In light of recent security vulnerabilities found in the OpenSLP service on ESXi, a recommended workaround is to disable the OpenSLP service altogether.
Vulnerability information: https://www.vmware.com/security/advisories/VMSA-2021-0002.html
Workaround KB: https://kb.vmware.com/s/article/82374
This PowerShell script will help you control the OpenSLP service.
Import-Module VMware.PowerCLI

# Stop slpd, set its startup policy to Off and disable the "CIM SLP" firewall rule.
Function Disable-OpenSLP {
    param([VMware.VimAutomation.ViCore.Impl.V1.Inventory.VMHostImpl][Parameter(Mandatory=$true)]$VMHost)
    $service = $VMHost | Get-VMHostService | Where-Object { $_.Key -eq "slpd" }
    # @() forces an array so the count is reliable for zero, one or many matches
    if (@($service).Count -ne 1) {
        throw("ERROR: OpenSLP Service not found on host: $VMHost")
    }
    $service | Stop-VMHostService -Confirm:$false -ErrorAction:Stop | Out-Null
    $service | Set-VMHostService -Policy:Off -ErrorAction:Stop | Out-Null
    $rule = $VMHost | Get-VMHostFirewallException -Name "CIM SLP"
    if (@($rule).Count -ne 1) {
        throw("ERROR: OpenSLP Firewall rule not found on host: $VMHost")
    }
    $rule | Set-VMHostFirewallException -Enabled $false -ErrorAction:Stop | Out-Null
    Write-Host "OpenSLP Service disabled for host: $VMHost"
}

# Revert the workaround: start slpd, set its policy to Automatic and enable the firewall rule.
Function Enable-OpenSLP {
    param([VMware.VimAutomation.ViCore.Impl.V1.Inventory.VMHostImpl][Parameter(Mandatory=$true)]$VMHost)
    $service = $VMHost | Get-VMHostService | Where-Object { $_.Key -eq "slpd" }
    if (@($service).Count -ne 1) {
        throw("ERROR: OpenSLP Service not found on host: $VMHost")
    }
    $service | Start-VMHostService -Confirm:$false -ErrorAction:Stop | Out-Null
    $service | Set-VMHostService -Policy:Automatic -ErrorAction:Stop | Out-Null
    $rule = $VMHost | Get-VMHostFirewallException -Name "CIM SLP"
    if (@($rule).Count -ne 1) {
        throw("ERROR: OpenSLP Firewall rule not found on host: $VMHost")
    }
    $rule | Set-VMHostFirewallException -Enabled $true -ErrorAction:Stop | Out-Null
    Write-Host "OpenSLP Service enabled for host: $VMHost"
}

# Replace the placeholders (keep the quotes) before running.
Connect-VIServer -Server "<FQDN of vCenter Server>"
$VMHost = Get-VMHost -Name "<name of VMware ESXi host>"

# Apply the workaround:
Disable-OpenSLP -VMHost $VMHost

# To revert the workaround later, run this instead:
# Enable-OpenSLP -VMHost $VMHost
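To confirm the workaround is actually in place on every host, the read-only check below reports the three settings that Disable-OpenSLP changes. It is an added example, not part of the original script: Get-OpenSLPStatus, its output fields and the State values are names chosen here, and it assumes an active Connect-VIServer session and that the service's Policy property reads "off" once the policy has been set to Off.

```powershell
# Added example: read-only audit of the OpenSLP workaround. Changes nothing on the host.
Function Get-OpenSLPStatus {
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
        [VMware.VimAutomation.ViCore.Impl.V1.Inventory.VMHostImpl[]]$VMHost
    )
    process {
        foreach ($h in $VMHost) {
            # @() forces an array so .Count is 0, 1 or more, never $null.
            $service = @($h | Get-VMHostService | Where-Object { $_.Key -eq "slpd" })
            $rule    = @($h | Get-VMHostFirewallException -Name "CIM SLP" -ErrorAction SilentlyContinue)

            $running = $null; $policy = $null; $fwEnabled = $null
            if ($service.Count -eq 1) { $running = $service[0].Running; $policy = $service[0].Policy }
            if ($rule.Count -eq 1)    { $fwEnabled = $rule[0].Enabled }

            if ($service.Count -ne 1 -or $rule.Count -ne 1) {
                # Service or rule not listed on this host: report it
                # instead of throwing so the rest of the inventory is still audited.
                $state = "NotFound"
            } elseif ((-not $running) -and ($policy -eq "off") -and (-not $fwEnabled)) {
                # Stopped, will not start at boot, and the firewall rule is disabled.
                $state = "Disabled"
            } else {
                # At least one of the three settings still allows SLP.
                $state = "NotDisabled"
            }

            [PSCustomObject]@{
                Host            = $h.Name
                State           = $state
                ServiceRunning  = $running
                ServicePolicy   = $policy
                FirewallEnabled = $fwEnabled
            }
        }
    }
}

# Audit every host in the connected vCenter and list the ones that still need attention:
# Get-VMHost | Get-OpenSLPStatus | Where-Object { $_.State -ne "Disabled" } | Format-Table
```

A host reported as NotDisabled with ServiceRunning false but ServicePolicy other than "off" will bring slpd back on the next reboot, so check all three columns rather than the running state alone.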
As always, execute at your own risk. You should never run scripts that you do not fully understand.
Hope it helps someone. If it did, please let me know.
View Comments (2)
I obtain the following error message when I run this script, can you please help on it....
Disable-OpenSLP : Cannot process argument transformation on parameter 'VMHost'. Cannot convert value "-OpenSLP" to type
"VMware.VimAutomation.ViCore.Impl.V1.Inventory.VMHostImpl". Error: "One of the identified items was in an invalid format."
At C:\Users\admin_gsskamba\Downloads\Servicedisable.ps1:43 char:25
+ Disable-OpenSLP -VMHost $VMHostEnable-OpenSLP -VMHost $VMHost
+ ~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Disable-OpenSLP], ParameterBindingArgumentTransformationException
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,Disable-OpenSLP
Difficult to conclude what went wrong there. Did you update your PowerCLI? Also I found that it only works on newer builds of ESXi, as the "slpd" service is not listed in older versions.