Control OpenSLP on ESXi hosts using PowerCLI

In light of recent security vulnerabilities found in the OpenSLP service on ESXi, a recommended workaround is to disable the OpenSLP service altogether.

Vulnerability information: https://www.vmware.com/security/advisories/VMSA-2021-0002.html

Workaround KB: https://kb.vmware.com/s/article/82374

This PowerShell script will help you control the OpenSLP service.

Import-Module VMware.PowerCLI

# Stops the slpd service, sets its startup policy to Off and disables the "CIM SLP" firewall rule.
Function Disable-OpenSLP {
	param([VMware.VimAutomation.ViCore.Impl.V1.Inventory.VMHostImpl][Parameter(Mandatory=$true)]$VMHost)
	# Look up the OpenSLP service by its key; exactly one match is expected.
	$service = $VMHost | Get-VMHostService | Where-Object { $_.Key -eq "slpd" }
	if ($service.length -ne 1) {
		throw("ERROR: OpenSLP Service not found on host: $VMHost")
	}

	# Stop the running service, then set the policy to Off so it stays stopped.
	$service | Stop-VMHostService -Confirm:$false -ErrorAction:Stop | Out-Null
	$service | Set-VMHostService -Policy:Off -ErrorAction:Stop | Out-Null

	# Look up the firewall rule that allows SLP traffic.
	$rule = $VMHost | Get-VMHostFirewallException -Name "CIM SLP"
	if ($rule.length -ne 1) {
		throw("ERROR: OpenSLP Firewall rule not found on host: $VMHost")
	}

	# Disable the firewall rule.
	$rule | Set-VMHostFirewallException -Enabled $false -ErrorAction:Stop | Out-Null
	Write-Host "OpenSLP Service disabled for host: $VMHost"
}


# Reverts the workaround: starts slpd, sets its policy to Automatic and enables the "CIM SLP" firewall rule.
Function Enable-OpenSLP {
	param([VMware.VimAutomation.ViCore.Impl.V1.Inventory.VMHostImpl][Parameter(Mandatory=$true)]$VMHost)
	# Look up the OpenSLP service by its key; exactly one match is expected.
	$service = $VMHost | Get-VMHostService | Where-Object { $_.Key -eq "slpd" }
	if ($service.length -ne 1) {
		throw("ERROR: OpenSLP Service not found on host: $VMHost")
	}

	# Start the service and restore the Automatic startup policy.
	$service | Start-VMHostService -Confirm:$false -ErrorAction:Stop | Out-Null
	$service | Set-VMHostService -Policy:Automatic -ErrorAction:Stop | Out-Null

	# Look up the firewall rule that allows SLP traffic.
	$rule = $VMHost | Get-VMHostFirewallException -Name "CIM SLP"
	if ($rule.length -ne 1) {
		throw("ERROR: OpenSLP Firewall rule not found on host: $VMHost")
	}

	# Enable the firewall rule again.
	$rule | Set-VMHostFirewallException -Enabled $true -ErrorAction:Stop | Out-Null
	Write-Host "OpenSLP Service enabled for host: $VMHost"
}

# Replace the quoted placeholders with your own values.
Connect-VIServer -Server "<FQDN of vCenter Server>"
$VMHost = Get-VMHost -Name "<name of VMware ESXi host>"

# Run only one of the following calls.
# Apply the workaround:
Disable-OpenSLP -VMHost $VMHost
# Revert the workaround:
Enable-OpenSLP -VMHost $VMHost
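
To confirm that the workaround is in place on every host, the following added example (not part of the original script) reports the slpd service state, its startup policy and the "CIM SLP" firewall rule per host without changing anything. Test-OpenSLPState is a hypothetical helper name, and the block assumes an existing Connect-VIServer session.

```powershell
Import-Module VMware.PowerCLI

# Added example, not from the original post. Test-OpenSLPState is a hypothetical
# helper name. It only reads state and never changes the host.
Function Test-OpenSLPState {
	param(
		[Parameter(Mandatory=$true, ValueFromPipeline=$true)]
		[VMware.VimAutomation.ViCore.Impl.V1.Inventory.VMHostImpl]$VMHost
	)
	process {
		# @() forces an array so .Count is reliable for 0, 1 or many results.
		$service = @($VMHost | Get-VMHostService | Where-Object { $_.Key -eq "slpd" })
		$rule = @($VMHost | Get-VMHostFirewallException -Name "CIM SLP" -ErrorAction SilentlyContinue)

		$listed = ($service.Count -eq 1)
		$ruleFound = ($rule.Count -eq 1)

		if (-not $listed) {
			# slpd is not listed on some hosts, so its state cannot be judged here.
			$state = "Unknown (slpd not listed)"
		} elseif ($service[0].Running -or $service[0].Policy -ne "off") {
			# A stopped service whose policy is not Off can start again later.
			$state = "NotApplied"
		} elseif ($ruleFound -and $rule[0].Enabled) {
			$state = "Partial (firewall rule still enabled)"
		} else {
			$state = "Applied"
		}

		[PSCustomObject]@{
			Host                = $VMHost.Name
			SlpdRunning         = if ($listed) { $service[0].Running } else { $null }
			SlpdPolicy          = if ($listed) { $service[0].Policy } else { $null }
			FirewallRuleEnabled = if ($ruleFound) { $rule[0].Enabled } else { $null }
			Workaround          = $state
		}
	}
}

# Assumes Connect-VIServer has already been run in this session.
Get-VMHost | Test-OpenSLPState | Sort-Object Workaround | Format-Table -AutoSize
```

Hosts reported as NotApplied or Partial are the ones to pass to Disable-OpenSLP.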

As always, execute at your own risk. You should never run scripts that you do not fully understand.

Hope it helps someone. If it did, please let me know.

2 thoughts on “Control OpenSLP on ESXi hosts using PowerCLI”

  1. I obtain the following error message when I run this script, can you please help on it…
    Disable-OpenSLP : Cannot process argument transformation on parameter ‘VMHost’. Cannot convert value “-OpenSLP” to type
    “VMware.VimAutomation.ViCore.Impl.V1.Inventory.VMHostImpl”. Error: “One of the identified items was in an invalid format.”
    At C:\Users\admin_gsskamba\Downloads\Servicedisable.ps1:43 char:25
    + Disable-OpenSLP -VMHost $VMHostEnable-OpenSLP -VMHost $VMHost
    + ~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidData: (:) [Disable-OpenSLP], ParameterBindingArgumentTransformationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Disable-OpenSLP

    1. Difficult to conclude what went wrong there. Did you update your PowerCLI? Also I found that it only works on newer builds of ESXi, as the “slpd” service is not listed in older versions.
