topic Re: PowerCLI - Workaround for OpenSLP security vulnerability in ESXi 6.x (CVE-2019-5544) / VMSA-2019 in VMware PowerCLI Discussions

PowerCLI - Workaround for OpenSLP security vulnerability in ESXi 6.x (CVE-2019-5544) / VMSA-2019-0022

Jakub__D — Wed, 11 Dec 2019 03:17:00 GMT

Hi!

I wonder if anyone already wrote script to implement workaround for OpenSLP security vulnerability in ESXi 6.x (CVE-2019-5544) / VMSA-2019-0022 ?
One to apply:
VMware Knowledge Base ?

I have asked VMware support same question but have not got any useful answer yet.

Re: PowerCLI - Workaround for OpenSLP security vulnerability in ESXi 6.x (CVE-2019-5544) / VMSA-2019-0022

scott28tt — Wed, 11 Dec 2019 07:36:20 GMT

Moderator: Moved to PowerCLI

Re: PowerCLI - Workaround for OpenSLP security vulnerability in ESXi 6.x (CVE-2019-5544) / VMSA-2019-0022

LucD — Wed, 11 Dec 2019 09:51:40 GMT

If you are allowed to enable SSH briefly and if you have installed/can install the Posh-SSH module, you could do

$esxName = 'MyEsx'

$esx = Get-VMHost -Name $esxName

$cmdsub = @'

/etc/init.d/slpd stop;

/etc/init.d/slpd status;

esxcli network firewall ruleset set -r CIMSLP -e 0;

chkconfig slpd off;

chkconfig --list | grep slpd;

$secPswd = ConvertTo-SecureString 'Welcome2019!' -AsPlainText -Force

$cred = New-Object System.Management.Automation.PSCredential ('root', $secPswd)

Get-VMHostService -VMHost $esx | where{$_.Key -eq 'TSM-SSH'} | Start-VMHostService -Confirm:$false | Out-Null

$session = New-SSHSession -ComputerName $esx.Name -Credential $cred –AcceptKey

Invoke-SSHCommand -SSHSession $session -Command $cmdSub | Select -ExpandProperty Output

Remove-SSHSession -SSHSession $session | Out-Null

Get-VMHostService -VMHost $esx | where{$_.Key -eq 'TSM-SSH'} | Stop-VMHostService -Confirm:$false | Out-Null

Re: PowerCLI - Workaround for OpenSLP security vulnerability in ESXi 6.x (CVE-2019-5544) / VMSA-2019

GeoPerkins — Thu, 19 Nov 2020 16:38:08 GMT

Thanks, this script worked as advertised.

Re: PowerCLI - Workaround for OpenSLP security vulnerability in ESXi 6.x (CVE-2019-5544) / VMSA-2019

szemmali — Thu, 25 Feb 2021 20:50:22 GMT

Ansible playbook to apply Workaround for OpenSLP security vulnerability in ESXi 6.x

https://gist.github.com/szemmali/6b2c257f8567cda1dbb92b8e92f3e06c

Re: PowerCLI - Workaround for OpenSLP security vulnerability in ESXi 6.x (CVE-2019-5544) / VMSA-2019

rachappachalmi — Fri, 26 Feb 2021 14:09:37 GMT

/Hi Luc,

Thanks for above script but can we do this same at vCenter level which dont ask for ESXi root password as we have different different root passwords for all the ESXi hosts to perform this CIMSLP actions ?

Re: PowerCLI - Workaround for OpenSLP security vulnerability in ESXi 6.x (CVE-2019-5544) / VMSA-2019

LucD — Fri, 26 Feb 2021 14:12:44 GMT

Not really, the commands need to be run on the ESXi node.
Except for the esxcli command, there is no alternative for these commands on the vCenter level

Re: PowerCLI - Workaround for OpenSLP security vulnerability in ESXi 6.x (CVE-2019-5544) / VMSA-2019

rachappachalmi — Mon, 01 Mar 2021 10:16:11 GMT

Hi Luc,

Oh ok, got it,

Actually we have around 2157 ESXi hosts and majority of them have same root passwords, hence I was looking for an option to apply this script once for all of them.

Re: PowerCLI - Workaround for OpenSLP security vulnerability in ESXi 6.x (CVE-2019-5544) / VMSA-2019

rachappachalmi — Mon, 01 Mar 2021 14:15:37 GMT

Hi Luc,

Will you be able to help me use this script for multiple hosts pls ?

Regards
Rachappa

Re: PowerCLI - Workaround for OpenSLP security vulnerability in ESXi 6.x (CVE-2019-5544) / VMSA-2019

LucD — Mon, 01 Mar 2021 15:07:46 GMT

Where and how do you provide the names of those ESXi nodes?

In a file?

Re: PowerCLI - Workaround for OpenSLP security vulnerability in ESXi 6.x (CVE-2019-5544) / VMSA-2019

LexCosta — Mon, 01 Mar 2021 16:55:49 GMT

Hello,

Can't this be set using:

$ESXi = Get-VMHost xpto
$slpd = $ESXi | Get-VMHostService | Where {$_.key -eq "slpd"}

if(($slpd.policy -eq "on") -or ($slpd.policy -eq "automatic"))
{
$slpd | set-VMHostService -Policy Off -Confirm:$false
}

if ($slpd.running)
{
$slpd | Stop-VMHostService -Confirm:$false
}

Thank you

Re: PowerCLI - Workaround for OpenSLP security vulnerability in ESXi 6.x (CVE-2019-5544) / VMSA-2019

LucD — Mon, 01 Mar 2021 17:23:30 GMT

I don't think that this will make the change persistent across reboots of the ESXi node.
That's what the chkconfig command is doing.

