Control OpenSLP on ESXi hosts using PowerCLI

I light of recent security vulnerabilities found in the OpenSLP service on ESXi. A recommended workaround is to disable the OpenSLP service all together.

Vulnerability information: https://www.vmware.com/security/advisories/VMSA-2021-0002.html

Workaround KB: https://kb.vmware.com/s/article/82374

This powershell script will help you control the OpenSLP service.

Import VMware.PowerCLI

Function Disable-OpenSLP {
	param([VMware.VimAutomation.ViCore.Impl.V1.Inventory.VMHostImpl][Parameter(Mandatory=$true)]$VMHost)
	$service = $VMHost | Get-VMHostService | Where-Object { $_.Key -eq "slpd" }
	if ($service.length -ne 1) {
		throw("ERROR: OpenSLP Service not found on host: $VMHost")
	}

	$service | Stop-VMHostService -Confirm:$false -ErrorAction:Stop | Out-Null
	$service | Set-VMHostService -Policy:Off -ErrorAction:Stop | Out-Null

	$rule = $VMHost | Get-VMHostFirewallException -Name "CIM SLP"
	if ($rule.length -ne 1) {
		throw("ERROR: OpenSLP Firewall rule not found on host: $VMHost")
	}

	$rule | Set-VMHostFirewallException -Enabled $false -ErrorAction:Stop | Out-Null
	Write-Host "OpenSLP Service disabled for host: $VMHost"
}


Function Enable-OpenSLP {
	param([VMware.VimAutomation.ViCore.Impl.V1.Inventory.VMHostImpl][Parameter(Mandatory=$true)]$VMHost)
	$service = $VMHost | Get-VMHostService | Where-Object { $_.Key -eq "slpd" }
	if ($service.length -ne 1) {
		throw("ERROR: OpenSLP Service not found on host: $VMHost")
	}

	$service | Start-VMHostService -Confirm:$false -ErrorAction:Stop | Out-Null
	$service | Set-VMHostService -Policy:Automatic -ErrorAction:Stop | Out-Null

	$rule = $VMHost | Get-VMHostFirewallException -Name "CIM SLP"
	if ($rule.length -ne 1) {
		throw("ERROR: OpenSLP Firewall rule not found on host: $VMHost")
	}
	
	$rule | Set-VMHostFirewallException -Enabled $true -ErrorAction:Stop | Out-Null
	Write-Host "OpenSLP Service enabled for host: $VMHost"
}

Connect-VIServer <FQDN of vCenter Server>
$VMost = Get-VMHost <name of VMware ESXi host>

Disable-OpenSLP -VMHost $VMHostEnable-OpenSLP -VMHost $VMHost
Enable-OpenSLP -VMHost $VMHostEnable-OpenSLP -VMHost $VMHost

As always. Execute at your own risk. You should never run scripts that you do not fully understand.

Hope it helps someone. If it did, please let me know.

View Comments (2)

  • I obtain the following error message when i run this script, can you please help on it....
    Disable-OpenSLP : Cannot process argument transformation on parameter 'VMHost'. Cannot convert value "-OpenSLP" to type
    "VMware.VimAutomation.ViCore.Impl.V1.Inventory.VMHostImpl". Error: "One of the identified items was in an invalid format."
    At C:\Users\admin_gsskamba\Downloads\Servicedisable.ps1:43 char:25
    + Disable-OpenSLP -VMHost $VMHostEnable-OpenSLP -VMHost $VMHost
    + ~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidData: (:) [Disable-OpenSLP], ParameterBindingArgumentTransformationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Disable-OpenSLP

    • Difficult to conclude what went wrong there. Did you update your PowerCLI? Also I found that it only works on newer builds of ESXi, as the "slpd" service is not listed in older versions.

Leave a Comment
CVE-2021-21972CVE-2021-21973CVE-2021-21974Disable ServiceESXiOpenSLPPowerCliPowershellVMSA-2021-0002VMware
Related Post
  1. Diagnose Network Problems In A Container Using The Filesystem

    So you need to figure out why you application is not working, but your toolset…

  2. List VMs with Secure Boot enabled on Windows Server 2022

    Since Microsoft released: KB5022842 a lot of customers has experienced Windows Server 2022 not being…

  3. How To Make vRO Execute Python Code Blocks

    vRealize Orchestrator (vRO) is a powerful automation platform that enables you to automate and orchestrate…