Hi,
our penetration test team criticizes a running SLP service on port 427 tcp/udp on all our ESXi 5.0 hosts (HP380G6-G8).
Does someone know if this service is needed on a standard ESXi host connected to a vCenter (maybe for the hardware tab)?
We are NOT running any third party tools to monitor the hosts (HP agent e.g). But we have installed the CIM Provider for the vCenter integration.
Just closing "CIM SLP" via firewall rules did not bring up any problems promptly as far as I see, but I want to be really sure.
Any help would be appreciated.
Chris
This thread has become more important because of the newly announced vulnerabilities this month.
links to VMware advisories:
https://www.vmware.com/security/advisories/VMSA-2019-0022.html
https://www.vmware.com/security/advisories/VMSA-2020-0023.html
and workaround:
https://kb.vmware.com/s/article/76372
Does anyone have an update?
Disabling CIM because of the SLP vulnerability (workaround) has what impacts on ESXi monitoring/management operations?
Our organization implemented the CIMSLP workaround without any adverse impacts. We are proceeding with patching and will remove the workaround when that's complete. Since we noted no downside to disabling SLPd on the ESXi hosts, we wonder what value it actually provides. Perhaps we do not use the orchestrator/automation that might otherwise use it.
We will also apply the workaround, as from this thread it will not affect running services/hardware monitoring.
Ansible Playbook to apply Workaround for OpenSLP security vulnerability in ESXi 6.7
---
- name: Workaround for OpenSLP security vulnerability in ESXi 6.7
  hosts: all
  tasks:
    # Step 1: stop the running slpd daemon (KB 76372)
    - name: Stopping the SLP service
      shell: /etc/init.d/slpd stop
      register: slpd_stop
    - name: Print Stopping the SLP service
      debug:
        msg: "{{ slpd_stop.stdout }}"
    # Step 2: close port 427 by disabling the CIMSLP firewall ruleset
    - name: Disable the SLP service
      shell: esxcli network firewall ruleset set -r CIMSLP -e 0
    # Step 3: keep slpd from starting again at boot
    - name: change persist across reboots
      shell: chkconfig slpd off
    # Step 4: verify the boot setting ("slpd off" expected)
    - name: Check if the change is applied across reboots
      shell: chkconfig --list | grep slpd
      register: check_change
    - name: Print the result of change
      debug:
        msg: "{{ check_change.stdout }}"
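The playbook above applies the workaround but only prints the chkconfig line for a human to read. The script below is an added example (not from the thread, the playbook author or VMware) that turns the three facts the workaround changes into a single pass/fail check, so it can be run from the ESXi shell or fed the command outputs collected by Ansible. It assumes the usual output shapes: "slpd   off|on" from chkconfig --list, a Name/Enabled table from esxcli network firewall ruleset list, and "slpd is running" / "slpd is not running" from /etc/init.d/slpd status (the status argument is not shown in the thread; it is assumed here).

```shell
#!/bin/sh
# Hypothetical compliance check for the OpenSLP workaround (KB 76372).
# slp_workaround_applied OUT_CHKCONFIG OUT_RULESET_LIST OUT_SLPD_STATUS
#   $1 - output of:  chkconfig --list | grep slpd           (assumed "slpd   off")
#   $2 - output of:  esxcli network firewall ruleset list   (assumed Name/Enabled table)
#   $3 - output of:  /etc/init.d/slpd status                (assumed "slpd is not running")
# Returns 0 only when slpd is stopped, disabled at boot, and the CIMSLP
# ruleset is off; prints one line per failed condition otherwise.
slp_workaround_applied() {
    chk="$1"; rules="$2"; status="$3"
    rc=0

    # 1. slpd must not start again at the next boot
    case "$chk" in
        *slpd*off*) ;;
        *) echo "FAIL: slpd is still enabled at boot (chkconfig)"; rc=1 ;;
    esac

    # 2. the CIMSLP firewall ruleset (port 427 tcp/udp) must be disabled
    if printf '%s\n' "$rules" | grep -E '^CIMSLP[[:space:]]+true' >/dev/null; then
        echo "FAIL: firewall ruleset CIMSLP is still enabled"; rc=1
    elif ! printf '%s\n' "$rules" | grep -E '^CIMSLP[[:space:]]+false' >/dev/null; then
        echo "WARN: CIMSLP ruleset not found in ruleset list"; rc=1
    fi

    # 3. the daemon must not be running right now (a reboot is not required)
    case "$status" in
        *"not running"*) ;;
        *running*) echo "FAIL: slpd is currently running"; rc=1 ;;
        *) echo "WARN: could not parse slpd status output"; rc=1 ;;
    esac

    return $rc
}

# Live mode: only meaningful inside the ESXi shell where these commands exist.
# Gathers the three outputs and evaluates them; exit status is the verdict.
check_live() {
    chk=$(chkconfig --list | grep slpd)
    rules=$(esxcli network firewall ruleset list)
    status=$(/etc/init.d/slpd status)
    slp_workaround_applied "$chk" "$rules" "$status"
}

# Usage on a host:  . ./slpcheck.sh && check_live && echo "workaround applied"
```

Note that a host where the ruleset is disabled but slpd is still running (or the other way round) fails the check, which is the state you end up in when only one of the three commands from the KB was run.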
9 years later, they were absolutely correct to ask to close this SLP port!
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21974
https://kb.vmware.com/s/article/76372
#EsxiArgs_ransomware
I just have a question:
I am upgrading now to 7u3i. Do I need to undo the workaround after the ESXi is at 7u3i?
No, after ESXi 7.0 U2c the slpd service is stopped and set to manual start, by default:
The following ESXi versions are affected by CVE-2021-21974:
For a system to be vulnerable to CVE-2021-21974, the OpenSLP service needs to be running, and its associated port 427 needs to be reachable from the internet. According to VMware, this service is disabled by default on new installations since ESXi 7.0 U2c and ESXi 8.0 GA.
Source: https://www.recordedfuture.com/esxiargs-ransomware-targets-vmware-esxi-openslp-servers
"For a system to be vulnerable to CVE-2021-21974, the OpenSLP service needs to be running, and its associated port 427 needs to be reachable from the internet."
Nitpick: for it to be vulnerable it just needs to be reachable, period. A malicious actor inside the network can exploit this even if 427 is unreachable from the internet side.
You can see how to explore this CVE in this video: https://www.youtube.com/watch?v=7FHX6ppYIXY
The firewall rule CIM SLP can block this attack.
I don't know about needing it, but I have found that I can't kill the sfcb service despite following the CLI given. It keeps restarting. CIM is showing as stopped in vSphere and is set to stop and start manually as per the latest advisory.
Following the workarounds for both CIM
How to disable or enable the SFCB service (CIM Server) on the ESX/ESXi host (1025757) (vmware.com)
and OpenSLP
How to Disable/Enable the SLP Service on VMware ESXi (76372)
I have tried to use CLI and can stop sfcb and slp but sfcb seems to restart shortly after despite this.
Am I missing something?