PowerShell – Disable SLP on ESXi firewall – VMSA-2019-0022 (CVE-2019-5544), VMSA-2020-0023 (CVE-2020-3992) and VMSA-2021-0002 (CVE-2021-21974).

OpenSLP vulnerabilities have been disclosed that affect ESXi. The possibility of exploitation can be removed by performing the steps detailed in this article

I will show you a quick little snippet to disable SLP on the ESXi firewall in response to:

VMSA-2019-0022 (CVE-2019-5544),   VMSA-2020-0023 (CVE-2020-3992) and VMSA-2021-0002 (CVE-2021-21974)

NOTE: I have NOT notice any impact for VMware native functionality. Also I have NOT notice any impact on third party tools like OMIVV, however please test it first in your Dev environment to make sure it won’t brake anything.

Let’s start by connecting to our VCs:

$vCenterServers = "your_cv_name","your_next_vc_name"
connect-viserver $vCenterServers

disconnect-viserver – I like to use it just to make sure I will not have duplicate sessions.

Let’s prepare our host. I am interested in hosts which are connected and powered on only:

$vmhosts = get-vmhost | where {$_.State -eq "Connected" -or $_.State -eq "Maintenance"}

Let’s execute workaround:

foreach($v in $vmhosts){
$esxcli = Get-EsxCli -VMHost $v -V2
$esxcli.network.firewall.ruleset.set.Invoke(@{rulesetid='CIMSLP'; enabled=$false})

Now let’s stop the SLP and make sure the change will survive the reboot:

$esxislpd = $vmhosts | get-vmhostservice | where-object {$_.key -eq "slpd"}
$slpdon = $esxislpd | where {$_.Running -eq "True"}
$slpdon | stop-vmhostservice -confirm:$false
$slpdon | set-vmhostservice -policy "Off" -Confirm:$false

That is it.

If you need explanation or you do have any questions related to this script, please do not hesitate to leave the comment.

Visit my FB page: https://www.facebook.com/AngrySysOps

Subscribe to my YouTube channel: https://www.youtube.com/channel/UCRTcKGl0neismSRpDMK_M4A

Please leave the comment