Jakub__D
Contributor

PowerCLI - Workaround for OpenSLP security vulnerability in ESXi 6.x (CVE-2019-5544) / VMSA-2019-0022

Hi!

I wonder if anyone has already written a script to implement the workaround for the OpenSLP security vulnerability in ESXi 6.x (CVE-2019-5544) / VMSA-2019-0022?
One to apply:
VMware Knowledge Base ?

I have asked VMware support the same question but have not gotten any useful answer yet.

46 Replies
scott28tt
VMware Employee

Moderator: Moved to PowerCLI


VMware Training & Certification blog
LucD
Leadership

If you are allowed to enable SSH briefly and if you have installed/can install the Posh-SSH module, you could do

# Requires the Posh-SSH module and an existing Connect-VIServer session
Import-Module Posh-SSH

$esxName = 'MyEsx'
$esx = Get-VMHost -Name $esxName

# Commands run on the ESXi host: stop slpd, disable the CIMSLP firewall ruleset,
# keep slpd from starting again at boot; the status lines echo the result back
$cmdSub = @'
/etc/init.d/slpd stop;
/etc/init.d/slpd status;
esxcli network firewall ruleset set -r CIMSLP -e 0;
chkconfig slpd off;
chkconfig --list | grep slpd;
'@

# Placeholder password; prefer Get-Credential so the password is not stored in the script
$secPswd = ConvertTo-SecureString 'Welcome2019!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('root', $secPswd)

# Enable SSH on the host only for the duration of the change
Get-VMHostService -VMHost $esx | where{$_.Key -eq 'TSM-SSH'} | Start-VMHostService -Confirm:$false | Out-Null

# -AcceptKey trusts the host key presented on first connection
$session = New-SSHSession -ComputerName $esx.Name -Credential $cred -AcceptKey
Invoke-SSHCommand -SSHSession $session -Command $cmdSub | Select -ExpandProperty Output
Remove-SSHSession -SSHSession $session | Out-Null

# Stop SSH again
Get-VMHostService -VMHost $esx | where{$_.Key -eq 'TSM-SSH'} | Stop-VMHostService -Confirm:$false | Out-Null

Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

GeoPerkins
Enthusiast

Thanks, this script worked as advertised. 

szemmali
Contributor

Ansible playbook to apply Workaround for OpenSLP security vulnerability in ESXi 6.x

https://gist.github.com/szemmali/6b2c257f8567cda1dbb92b8e92f3e06c

rachappachalmi
Enthusiast

Hi Luc,

Thanks for the above script, but can we do the same at the vCenter level, which doesn't ask for the ESXi root password? We have different root passwords on all the ESXi hosts for performing these CIMSLP actions.

LucD
Leadership

Not really, the commands need to be run on the ESXi node.
Except for the esxcli command, there is no alternative for these commands at the vCenter level.


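What can be driven through vCenter alone, as an added example that is not LucD's code and not from the thread: of the commands in the SSH script, the CIMSLP firewall ruleset change can go through Get-EsxCli -V2 and the slpd stop and startup policy through the PowerCLI service cmdlets, so no per-host root password is needed. It assumes an open Connect-VIServer session to the vCenter; the host names are placeholders. It does not run chkconfig, so verify on one host over SSH with chkconfig --list | grep slpd that the startup policy set this way is what the host reports before relying on it fleet-wide.

```powershell
# Added example, not from the thread. Assumes an open Connect-VIServer session to the
# vCenter; the host names are placeholders.
$hostNames = @('myesxi1', 'myesxi2')

$report = foreach ($esx in Get-VMHost -Name $hostNames) {
    # esxcli through the vSphere API (no SSH): disable the CIMSLP firewall ruleset
    $esxcli  = Get-EsxCli -VMHost $esx -V2
    $setArgs = $esxcli.network.firewall.ruleset.set.CreateArgs()
    $setArgs.rulesetid = 'CIMSLP'
    $setArgs.enabled   = $false
    $esxcli.network.firewall.ruleset.set.Invoke($setArgs) | Out-Null

    # slpd: stop it now and set its startup policy to Off so it is not started at boot
    $slpd = Get-VMHostService -VMHost $esx | Where-Object { $_.Key -eq 'slpd' }
    if ($slpd.Running) { $slpd | Stop-VMHostService -Confirm:$false | Out-Null }
    if ($slpd.Policy -ne 'off') { $slpd | Set-VMHostService -Policy Off -Confirm:$false | Out-Null }

    # Read the state back instead of assuming the calls took effect
    $ruleset = $esxcli.network.firewall.ruleset.list.Invoke(@{ rulesetid = 'CIMSLP' })
    $slpd    = Get-VMHostService -VMHost $esx | Where-Object { $_.Key -eq 'slpd' }
    # the cast handles Enabled being returned either as text or as a boolean
    $rulesetOff = ([string]$ruleset.Enabled) -eq 'false'
    [pscustomobject]@{
        VMHost        = $esx.Name
        CIMSLPEnabled = [string]$ruleset.Enabled
        SlpdRunning   = $slpd.Running
        SlpdPolicy    = $slpd.Policy
        Compliant     = $rulesetOff -and (-not $slpd.Running) -and ($slpd.Policy -eq 'off')
    }
}

$report | Format-Table -AutoSize
```

Pipe $report to Export-Csv to keep a record of what was changed; any host that comes back with Compliant false still needs the SSH path from the script above.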
rachappachalmi
Enthusiast

Hi Luc,

Oh ok, got it.

Actually we have around 2157 ESXi hosts and the majority of them have the same root password, hence I was looking for an option to apply this script once for all of them.
rachappachalmi
Enthusiast

Hi Luc,

Will you be able to help me use this script for multiple hosts, please?

Regards
Rachappa
LucD
Leadership

Where and how do you provide the names of those ESXi nodes?

In a file?


LexCosta
Contributor

Hello,

Can't this be set using:

$ESXi = Get-VMHost xpto
$slpd = $ESXi | Get-VMHostService | Where-Object { $_.Key -eq 'slpd' }

# Startup policy: stop slpd from being started at boot
if (($slpd.Policy -eq 'on') -or ($slpd.Policy -eq 'automatic')) {
    $slpd | Set-VMHostService -Policy Off -Confirm:$false
}

# Stop the running instance
if ($slpd.Running) {
    $slpd | Stop-VMHostService -Confirm:$false
}

Thank you

LucD
Leadership

I don't think that this will make the change persistent across reboots of the ESXi node.
That's what the chkconfig command is doing.


rachappachalmi
Enthusiast

Hi Luc,

I have two requests for you.

1 - I am trying to use multiple hosts like below in your above script, but it's not working:

$esxName = @("myesxi1","myesxi2")
$esx = Get-VMHost -Name $esxName

$cmdSub = @'
/etc/init.d/slpd stop;
/etc/init.d/slpd status;
esxcli network firewall ruleset set -r CIMSLP -e 0;
chkconfig slpd off;
chkconfig --list | grep slpd;
'@

$secPswd = ConvertTo-SecureString 'ESXI510U2' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('root', $secPswd)

Get-VMHostService -VMHost $esx | where{$_.Key -eq 'TSM-SSH'} | Start-VMHostService -Confirm:$false | Out-Null

$session = New-SSHSession -ComputerName $esx.Name -Credential $cred -AcceptKey
Invoke-SSHCommand -SSHSession $session -Command $cmdSub | Select -ExpandProperty Output
Remove-SSHSession -SSHSession $session | Out-Null

Get-VMHostService -VMHost $esx | where{$_.Key -eq 'TSM-SSH'} | Stop-VMHostService -Confirm:$false | Out-Null

2 - We have around 178 standalone ESXi hosts and your original script is not working for them either; can you help with this as well (again, the password is the same for all)?
rachappachalmi
Enthusiast

Hi Lex,

Sorry, I am weak in scripting and I did not understand where to mention my ESXi list in your script.
rachappachalmi
Enthusiast

Hi Luc,

Yes, if it takes them from a file that is fine, or if we need to mention them in the script that is also fine, but I need to do it for multiple hosts.
Loagu
Contributor

Hi LucD,

Can the script connect to the vCenter, get all ESXi hosts and apply these settings?
LucD
Leadership

You can do this in a loop.
This assumes you have already connected to the VCSA and that the credentials for all ESXi nodes are the same.

# Commands run on each ESXi host; the status lines echo the result back
$cmdSub = @'
/etc/init.d/slpd stop;
/etc/init.d/slpd status;
esxcli network firewall ruleset set -r CIMSLP -e 0;
chkconfig slpd off;
chkconfig --list | grep slpd;
'@

# Placeholder password; prefer Get-Credential so the password is not stored in the script
$secPswd = ConvertTo-SecureString 'Welcome2019!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('root', $secPswd)

Get-VMHost -PipelineVariable esx |
    ForEach-Object -Process {
        # Enable SSH on this host only while the commands run
        Get-VMHostService -VMHost $esx | where { $_.Key -eq 'TSM-SSH' } | Start-VMHostService -Confirm:$false | Out-Null

        # -AcceptKey trusts the host key presented on first connection
        $session = New-SSHSession -ComputerName $esx.Name -Credential $cred -AcceptKey
        Invoke-SSHCommand -SSHSession $session -Command $cmdSub | select -ExpandProperty Output
        Remove-SSHSession -SSHSession $session | Out-Null

        Get-VMHostService -VMHost $esx | where { $_.Key -eq 'TSM-SSH' } | Stop-VMHostService -Confirm:$false | Out-Null
    }

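The same loop driven from a host list file, as an added example that is not LucD's script and not from the thread: the root password is prompted for rather than stored in the script, SSH is only enabled on hosts where it was off and is put back that way afterwards (including when the connection fails), and the command output is checked for the expected state so the run produces a per-host report rather than a scrolling wall of text. The file path, the host names and the exact wording of the /etc/init.d/slpd status line are assumptions; Posh-SSH must be installed and a Connect-VIServer session must be open. For standalone hosts that are not in a vCenter, connect to each host directly with Connect-VIServer (same root credential) and the loop applies unchanged.

```powershell
# Added example, not from the thread. Assumes Posh-SSH, an open Connect-VIServer session,
# and a host list file with one ESXi name per line (path and names are placeholders).
Import-Module Posh-SSH

$hostFile = 'C:\Temp\esxi-hosts.txt'
# Prompt once instead of keeping the root password in the script
$cred = Get-Credential -UserName 'root' -Message 'ESXi root password'

# Apply the workaround, then echo the resulting state so it can be checked from the output
# (the wording of the slpd status line is an assumption; adjust the match below if it differs)
$cmdSub = @'
/etc/init.d/slpd stop
esxcli network firewall ruleset set -r CIMSLP -e 0
chkconfig slpd off
echo "SLPD_STATUS=$(/etc/init.d/slpd status)"
echo "CIMSLP=$(esxcli network firewall ruleset list -r CIMSLP | tail -n 1)"
echo "CHKCONFIG=$(chkconfig --list | grep slpd)"
'@

$report = foreach ($name in (Get-Content -Path $hostFile | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
    $esx = Get-VMHost -Name $name -ErrorAction SilentlyContinue
    if (-not $esx) {
        [pscustomobject]@{ VMHost = $name; Result = 'not found'; Output = '' }
        continue
    }

    $sshSvc        = Get-VMHostService -VMHost $esx | Where-Object { $_.Key -eq 'TSM-SSH' }
    $sshWasRunning = $sshSvc.Running
    $session       = $null
    try {
        # Only enable SSH where it was off, so it can be put back that way afterwards
        if (-not $sshWasRunning) { $sshSvc | Start-VMHostService -Confirm:$false | Out-Null }

        # -AcceptKey trusts whatever host key is presented on first contact (trust on first use)
        $session = New-SSHSession -ComputerName $esx.Name -Credential $cred -AcceptKey -ErrorAction Stop
        $out = (Invoke-SSHCommand -SSHSession $session -Command $cmdSub).Output

        # Expected state: slpd reported as not running, chkconfig shows it off, ruleset false
        $slpdOff    = @($out | Where-Object { $_ -match '^SLPD_STATUS=.*not running' }).Count -gt 0
        $bootOff    = @($out | Where-Object { $_ -match '^CHKCONFIG=.*\boff\b' }).Count -gt 0
        $rulesetOff = @($out | Where-Object { $_ -match '^CIMSLP=.*false' }).Count -gt 0
        [pscustomobject]@{
            VMHost = $esx.Name
            Result = $(if ($slpdOff -and $bootOff -and $rulesetOff) { 'applied' } else { 'verify manually' })
            Output = ($out -join "`n")
        }
    }
    catch {
        [pscustomobject]@{ VMHost = $esx.Name; Result = "error: $($_.Exception.Message)"; Output = '' }
    }
    finally {
        if ($session) { Remove-SSHSession -SSHSession $session | Out-Null }
        if (-not $sshWasRunning) {
            Get-VMHostService -VMHost $esx | Where-Object { $_.Key -eq 'TSM-SSH' } |
                Stop-VMHostService -Confirm:$false | Out-Null
        }
    }
}

$report | Format-Table -AutoSize
```

Hosts reported as 'verify manually' or 'error' are the ones to look at by hand; the Output column keeps the raw status lines so a mismatch in the expected wording is visible rather than silently counted as a failure.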

rachappachalmi
Enthusiast

Hi Luc, it's working for me, thanks a lot for all your help as always 🙂
LexCosta
Contributor

Hi,

By setting the policy to off, the slpd service will not start after the ESXi host reboots, exactly the same way that the SSH service doesn't start after the ESXi host reboots if its policy is set to off as well.
Loagu
Contributor

Hi LucD,

I am getting the errors below, can you suggest something?

New-SSHSession : Could not load file or assembly 'Renci.SshNet, Version=2016.1.0.0, Culture=neutral, PublicKeyToken=1cee9f8bde3db106' or one of its dependencies. The system cannot
find the file specified.
At line:16 char:20
+ ... $session = New-SSHSession -ComputerName $esx.Name -Credential $cred ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-SSHSession], FileNotFoundException
+ FullyQualifiedErrorId : System.IO.FileNotFoundException,SSH.NewSshSession

Invoke-SSHCommand : Cannot bind argument to parameter 'SSHSession' because it is null.
At line:17 char:39
+ Invoke-SSHCommand -SSHSession $session -Command $cmdSub | sel ...
+ ~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Invoke-SSHCommand], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Invoke-SSHCommand
