kri-2
Hot Shot

Do we need the SLP Service on Port 427


Hi,

Our penetration test team criticizes a running SLP service on port 427 tcp/udp on all our ESXi 5.0 hosts (HP380G6-G8).

Does someone know if this service is needed on a standard ESXi host connected to a vCenter (maybe for the hardware tab)?

We are NOT running any third-party tools to monitor the hosts (e.g. HP agent). But we have installed the CIM provider for the vCenter integration.

Just closing "CIM SLP" via firewall rules did not bring up any problems promptly as far as I see, but I want to be really sure.

Any help would be appreciated.

Chris

23 Replies
GeoPerkins
Enthusiast

This thread has become more important because of the newly announced vulnerabilities this month.

Links to VMware advisories:

https://www.vmware.com/security/advisories/VMSA-2019-0022.html

https://www.vmware.com/security/advisories/VMSA-2020-0023.html

and the workaround:

https://kb.vmware.com/s/article/76372

Does anyone have an update?

Disabling CIM because of the SLP vulnerability (workaround) has what impacts on ESXi monitoring/management operations?

GeoPerkins
Enthusiast

Our organization implemented the CIMSLP workaround without any adverse impacts. We are proceeding with patching and will remove the workaround when that's complete. Since we noted no downside to disabling SLPd on the ESXi hosts, we wonder what value it actually provides. Perhaps we do not use the orchestrator/automation that might otherwise use it.

Saaditani
Contributor

We will also apply the workaround, as from this thread it will not affect running services/hardware monitoring.

szemmali
Contributor

Ansible playbook to apply the workaround for the OpenSLP security vulnerability in ESXi 6.7:

---
# Applies the KB 76372 workaround: stop slpd now, block the CIMSLP firewall
# ruleset (port 427 tcp/udp), and keep slpd from starting again after a reboot.
- name: Workaround for OpenSLP security vulnerability in ESXi 6.7
  hosts: all
  gather_facts: false   # not needed for these shell tasks on ESXi
  tasks:
    - name: Stop the SLP service
      shell: /etc/init.d/slpd stop
      register: slpd_stop

    - name: Print the result of stopping the SLP service
      debug:
        msg: "{{ slpd_stop.stdout }}"

    - name: Disable the CIMSLP firewall ruleset
      shell: esxcli network firewall ruleset set -r CIMSLP -e 0

    - name: Make the change persist across reboots
      shell: chkconfig slpd off

    - name: Check that the change is applied across reboots
      shell: chkconfig --list | grep slpd
      register: check_change
      changed_when: false   # read-only check, never reports a change

    - name: Print the result of the check
      debug:
        msg: "{{ check_change.stdout }}"
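As an added example (not part of the thread or VMware's KB), a small POSIX shell audit that confirms both halves of the workaround are actually in place on a host by parsing the output of the same two commands the playbook runs; the two-column layout of `chkconfig --list` and `esxcli network firewall ruleset list` and the sample outputs below are assumptions/constructed data.

```shell
#!/bin/sh
# Added example, not from the thread: audit whether the SLP workaround from KB 76372
# (slpd off at boot, CIMSLP firewall ruleset disabled) is in place on an ESXi host,
# by parsing the output of the same two commands the playbook above runs.
# The column layout of `chkconfig --list` and `esxcli network firewall ruleset list`
# is assumed to be "<name> <value>" per line.

# first_field_matches NAME VALUE: read two-column command output on stdin and succeed
# only if a line whose first field is NAME carries VALUE in its second field.
first_field_matches() {
    awk -v name="$1" -v want="$2" '
        $1 == name { found = 1; if ($2 == want) ok = 1 }
        END { if (found && ok) exit 0; exit 1 }'
}

# workaround_applied CHKCONFIG_OUTPUT RULESET_OUTPUT: print one verdict per control,
# return 0 only when both are satisfied (so a fleet-wide loop can count failures).
workaround_applied() {
    status=0
    if printf '%s\n' "$1" | first_field_matches slpd off; then
        echo "OK   slpd is disabled at boot"
    else
        echo "FAIL slpd still starts at boot (expected: chkconfig slpd off)"; status=1
    fi
    if printf '%s\n' "$2" | first_field_matches CIMSLP false; then
        echo "OK   CIMSLP firewall ruleset is disabled"
    else
        echo "FAIL CIMSLP ruleset still open on 427 tcp/udp (expected: ruleset set -r CIMSLP -e 0)"; status=1
    fi
    return $status
}

# Constructed sample output (not captured from a real host) so the check runs offline.
CHKCONFIG_OK='sshd            on
slpd            off
ntpd            on'
CHKCONFIG_BAD='sshd            on
slpd            on'
RULESET_OK='Name                      Enabled
------------------------  -------
sshServer                 true
CIMSLP                    false'
RULESET_BAD='Name                      Enabled
------------------------  -------
CIMSLP                    true'

# On a real host replace the samples with live output:
#   workaround_applied "$(chkconfig --list)" "$(esxcli network firewall ruleset list)"
workaround_applied "$CHKCONFIG_OK" "$RULESET_OK"
```

A host where slpd is missing from `chkconfig --list` altogether is reported as FAIL rather than OK, so an unexpected output format surfaces instead of passing silently.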