ESXi Vulnerability OpenSLP
How to Disable/Enable the SLP Service on VMware ESXi (76372)
Last Updated: 09/12/2022
Categories: Security
Total Views: 445999
Details
OpenSLP vulnerabilities have been disclosed that affect ESXi. These vulnerabilities and their impact on VMware products are documented in the following VMware Security Advisories (VMSAs). Please review these before continuing, as there may be considerations outside the scope of this document:
VMSA-2022-0030 (CVE-2022-31699)
VMSA-2021-0014 (CVE-2021-21995)
VMSA-2021-0002 (CVE-2021-21974)
VMSA-2020-0023 (CVE-2020-3992)
VMSA-2019-0022 (CVE-2019-5544)
The ESXi team has investigated these vulnerabilities and determined that the possibility of exploitation can be removed by performing the steps detailed in the resolution section of this article. This workaround is meant to be a temporary solution only and customers are advised to deploy the patches documented in the aforementioned VMSAs.
Warning:
This workaround is applicable ONLY to ESXi. Do not apply this workaround to other VMware products.
Functionality Impacts:
With the workaround, CIM clients which use SLP to find CIM servers over port 427 will not be able to locate the service.
There is no requirement to reboot the ESXi host to disable/enable the service.
Solution
Details on the available PowerCLI options to disable the service are documented here.
To implement the workaround, perform the following steps:
1 Log in to the ESXi hosts using an SSH session (such as PuTTY)
2 Stop the SLP service on the ESXi host with this command:
/etc/init.d/slpd stop
Note: The SLP service can only be stopped when the service is not in use. Use the following command to view the operational state of Service Location Protocol Daemon:
esxcli system slp stats get
3 Run the following command to disable the SLP service:
esxcli network firewall ruleset set -r CIMSLP -e 0
To make this change persist across reboots:
chkconfig slpd off
To check if the change is applied across reboots:
chkconfig --list | grep slpd
output: slpd off
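
To confirm that both persistent parts of the workaround agree on a host, the following added example (not part of the VMware KB) parses the output of chkconfig --list and esxcli network firewall ruleset list and reports the combined state. The function names and sample outputs are constructed for illustration, and the script does not check whether slpd is currently running.

```shell
#!/bin/sh
# Added example (not VMware's code): classify whether the SLP workaround is
# in place, from the text of two commands run on the ESXi host.

# $1 = output of: chkconfig --list | grep slpd
# Prints on/off, or "unknown" when no slpd line is present.
slpd_startup_state() {
    printf '%s\n' "$1" |
        awk '$1 == "slpd" { s = $2 } END { if (s == "") s = "unknown"; print s }'
}

# $1 = output of: esxcli network firewall ruleset list
# Prints true/false from the Enabled column of the CIMSLP row, or "unknown".
cimslp_ruleset_state() {
    printf '%s\n' "$1" |
        awk '$1 == "CIMSLP" { s = $2 } END { if (s == "") s = "unknown"; print s }'
}

# Combine both checks: applied / not-applied / partial / unknown.
# "partial" means only one of the two settings was changed.
slp_workaround_status() {
    startup=$(slpd_startup_state "$1")
    ruleset=$(cimslp_ruleset_state "$2")
    case "$startup/$ruleset" in
        off/false) echo applied ;;
        on/true)   echo not-applied ;;
        *unknown*) echo unknown ;;
        *)         echo partial ;;
    esac
}

# Constructed sample outputs, not captured from a real host.
SAMPLE_CHKCONFIG_OFF='slpd                    off'
SAMPLE_CHKCONFIG_ON='slpd                    on'
SAMPLE_RULESET_OFF='Name       Enabled
---------  -------
sshServer     true
CIMSLP       false'
SAMPLE_RULESET_ON='Name       Enabled
---------  -------
sshServer     true
CIMSLP        true'

# On an ESXi host, evaluate the live state; elsewhere this is skipped.
if command -v esxcli >/dev/null 2>&1; then
    slp_workaround_status "$(chkconfig --list | grep slpd)" \
        "$(esxcli network firewall ruleset list)"
fi
```

A result of "partial" is the case to investigate: either the firewall ruleset is still enabled, or slpd is still set to start at boot.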
To remove the workaround, perform the following steps:
- Run the following command to enable the ruleset of SLP service:
esxcli network firewall ruleset set -r CIMSLP -e 1
- Run the following command to change the current startup information of slpd service:
chkconfig slpd on
Run the following command to check if the change is applied after running the above step (step 2):
chkconfig --list | grep slpd
output: slpd on
- Run the following command to start the SLP service:
/etc/init.d/slpd start
- Disable and enable the CIM agent; see How to disable or enable the CIM agent on the ESX/ESXi host.
Later versions of ESXi report the SLPD service in the vCenter GUI.
1 To check if you can update the SLP service via the vSphere client, log in to the vCenter.
2 Select the ESXi host and click on "Configure" -- "Services". Look for SLP in the list. If SLP is not listed, then use the process detailed above.
3 Select SLPD and click on "Stop" and then click "Ok".
4 Select "Edit Startup Policy" and select "Start and stop with host". Click Ok.
5 Reverse the steps above to re-enable the service.
Last Author: mbh
Last Edited: Feb 6 2023, 9:54 AM