VMware Cloud Community
kri-2
Hot Shot

Do we need the SLP Service on Port 427

Hi,

Our penetration test team criticizes a running SLP service on port 427 tcp/udp on all our ESXi 5.0 hosts (HP380G6-G8).

Does someone know if this service is needed on a standard ESXi host connected to a vCenter (maybe for the hardware tab)?

We are NOT running any third-party tools to monitor the hosts (e.g. HP agents). But we have installed the CIM Provider for the vCenter integration.

Just closing "CIM SLP" via firewall rules did not bring up any problems promptly as far as I see, but I want to be really sure.

Any help would be appreciated.

Chris

GeoPerkins
Enthusiast

This thread has become more important because of the newly announced vulnerabilities this month.

Links to the VMware advisories:

https://www.vmware.com/security/advisories/VMSA-2019-0022.html

https://www.vmware.com/security/advisories/VMSA-2020-0023.html

and the workaround:

https://kb.vmware.com/s/article/76372

Does anyone have an update?

Disabling CIM because of the SLP vulnerability (workaround) has what impacts on ESXi monitoring/management operations?

GeoPerkins
Enthusiast

Our organization implemented the CIMSLP workaround without any adverse impacts. We are proceeding with patching and will remove the workaround when that's complete. Since we noted no downside to disabling SLPd on the ESXi hosts, we wonder what value it actually provides. Perhaps we do not use the orchestrator/automation that might otherwise use it.

Saaditani
Contributor

We will also apply the workaround, as from this thread it will not affect running services/hardware monitoring.

szemmali
Contributor

Ansible playbook to apply the workaround for the OpenSLP security vulnerability in ESXi 6.7:

---
# Applies the KB 76372 workaround on every ESXi host in the inventory:
# stop slpd, block the CIMSLP firewall ruleset (port 427 tcp/udp), and
# keep slpd from starting again after a reboot.
- name: Workaround for OpenSLP security vulnerability in ESXi 6.7
  hosts: all
  gather_facts: false
  tasks:
    - name: Stop the SLP service
      shell: /etc/init.d/slpd stop
      register: slpd_stop

    - name: Print the result of stopping the SLP service
      debug:
        msg: "{{ slpd_stop.stdout }}"

    - name: Disable the CIMSLP firewall ruleset
      shell: esxcli network firewall ruleset set -r CIMSLP -e 0

    - name: Make the change persist across reboots
      shell: chkconfig slpd off

    - name: Check that the change is applied across reboots
      shell: chkconfig --list | grep slpd
      register: check_change

    - name: Print the result of the change
      debug:
        msg: "{{ check_change.stdout }}"
mhabiballa
Contributor

9 years later, they were absolutely correct to ask to close this SLP port!

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21974

https://kb.vmware.com/s/article/76372

#EsxiArgs_ransomware

pargit
Enthusiast

I just have a question:

I am upgrading now to 7u3i. Do I need to undo the workaround after the ESXi host is at 7u3i?

ggeorgi5
Contributor

No, after ESXi 7.0 U2c the slpd service is stopped and set to manual start, by default:

The following ESXi versions are affected by CVE-2021-21974:

  • ESXi 7.x prior to ESXi70U1c-17325551
  • ESXi 6.7.x prior to ESXi670-202102401-SG
  • ESXi 6.5.x prior to ESXi650-202102101-SG

For a system to be vulnerable to CVE-2021-21974, the OpenSLP service needs to be running, and its associated port 427 needs to be reachable from the internet. According to VMware, this service is disabled by default on new installations since ESXi 7.0 U2c and ESXi 8.0 GA.

Source: https://www.recordedfuture.com/esxiargs-ransomware-targets-vmware-esxi-openslp-servers

MattGoddard
Enthusiast

"For a system to be vulnerable to CVE-2021-21974, the OpenSLP service needs to be running, and its associated port 427 needs to be reachable from the internet."

Nitpick: for it to be vulnerable it just needs to be reachable, period. A malicious actor inside the network can exploit this even if 427 is unreachable from the internet side.
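A small audit script that serves both the playbook above and the point that SLP only needs to be reachable: run from inside the management network, it checks TCP 427 on each host and parses `esxcli network firewall ruleset list` output to confirm the CIMSLP ruleset is disabled. This is an added example, not code from the thread or from VMware; the host names are assumed placeholders.

```python
"""Audit ESXi hosts for a reachable OpenSLP listener on TCP 427.

Added example, not code from the thread. Run it from inside the management
network: it tests internal reachability, not only exposure to the internet.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

SLP_PORT = 427

def port_reachable(host, port=SLP_PORT, timeout=2.0):
    """True if a TCP connect to host:port succeeds within timeout.
    With the CIMSLP ruleset disabled (KB 76372) the ESXi firewall drops the
    SYN and this times out; a refused connect (slpd stopped) is also False.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # timeout, refused, DNS failure
        return False

def audit_hosts(hosts, port=SLP_PORT, timeout=2.0, workers=16):
    """Check all hosts concurrently; return sorted hosts where SLP is reachable."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: (h, port_reachable(h, port, timeout)), hosts))
    return sorted(h for h, reachable in results if reachable)

def parse_ruleset_list(text):
    """Parse `esxcli network firewall ruleset list` output into {name: enabled}."""
    status = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].lower() in ("true", "false"):
            status[parts[0]] = parts[1].lower() == "true"
    return status

def cimslp_blocked(ruleset_output):
    """True only if the CIMSLP ruleset is listed and disabled (workaround step 2)."""
    return parse_ruleset_list(ruleset_output).get("CIMSLP") is False

def loopback_listener():
    """Throwaway TCP listener on 127.0.0.1, used to self-test the checker."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]

if __name__ == "__main__":
    # Constructed sample inventory; replace with your own ESXi host list.
    print("SLP reachable on:", audit_hosts(["esxi01.example.internal"]))
```

A host that still answers on 427 from inside the network has not had the workaround (or the patch) applied, whatever the perimeter firewall says.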

Marcelo_Pinto
Contributor

You can see how to explore this CVE in this video: https://www.youtube.com/watch?v=7FHX6ppYIXY

The firewall rule CIM SLP can block this attack.

NickDaGeekUK
Enthusiast

I don't know about needing it, but I have found that I can't kill the sfcb service despite following the CLI steps given. It keeps restarting. CIM is showing as stopped in vSphere and is set to stop and start manually as per the latest advisory.

Following the workarounds for both CIM,

How to disable or enable the SFCB service (CIM Server) on the ESX/ESXi host (1025757) (vmware.com)

and OpenSLP,

How to Disable/Enable the SLP Service on VMware ESXi (76372)

I have tried to use CLI and can stop sfcb and slp but sfcb seems to restart shortly after despite this.

Am I missing something?

Kind regards,
Nick.