Re: PowerCLI - Workaround for OpenSLP security vulnerability in ESXi 6.x (CVE-2019-5544) / VMSA-2019

rachappachalmi — Tue, 02 Mar 2021 08:42:20 GMT

Hi Luc ,

I have two requests to you.

1 - I am trying to use multiple hosts like below in your above script but its not working

$esxName = @("myesxi1","myesxi2")

$esx = Get-VMHost -Name $esxName

$cmdsub = @'

/etc/init.d/slpd stop;

/etc/init.d/slpd status;

esxcli network firewall ruleset set -r CIMSLP -e 0;

chkconfig slpd off;

chkconfig --list | grep slpd;

$secPswd = ConvertTo-SecureString 'ESXI510U2' -AsPlainText -Force

$cred = New-Object System.Management.Automation.PSCredential ('root', $secPswd)

Get-VMHostService -VMHost $esx | where{$_.Key -eq 'TSM-SSH'} | Start-VMHostService -Confirm:$false | Out-Null

$session = New-SSHSession -ComputerName $esx.Name -Credential $cred –AcceptKey

Invoke-SSHCommand -SSHSession $session -Command $cmdSub | Select -ExpandProperty Output

Remove-SSHSession -SSHSession $session | Out-Null

Get-VMHostService -VMHost $esx | where{$_.Key -eq 'TSM-SSH'} | Stop-VMHostService -Confirm:$false | Out-Null

2 - We have standalone ESXi hosts around 178 and your original script is not working for them too, can you help on this as well (again password is same for all)

Re: PowerCLI - Workaround for OpenSLP security vulnerability in ESXi 6.x (CVE-2019-5544) / VMSA-2019

rachappachalmi — Tue, 02 Mar 2021 08:44:23 GMT

Hi Lex,

Sorry i am weak in scripting and i did not understand where to mention my ESXi list here in your script.

Re: PowerCLI - Workaround for OpenSLP security vulnerability in ESXi 6.x (CVE-2019-5544) / VMSA-2019

rachappachalmi — Tue, 02 Mar 2021 08:49:25 GMT

Hi Luc,

Yes, if it takes from file also fine or if we need to mention in the script also fine, but need to do it for multiple hosts.

Re: PowerCLI - Workaround for OpenSLP security vulnerability in ESXi 6.x (CVE-2019-5544) / VMSA-2019

Loagu — Tue, 02 Mar 2021 16:39:28 GMT

Hi Lucd

CAn the script connects the Vcenter and get all esxi host and apply this setings

Re: PowerCLI - Workaround for OpenSLP security vulnerability in ESXi 6.x (CVE-2019-5544) / VMSA-2019

LucD — Tue, 02 Mar 2021 17:17:18 GMT

You can do this in a loop.
This assumes you have already connected to the VCSA and that the credentials for all ESXi nodes are the same.

$cmdsub = @' /etc/init.d/slpd stop; /etc/init.d/slpd status; esxcli network firewall ruleset set -r CIMSLP -e 0; chkconfig slpd off; chkconfig --list | grep slpd; '@ $secPswd = ConvertTo-SecureString 'Welcome2019!' -AsPlainText -Force $cred = New-Object System.Management.Automation.PSCredential ('root', $secPswd) Get-VMHost -PipelineVariable esx | ForEach-Object -Process { Get-VMHostService -VMHost $esx | where { $_.Key -eq 'TSM-SSH' } | Start-VMHostService -Confirm:$false | Out-Null $session = New-SSHSession -ComputerName $esx.Name -Credential $cred –AcceptKey Invoke-SSHCommand -SSHSession $session -Command $cmdSub | select -ExpandProperty Output Remove-SSHSession -SSHSession $session | Out-Null Get-VMHostService -VMHost $esx | where { $_.Key -eq 'TSM-SSH' } | Stop-VMHostService -Confirm:$false | Out-Null }

Re: PowerCLI - Workaround for OpenSLP security vulnerability in ESXi 6.x (CVE-2019-5544) / VMSA-2019

rachappachalmi — Wed, 03 Mar 2021 06:03:30 GMT

Hi Luc, Its working for me, thanks a lot for all your help as always

Re: PowerCLI - Workaround for OpenSLP security vulnerability in ESXi 6.x (CVE-2019-5544) / VMSA-2019

LexCosta — Wed, 03 Mar 2021 22:52:26 GMT

Hi,

by setting up the policy to off the slpd service will not start after the esxi reboots, exactly the same way that ssh service doesn’t start after the esxi reboots if the policy is set to off on this service as well

Re: PowerCLI - Workaround for OpenSLP security vulnerability in ESXi 6.x (CVE-2019-5544) / VMSA-2019

Loagu — Thu, 04 Mar 2021 13:32:31 GMT

HI Lucid

Am getting below errors can you suggest on this

New-SSHSession : Could not load file or assembly 'Renci.SshNet, Version=2016.1.0.0, Culture=neutral, PublicKeyToken=1cee9f8bde3db106' or one of its dependencies. The system cannot
find the file specified.
At line:16 char:20
+ ... $session = New-SSHSession -ComputerName $esx.Name -Credential $cred ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-SSHSession], FileNotFoundException
+ FullyQualifiedErrorId : System.IO.FileNotFoundException,SSH.NewSshSession

Invoke-SSHCommand : Cannot bind argument to parameter 'SSHSession' because it is null.
At line:17 char:39
+ Invoke-SSHCommand -SSHSession $session -Command $cmdSub | sel ...
+ ~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Invoke-SSHCommand], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Invoke-SSHCommand