Hi!
I wonder if anyone has already written a script to implement the workaround for the OpenSLP security vulnerability in ESXi 6.x (CVE-2019-5544) / VMSA-2019-0022?
One to apply: VMware Knowledge Base
I have asked VMware support the same question but have not got any useful answer yet.
Moderator: Moved to PowerCLI
If you are allowed to enable SSH briefly, and if you have installed/can install the Posh-SSH module, you could do
# $esxName holds the name of the ESXi host to remediate
$esx = Get-VMHost -Name $esxName
# Commands run on the ESXi node: stop slpd, block the CIMSLP firewall ruleset,
# disable slpd at boot and show the resulting chkconfig state
$cmdSub = @'
/etc/init.d/slpd stop;
/etc/init.d/slpd status;
esxcli network firewall ruleset set -r CIMSLP -e 0;
chkconfig slpd off;
chkconfig --list | grep slpd;
'@
# Root credential for the ESXi node (replace the sample password)
$secPswd = ConvertTo-SecureString 'Welcome2019!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('root', $secPswd)
# Start SSH (TSM-SSH) on the host, run the commands, then stop SSH again
Get-VMHostService -VMHost $esx | where{$_.Key -eq 'TSM-SSH'} | Start-VMHostService -Confirm:$false | Out-Null
$session = New-SSHSession -ComputerName $esx.Name -Credential $cred -AcceptKey
Invoke-SSHCommand -SSHSession $session -Command $cmdSub | Select -ExpandProperty Output
Remove-SSHSession -SSHSession $session | Out-Null
Get-VMHostService -VMHost $esx | where{$_.Key -eq 'TSM-SSH'} | Stop-VMHostService -Confirm:$false | Out-Null
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Thanks, this script worked as advertised.
Ansible playbook to apply Workaround for OpenSLP security vulnerability in ESXi 6.x
https://gist.github.com/szemmali/6b2c257f8567cda1dbb92b8e92f3e06c
Hi Luc,
Thanks for the above script, but can we do the same at the vCenter level, which doesn't ask for the ESXi root password, as we have different root passwords for all the ESXi hosts on which to perform these CIMSLP actions?
Not really, the commands need to be run on the ESXi node.
Except for the esxcli command, there is no alternative for these commands on the vCenter level.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
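As an added example (not Luc's code and not from the thread): the two pieces of the workaround that are reachable from a vCenter session without SSH are the slpd service state (Get-VMHostService) and the CIMSLP firewall ruleset (Get-EsxCli -V2). This script audits both for every host in the connected vCenter and, on request, disables the ruleset through esxcli. It assumes an existing Connect-VIServer session to the vCenter; the function names are my own.

```powershell
# Added example: audit the CVE-2019-5544 workaround state from vCenter, no SSH needed.
# Assumes an active Connect-VIServer session to the vCenter (VCSA).

function Get-SlpWorkaroundState {
    param([Parameter(Mandatory)]$VMHost)

    # slpd service as exposed through the host service manager: Running and Policy
    $slpd = Get-VMHostService -VMHost $VMHost | Where-Object { $_.Key -eq 'slpd' }

    # CIMSLP firewall ruleset through the esxcli V2 interface
    $esxcli  = Get-EsxCli -VMHost $VMHost -V2
    $ruleset = $esxcli.network.firewall.ruleset.list.Invoke() |
        Where-Object { $_.Name -eq 'CIMSLP' }

    [PSCustomObject]@{
        VMHost            = $VMHost.Name
        SlpdRunning       = [bool]$slpd.Running
        SlpdPolicy        = $slpd.Policy          # 'on', 'off' or 'automatic'
        CimSlpRuleset     = $ruleset.Enabled      # esxcli returns the string 'true'/'false'
        WorkaroundApplied = (-not $slpd.Running) -and
                            ($slpd.Policy -eq 'off') -and
                            ($ruleset.Enabled -eq 'false')
    }
}

function Disable-CimSlpRuleset {
    # Same effect as "esxcli network firewall ruleset set -r CIMSLP -e 0", run via vCenter
    param([Parameter(Mandatory)]$VMHost)
    $esxcli  = Get-EsxCli -VMHost $VMHost -V2
    $setArgs = $esxcli.network.firewall.ruleset.set.CreateArgs()
    $setArgs.rulesetid = 'CIMSLP'
    $setArgs.enabled   = $false
    $esxcli.network.firewall.ruleset.set.Invoke($setArgs) | Out-Null
}

# Report every host where the workaround is not fully in place
$pending = Get-VMHost | ForEach-Object { Get-SlpWorkaroundState -VMHost $_ } |
    Where-Object { -not $_.WorkaroundApplied }
$pending | Format-Table -AutoSize

# Optional: close the firewall ruleset on those hosts from vCenter, then re-check
# $pending | ForEach-Object { Disable-CimSlpRuleset -VMHost (Get-VMHost -Name $_.VMHost) }
```

The audit is the part worth running everywhere first: it lists the hosts that still have slpd running, a startup policy other than Off, or the CIMSLP ruleset enabled, so the SSH-based script only needs to be pointed at those. Stopping slpd itself and the chkconfig step still have to run on the ESXi node, as Luc says.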
Hi Luc,
Oh ok, got it,
Actually we have around 2157 ESXi hosts and the majority of them have the same root password, hence I was looking for an option to apply this script once for all of them.
Hi Luc,
Will you be able to help me use this script for multiple hosts, please?
Regards
Rachappa
Where and how do you provide the names of those ESXi nodes?
In a file?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hello,
Can't this be set using:
# xpto is a placeholder for the ESXi host name
$ESXi = Get-VMHost xpto
$slpd = $ESXi | Get-VMHostService | Where {$_.Key -eq "slpd"}
# Startup policy: keep slpd from starting at boot
if(($slpd.Policy -eq "on") -or ($slpd.Policy -eq "automatic"))
{
$slpd | Set-VMHostService -Policy Off -Confirm:$false
}
# Stop the service if it is currently running
if ($slpd.Running)
{
$slpd | Stop-VMHostService -Confirm:$false
}
Thank you
I don't think that this will make the change persistent across reboots of the ESXi node.
That's what the chkconfig command is doing.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hi Luc,
I have two requests for you.
1 - I am trying to use multiple hosts like below in your above script, but it's not working
$esxName = @("myesxi1","myesxi2")
$esx = Get-VMHost -Name $esxName
$cmdsub = @'
/etc/init.d/slpd stop;
/etc/init.d/slpd status;
esxcli network firewall ruleset set -r CIMSLP -e 0;
chkconfig slpd off;
chkconfig --list | grep slpd;
'@
$secPswd = ConvertTo-SecureString 'ESXI510U2' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('root', $secPswd)
Get-VMHostService -VMHost $esx | where{$_.Key -eq 'TSM-SSH'} | Start-VMHostService -Confirm:$false | Out-Null
$session = New-SSHSession -ComputerName $esx.Name -Credential $cred -AcceptKey
Invoke-SSHCommand -SSHSession $session -Command $cmdSub | Select -ExpandProperty Output
Remove-SSHSession -SSHSession $session | Out-Null
Get-VMHostService -VMHost $esx | where{$_.Key -eq 'TSM-SSH'} | Stop-VMHostService -Confirm:$false | Out-Null
2 - We have around 178 standalone ESXi hosts and your original script is not working for them either; can you help with this as well? (Again, the password is the same for all.)
Hi Luc,
Sorry, I am weak in scripting and I did not understand where to mention my ESXi list in your script.
Hi Luc,
Yes, if it takes them from a file that is fine, or if we need to mention them in the script that is also fine, but we need to do it for multiple hosts.
Hi LucD,
Can the script connect to the vCenter, get all ESXi hosts and apply these settings?
You can do this in a loop.
This assumes you have already connected to the VCSA and that the credentials for all ESXi nodes are the same.
# Commands run on each ESXi node
$cmdSub = @'
/etc/init.d/slpd stop;
/etc/init.d/slpd status;
esxcli network firewall ruleset set -r CIMSLP -e 0;
chkconfig slpd off;
chkconfig --list | grep slpd;
'@
# Shared root credential for all ESXi nodes (replace the sample password)
$secPswd = ConvertTo-SecureString 'Welcome2019!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('root', $secPswd)
# Loop over every host in the connected vCenter
Get-VMHost -PipelineVariable esx |
ForEach-Object -Process {
    # Start SSH, run the commands, close the session, stop SSH again
    Get-VMHostService -VMHost $esx | where { $_.Key -eq 'TSM-SSH' } | Start-VMHostService -Confirm:$false | Out-Null
    $session = New-SSHSession -ComputerName $esx.Name -Credential $cred -AcceptKey
    Invoke-SSHCommand -SSHSession $session -Command $cmdSub | select -ExpandProperty Output
    Remove-SSHSession -SSHSession $session | Out-Null
    Get-VMHostService -VMHost $esx | where { $_.Key -eq 'TSM-SSH' } | Stop-VMHostService -Confirm:$false | Out-Null
}
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
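The earlier question about supplying the host names in a file, and the follow-up about hosts where the run fails, are covered by this added example (my code, not Luc's or from the thread). It reads one host name per line from a file, prompts once for the root credential instead of embedding the password, wraps each host in try/catch/finally so the SSH service is returned to its previous state even when a step fails, and checks the chkconfig output before reporting a host as done. It assumes Posh-SSH is installed, an active Connect-VIServer session exists, all listed hosts share the root password, and the input file path C:\temp\esxhosts.txt (a placeholder).

```powershell
# Added example: apply the workaround to the hosts listed in a text file, with
# per-host error handling and verification. Not the thread's own script.
# Assumes: Posh-SSH module, an active Connect-VIServer session, same root
# password on all listed hosts, and a (placeholder) host list file.

$hostFile = 'C:\temp\esxhosts.txt'   # placeholder path, one ESXi name per line
$cred = Get-Credential -UserName 'root' -Message 'ESXi root credential'

$cmdSub = @'
/etc/init.d/slpd stop;
esxcli network firewall ruleset set -r CIMSLP -e 0;
chkconfig slpd off;
chkconfig --list | grep slpd;
'@

$report = foreach ($name in (Get-Content -Path $hostFile | Where-Object { $_.Trim() })) {
    $result = [ordered]@{ VMHost = $name.Trim(); Status = ''; Detail = '' }
    $session = $null
    $sshSvc = $null
    $sshWasRunning = $true   # default: never stop SSH unless we started it
    try {
        $esx = Get-VMHost -Name $result.VMHost -ErrorAction Stop
        $sshSvc = Get-VMHostService -VMHost $esx | Where-Object { $_.Key -eq 'TSM-SSH' }
        $sshWasRunning = [bool]$sshSvc.Running
        if (-not $sshWasRunning) {
            $sshSvc | Start-VMHostService -Confirm:$false | Out-Null
        }

        $session = New-SSHSession -ComputerName $esx.Name -Credential $cred -AcceptKey -ErrorAction Stop
        $output = (Invoke-SSHCommand -SSHSession $session -Command $cmdSub).Output

        # "chkconfig --list | grep slpd" prints "slpd   off" once the boot start is disabled
        if ($output -match '^\s*slpd\s+off') {
            $result.Status = 'Applied'
        } else {
            $result.Status = 'Verify'   # commands ran but chkconfig did not confirm
        }
        $result.Detail = ($output -join ' ')
    }
    catch {
        # Host not found, SSH failure, Posh-SSH load error, etc.
        $result.Status = 'Failed'
        $result.Detail = $_.Exception.Message
    }
    finally {
        if ($session) { Remove-SSHSession -SSHSession $session | Out-Null }
        # Leave SSH in the state we found it
        if ($sshSvc -and -not $sshWasRunning) {
            $sshSvc | Stop-VMHostService -Confirm:$false | Out-Null
        }
    }
    [PSCustomObject]$result
}

$report | Format-Table -AutoSize
```

Hosts marked Failed or Verify are the ones to revisit; with more than two thousand hosts, the report is what you keep, not the scrolling command output. For standalone hosts that are not in the vCenter inventory, Connect-VIServer to the host itself with the same credential first, so that Get-VMHost and Get-VMHostService can find it.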
Hi Luc, it's working for me, thanks a lot for all your help as always 🙂
Hi,
By setting the policy to Off, the slpd service will not start after the ESXi reboots, exactly the same way that the SSH service doesn't start after the ESXi reboots if the policy is set to Off on that service as well.
Hi LucD,
I am getting the errors below; can you suggest something for this?
New-SSHSession : Could not load file or assembly 'Renci.SshNet, Version=2016.1.0.0, Culture=neutral, PublicKeyToken=1cee9f8bde3db106' or one of its dependencies. The system cannot
find the file specified.
At line:16 char:20
+ ... $session = New-SSHSession -ComputerName $esx.Name -Credential $cred ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-SSHSession], FileNotFoundException
+ FullyQualifiedErrorId : System.IO.FileNotFoundException,SSH.NewSshSession
Invoke-SSHCommand : Cannot bind argument to parameter 'SSHSession' because it is null.
At line:17 char:39
+ Invoke-SSHCommand -SSHSession $session -Command $cmdSub | sel ...
+ ~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Invoke-SSHCommand], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Invoke-SSHCommand