Control OpenSLP on ESXi hosts using PowerCLI

In light of recent security vulnerabilities found in the OpenSLP service on ESXi, a recommended workaround is to disable the OpenSLP service altogether.

Vulnerability information: https://www.vmware.com/security/advisories/VMSA-2021-0002.html

Workaround KB: https://kb.vmware.com/s/article/82374

This PowerShell script will help you control the OpenSLP service.

Import-Module VMware.PowerCLI

Function Disable-OpenSLP {
	param([VMware.VimAutomation.ViCore.Impl.V1.Inventory.VMHostImpl][Parameter(Mandatory=$true)]$VMHost)
	# Locate the OpenSLP daemon (service key "slpd") on the host
	$service = $VMHost | Get-VMHostService | Where-Object { $_.Key -eq "slpd" }
	if ($service.length -ne 1) {
		throw("ERROR: OpenSLP Service not found on host: $VMHost")
	}

	# Stop the running service, then set its startup policy to Off so it stays off after a reboot
	$service | Stop-VMHostService -Confirm:$false -ErrorAction:Stop | Out-Null
	$service | Set-VMHostService -Policy:Off -ErrorAction:Stop | Out-Null

	# Close the matching ESXi firewall rule
	$rule = $VMHost | Get-VMHostFirewallException -Name "CIM SLP"
	if ($rule.length -ne 1) {
		throw("ERROR: OpenSLP Firewall rule not found on host: $VMHost")
	}

	$rule | Set-VMHostFirewallException -Enabled $false -ErrorAction:Stop | Out-Null
	Write-Host "OpenSLP Service disabled for host: $VMHost"
}


Function Enable-OpenSLP {
	param([VMware.VimAutomation.ViCore.Impl.V1.Inventory.VMHostImpl][Parameter(Mandatory=$true)]$VMHost)
	# Locate the OpenSLP daemon (service key "slpd") on the host
	$service = $VMHost | Get-VMHostService | Where-Object { $_.Key -eq "slpd" }
	if ($service.length -ne 1) {
		throw("ERROR: OpenSLP Service not found on host: $VMHost")
	}

	# Start the service, then set its startup policy to Automatic
	$service | Start-VMHostService -Confirm:$false -ErrorAction:Stop | Out-Null
	$service | Set-VMHostService -Policy:Automatic -ErrorAction:Stop | Out-Null

	# Re-open the matching ESXi firewall rule
	$rule = $VMHost | Get-VMHostFirewallException -Name "CIM SLP"
	if ($rule.length -ne 1) {
		throw("ERROR: OpenSLP Firewall rule not found on host: $VMHost")
	}

	$rule | Set-VMHostFirewallException -Enabled $true -ErrorAction:Stop | Out-Null
	Write-Host "OpenSLP Service enabled for host: $VMHost"
}

Connect-VIServer <FQDN of vCenter Server>
$VMHost = Get-VMHost <name of VMware ESXi host>

# Apply the workaround
Disable-OpenSLP -VMHost $VMHost

# Revert the workaround
Enable-OpenSLP -VMHost $VMHost

As always, execute at your own risk. You should never run scripts that you do not fully understand.

Hope it helps someone. If it did, please let me know.
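
To confirm the workaround is actually in place across a vCenter inventory, the following read-only audit reports the slpd service state, its startup policy and the "CIM SLP" firewall rule per host. It is an added example, not part of the original script; the function name Get-OpenSLPStatus and the output property names are made up for illustration, and it assumes VMware.PowerCLI is loaded and Connect-VIServer has already been run. Hosts where the "slpd" service is not listed are reported with ServiceListed = False rather than raising an error.

```powershell
# Added example: read-only audit of the OpenSLP workaround (changes nothing on the host).
# Get-OpenSLPStatus and its output property names are hypothetical, chosen for this example.
Function Get-OpenSLPStatus {
	param(
		[Parameter(Mandatory=$true, ValueFromPipeline=$true)]
		[VMware.VimAutomation.ViCore.Impl.V1.Inventory.VMHostImpl[]]$VMHost
	)
	process {
		foreach ($h in $VMHost) {
			# @() forces an array so .Count is reliable for zero, one or many results
			$service = @($h | Get-VMHostService -ErrorAction SilentlyContinue |
				Where-Object { $_.Key -eq "slpd" })
			$rule = @($h | Get-VMHostFirewallException -Name "CIM SLP" -ErrorAction SilentlyContinue)

			$listed  = $service.Count -eq 1
			$running = $listed -and $service[0].Running
			$policy  = if ($listed) { "$($service[0].Policy)" } else { "n/a" }
			$fwOpen  = ($rule.Count -eq 1) -and $rule[0].Enabled

			[PSCustomObject]@{
				VMHost          = $h.Name
				Version         = "$($h.Version) build $($h.Build)"
				ServiceListed   = $listed
				Running         = $running
				Policy          = $policy
				FirewallEnabled = $fwOpen
				# Mitigated only when the service is listed, stopped, set to Off,
				# and the firewall rule is disabled; anything else needs a manual look
				Mitigated       = $listed -and (-not $running) -and ($policy -eq "off") -and (-not $fwOpen)
			}
		}
	}
}

# Show every host that does not yet match the workaround state
Get-VMHost | Get-OpenSLPStatus | Where-Object { -not $_.Mitigated } | Format-Table -AutoSize
```

Running it again after Disable-OpenSLP should leave the table empty for the hosts that were changed.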

View Comments (2)

  • I obtain the following error message when I run this script, can you please help on it....
    Disable-OpenSLP : Cannot process argument transformation on parameter 'VMHost'. Cannot convert value "-OpenSLP" to type
    "VMware.VimAutomation.ViCore.Impl.V1.Inventory.VMHostImpl". Error: "One of the identified items was in an invalid format."
    At C:\Users\admin_gsskamba\Downloads\Servicedisable.ps1:43 char:25
    + Disable-OpenSLP -VMHost $VMHostEnable-OpenSLP -VMHost $VMHost
    + ~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidData: (:) [Disable-OpenSLP], ParameterBindingArgumentTransformationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Disable-OpenSLP

    • Difficult to conclude what went wrong there. Did you update your PowerCLI? Also I found that it only works on newer builds of ESXi, as the "slpd" service is not listed in older versions.
