VMW_bootbank_ohci-usb-ohci_1.0-3vmw.650.0.0.4564106, VMW_bootbank_pvscsi_0.1-1vmw.650.0.0.4564106, VMW_bootbank_qedentv_2.0.3.29-1vmw.650.0.0.4564106, VMW_bootbank_qfle3_1.0.2.7-1vmw.650.0.0.4564106, VMW_bootbank_qflge_1.1.0.3-1vmw.650.0.0.4564106, VMW_bootbank_qlnativefc_2.1.30.0-11vmw.650.0.0.4564106, VMW_bootbank_sata-ahci_3.0-22vmw.650.0.0.4564106, VMW_bootbank_sata-ata-piix_2.12-10vmw.650.0.0.4564106, VMW_bootbank_sata-sata-nv_3.5-4vmw.650.0.0.4564106, VMW_bootbank_sata-sata-promise_2.12-3vmw.650.0.0.4564106, VMW_bootbank_sata-sata-sil24_1.1-1vmw.650.0.0.4564106, VMW_bootbank_sata-sata-sil_2.3-4vmw.650.0.0.4564106, VMW_bootbank_sata-sata-svw_2.3-3vmw.650.0.0.4564106, VMW_bootbank_scsi-aacraid_1.1.5.1-9vmw.650.0.0.4564106, VMW_bootbank_scsi-adp94xx_1.0.8.12-6vmw.650.0.0.4564106, VMW_bootbank_scsi-aic79xx_3.1-5vmw.650.0.0.4564106, VMW_bootbank_scsi-bnx2fc_1.78.78.v60.8-1vmw.650.0.0.4564106, VMW_bootbank_scsi-bnx2i_2.78.76.v60.8-1vmw.650.0.0.4564106, VMW_bootbank_scsi-fnic_1.5.0.45-3vmw.650.0.0.4564106, VMW_bootbank_scsi-hpsa_6.0.0.84-1vmw.650.0.0.4564106, VMW_bootbank_scsi-ips_7.12.05-4vmw.650.0.0.4564106, VMW_bootbank_scsi-iscsi-linux-92_1.0.0.2-3vmw.650.0.0.4564106, VMW_bootbank_scsi-libfc-92_1.0.40.9.3-5vmw.650.0.0.4564106, VMW_bootbank_scsi-megaraid-mbox_2.20.5.1-6vmw.650.0.0.4564106, VMW_bootbank_scsi-megaraid-sas_6.603.55.00-2vmw.650.0.0.4564106, VMW_bootbank_scsi-megaraid2_2.00.4-9vmw.650.0.0.4564106, VMW_bootbank_scsi-mpt2sas_19.00.00.00-1vmw.650.0.0.4564106, VMW_bootbank_scsi-mptsas_4.23.01.00-10vmw.650.0.0.4564106, VMW_bootbank_scsi-mptspi_4.23.01.00-10vmw.650.0.0.4564106, VMW_bootbank_scsi-qla4xxx_5.01.03.2-7vmw.650.0.0.4564106, VMW_bootbank_shim-iscsi-linux-9-2-1-0_6.5.0-0.0.4564106, VMW_bootbank_shim-iscsi-linux-9-2-2-0_6.5.0-0.0.4564106, VMW_bootbank_shim-libata-9-2-1-0_6.5.0-0.0.4564106, VMW_bootbank_shim-libata-9-2-2-0_6.5.0-0.0.4564106, VMW_bootbank_shim-libfc-9-2-1-0_6.5.0-0.0.4564106, VMW_bootbank_shim-libfc-9-2-2-0_6.5.0-0.0.4564106, VMW_bootbank_shim-libfcoe-9-2-1-0_6.5.0-0.0.4564106, VMW_bootbank_shim-libfcoe-9-2-2-0_6.5.0-0.0.4564106, VMW_bootbank_shim-vmklinux-9-2-1-0_6.5.0-0.0.4564106, VMW_bootbank_shim-vmklinux-9-2-2-0_6.5.0-0.0.4564106, VMW_bootbank_shim-vmklinux-9-2-3-0_6.5.0-0.0.4564106, VMW_bootbank_uhci-usb-uhci_1.0-3vmw.650.0.0.4564106, VMW_bootbank_usb-storage-usb-storage_1.0-3vmw.650.0.0.4564106, VMW_bootbank_usbcore-usb_1.0-3vmw.650.0.0.4564106, VMW_bootbank_vmkata_0.1-1vmw.650.0.0.4564106, VMW_bootbank_vmkplexer-vmkplexer_6.5.0-0.0.4564106, VMW_bootbank_xhci-xhci_1.0-3vmw.650.0.0.4564106, VMware_bootbank_cpu-microcode_6.5.0-0.0.4564106, VMware_bootbank_emulex-esx-elxnetcli_11.1.28.0-0.0.4564106, VMware_bootbank_esx-dvfilter-generic-fastpath_6.5.0-0.0.4564106, VMware_bootbank_esx-tboot_6.5.0-0.0.4564106, VMware_bootbank_esx-xserver_6.5.0-0.0.4564106, VMware_bootbank_lsu-hp-hpsa-plugin_2.0.0-3vmw.650.0.0.4564106, VMware_bootbank_lsu-lsi-lsi-mr3-plugin_1.0.0-7vmw.650.0.0.4564106, VMware_bootbank_lsu-lsi-lsi-msgpt3-plugin_1.0.0-6vmw.650.0.0.4564106, VMware_bootbank_lsu-lsi-megaraid-sas-plugin_1.0.0-7vmw.650.0.0.4564106, VMware_bootbank_lsu-lsi-mpt2sas-plugin_2.0.0-5vmw.650.0.0.4564106, VMware_bootbank_native-misc-drivers_6.5.0-0.0.4564106, VMware_bootbank_rste_2.0.2.0088-4vmw.650.0.0.4564106, VMware_bootbank_vmware-esx-esxcli-nvme-plugin_1.2.0.10-0.0.4564106, VMware_locker_tools-light_6.5.0-0.0.4564106
[root@xd-1541-5028d:~] esxcli network firewall ruleset set -e false -r httpClient
[root@xd-1541-5028d:~] reboot