In light of recent security vulnerabilities found in the OpenSLP service on ESXi, a recommended workaround is to disable the OpenSLP service altogether.
Vulnerability information: https://www.vmware.com/security/advisories/VMSA-2021-0002.html
Workaround KB: https://kb.vmware.com/s/article/82374
This PowerShell script will help you control the OpenSLP service.
Import-Module VMware.PowerCLI

# Stops slpd, sets its startup policy to Off and disables the "CIM SLP" firewall rule.
Function Disable-OpenSLP {
    param([VMware.VimAutomation.ViCore.Impl.V1.Inventory.VMHostImpl][Parameter(Mandatory=$true)]$VMHost)
    $service = $VMHost | Get-VMHostService | Where-Object { $_.Key -eq "slpd" }
    if ($service.length -ne 1) {
        throw("ERROR: OpenSLP Service not found on host: $VMHost")
    }
    $service | Stop-VMHostService -Confirm:$false -ErrorAction:Stop | Out-Null
    $service | Set-VMHostService -Policy:Off -ErrorAction:Stop | Out-Null
    $rule = $VMHost | Get-VMHostFirewallException -Name "CIM SLP"
    if ($rule.length -ne 1) {
        throw("ERROR: OpenSLP Firewall rule not found on host: $VMHost")
    }
    $rule | Set-VMHostFirewallException -Enabled $false -ErrorAction:Stop | Out-Null
    Write-Host "OpenSLP Service disabled for host: $VMHost"
}

# Reverts the workaround: starts slpd, sets its policy to Automatic and re-enables the firewall rule.
Function Enable-OpenSLP {
    param([VMware.VimAutomation.ViCore.Impl.V1.Inventory.VMHostImpl][Parameter(Mandatory=$true)]$VMHost)
    $service = $VMHost | Get-VMHostService | Where-Object { $_.Key -eq "slpd" }
    if ($service.length -ne 1) {
        throw("ERROR: OpenSLP Service not found on host: $VMHost")
    }
    $service | Start-VMHostService -Confirm:$false -ErrorAction:Stop | Out-Null
    $service | Set-VMHostService -Policy:Automatic -ErrorAction:Stop | Out-Null
    $rule = $VMHost | Get-VMHostFirewallException -Name "CIM SLP"
    if ($rule.length -ne 1) {
        throw("ERROR: OpenSLP Firewall rule not found on host: $VMHost")
    }
    $rule | Set-VMHostFirewallException -Enabled $true -ErrorAction:Stop | Out-Null
    Write-Host "OpenSLP Service enabled for host: $VMHost"
}

Connect-VIServer <FQDN of vCenter Server>
$VMHost = Get-VMHost <name of VMware ESXi host>

# Run one or the other, not both in sequence.
# Apply the workaround:
Disable-OpenSLP -VMHost $VMHost
# Revert the workaround:
Enable-OpenSLP -VMHost $VMHost
As always, execute at your own risk. You should never run scripts that you do not fully understand.
Hope it helps someone. If it did, please let me know.
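To confirm the workaround actually took effect across a cluster, a read-only audit is useful. The following is an added example, not part of the original script: Get-OpenSLPStatus and its State labels are hypothetical names, and it assumes an existing Connect-VIServer session. It reports hosts where slpd is not listed instead of throwing.

```powershell
# Added example: read-only audit of the OpenSLP workaround state per host.
# Get-OpenSLPStatus is a hypothetical helper name, not a PowerCLI cmdlet.
Function Get-OpenSLPStatus {
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
        [VMware.VimAutomation.ViCore.Impl.V1.Inventory.VMHostImpl]$VMHost
    )
    process {
        # Wrap in @() so zero, one or many results all expose .Count reliably.
        $service = @($VMHost | Get-VMHostService | Where-Object { $_.Key -eq "slpd" })
        $rule    = @($VMHost | Get-VMHostFirewallException -Name "CIM SLP" -ErrorAction SilentlyContinue)

        $running     = if ($service.Count -eq 1) { $service[0].Running } else { $null }
        $policy      = if ($service.Count -eq 1) { "$($service[0].Policy)" } else { $null }
        $ruleEnabled = if ($rule.Count -eq 1) { $rule[0].Enabled } else { $null }

        # Classify: fully disabled, still exposed, or only partly applied.
        $state = if ($service.Count -ne 1) {
            "ServiceNotListed"        # slpd is not shown on this build
        } elseif (-not $running -and $policy -eq "off" -and $ruleEnabled -ne $true) {
            "Disabled"                # workaround fully applied
        } elseif ($running -and $ruleEnabled) {
            "Exposed"                 # service running and firewall rule open
        } else {
            "Partial"                 # e.g. stopped now, but policy would restart it
        }

        [PSCustomObject]@{
            Host            = $VMHost.Name
            ServiceRunning  = $running
            ServicePolicy   = $policy
            FirewallEnabled = $ruleEnabled
            State           = $state
        }
    }
}

# List every connected host where the workaround is not fully in place.
Get-VMHost | Where-Object { $_.ConnectionState -in "Connected", "Maintenance" } |
    Get-OpenSLPStatus |
    Where-Object { $_.State -ne "Disabled" } |
    Format-Table -AutoSize
```

A "Partial" result usually means the service was stopped but its policy was left so that it starts again on reboot, which is why Disable-OpenSLP sets the policy to Off as well.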
I obtain the following error message when I run this script, can you please help with it….
Disable-OpenSLP : Cannot process argument transformation on parameter ‘VMHost’. Cannot convert value “-OpenSLP” to type
“VMware.VimAutomation.ViCore.Impl.V1.Inventory.VMHostImpl”. Error: “One of the identified items was in an invalid format.”
At C:\Users\admin_gsskamba\Downloads\Servicedisable.ps1:43 char:25
+ Disable-OpenSLP -VMHost $VMHostEnable-OpenSLP -VMHost $VMHost
+ ~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Disable-OpenSLP], ParameterBindingArgumentTransformationException
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,Disable-OpenSLP
Difficult to conclude what went wrong there. Did you update your PowerCLI? Also I found that it only works on newer builds of ESXi, as the “slpd” service is not listed in older versions.