Hi!
I wonder if anyone has already written a script to implement the workaround for the OpenSLP security vulnerability in ESXi 6.x (CVE-2019-5544) / VMSA-2019-0022?
One to apply:
VMware Knowledge Base ?
I have asked VMware support the same question but have not got any useful answer yet.
That seems to be a known issue with Posh-SSH on Windows 2019.
You could try the bypass described there
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hi LucD
Can you please help on this, where do I need to bypass this?
The above PowerCLI example works well with persistently disabling the service.
$slpd | set-VMHostService -Policy Off -Confirm:$false
(which is the same as setting the service to manual in the vSphere client)
results in the service being disabled. If you check on the CLI with chkconfig after executing the script, you can see that the service has been changed to "off".
From my point of view, this is a much better solution than enabling ssh and executing remote commands. Or do you see any other disadvantage?
Thanks!
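A PowerCLI-only version of the approach described in this post, added here as an example (it is not code from the thread, from LucD, or from VMware's KB): it stops slpd, sets its startup policy to Off with Set-VMHostService so the change survives reboots, and disables the CIMSLP firewall ruleset through Get-EsxCli -V2, so no SSH session has to be opened and TSM-SSH never needs to be started. The cluster name is a placeholder and an existing Connect-VIServer session is assumed; the esxcli argument names (rulesetid, enabled) are the ones the V2 interface exposes for "network firewall ruleset set".

```powershell
# Added example: pure PowerCLI mitigation for the OpenSLP issue, no SSH needed.
# Assumes an existing Connect-VIServer session; 'MyCluster' is a placeholder name.
$clusterName = 'MyCluster'

Get-Cluster -Name $clusterName | Get-VMHost -PipelineVariable esx |
ForEach-Object -Process {
    # 1. Stop slpd now and set its startup policy to Off (persistent across reboots).
    $slpd = Get-VMHostService -VMHost $esx | Where-Object { $_.Key -eq 'slpd' }
    if ($slpd.Running) {
        Stop-VMHostService -HostService $slpd -Confirm:$false | Out-Null
    }
    Set-VMHostService -HostService $slpd -Policy Off | Out-Null

    # 2. Disable the CIMSLP firewall ruleset through the esxcli V2 interface.
    #    ($args is an automatic variable in PowerShell, so a different name is used.)
    $esxcli  = Get-EsxCli -VMHost $esx -V2
    $setArgs = $esxcli.network.firewall.ruleset.set.CreateArgs()
    $setArgs.rulesetid = 'CIMSLP'
    $setArgs.enabled   = $false
    $esxcli.network.firewall.ruleset.set.Invoke($setArgs) | Out-Null

    # 3. Re-read the state so the report shows what the host actually reports,
    #    not what we intended to set.
    $slpd = Get-VMHostService -VMHost $esx | Where-Object { $_.Key -eq 'slpd' }
    $rule = $esxcli.network.firewall.ruleset.list.Invoke(@{ rulesetid = 'CIMSLP' })
    [PSCustomObject]@{
        VMHost        = $esx.Name
        SlpdRunning   = $slpd.Running
        SlpdPolicy    = $slpd.Policy
        CIMSLPEnabled = $rule.Enabled
    }
}
```

Because every host emits one object, the output can be piped to Export-Csv as a record of which hosts were changed, and rerunning the script is harmless: a host that already has slpd stopped, policy Off and the ruleset disabled reports the same values again.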
Since you work for VMware I assume you know best.
Perhaps ask internally to update KB76372?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
I am getting the below error while executing the script; I copied the script as it is.
At C:\Users\mishrad\Desktop\slpdtest.ps1:16 char:79
+ ... New-SSHSession -ComputerName $esx.Name -Credential $cred â?"AcceptKey
+ ~~~~~~~~~~
The string is missing the terminator: ".
At C:\Users\mishrad\Desktop\slpdtest.ps1:13 char:29
+ ForEach-Object -Process {
+ ~
Missing closing '}' in statement block or type definition.
+ CategoryInfo : ParserError: (:) [], ParseException
+ FullyQualifiedErrorId : TerminatorExpectedAtEndOfString
Looks like something went wrong during your copy-paste.
That funny character in front of AcceptKey should be a dash (-)
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Thanks Lucd for quick reply.
It is only a dash character in front of AcceptKey, please find my complete script below
$cmdsub = @'
/etc/init.d/slpd stop;
/etc/init.d/slpd status;
esxcli network firewall ruleset set -r CIMSLP -e 0;
chkconfig slpd off;
chkconfig --list | grep slpd;
'@
$secPswd = ConvertTo-SecureString 'xxxxxxx' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('root', $secPswd)
$esx = Get-Cluster xxxx | Get-VMHost
$esx |
ForEach-Object -Process{
Get-VMHostService -VMHost $esx | where { $_.Key -eq 'TSM-SSH' } | Start-VMHostService -Confirm:$false | Out-Null
$session = New-SSHSession -ComputerName $esx.Name -Credential $cred –AcceptKey
Invoke-SSHCommand -SSHSession $session -Command $cmdSub | select -ExpandProperty Output
Remove-SSHSession -SSHSession $session | Out-Null
Get-VMHostService -VMHost $esx | where { $_.Key -eq 'TSM-SSH' } | Stop-VMHostService -Confirm:$false | Out-Null
}
The errors are clear, one of the strings is missing a quote, and there is a closing curly brace missing.
Also, your code is not exactly a copy of earlier code.
If you want to limit to a specific cluster, you could do
$cmdsub = @'
/etc/init.d/slpd stop;
/etc/init.d/slpd status;
esxcli network firewall ruleset set -r CIMSLP -e 0;
chkconfig slpd off;
chkconfig --list | grep slpd;
'@
$secPswd = ConvertTo-SecureString 'Welcome2019!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('root', $secPswd)
Get-Cluster | Get-VMHost -PipelineVariable esx |
ForEach-Object -Process {
Get-VMHostService -VMHost $esx | where { $_.Key -eq 'TSM-SSH' } | Start-VMHostService -Confirm:$false | Out-Null
$session = New-SSHSession -ComputerName $esx.Name -Credential $cred -AcceptKey
Invoke-SSHCommand -SSHSession $session -Command $cmdSub | select -ExpandProperty Output
Remove-SSHSession -SSHSession $session | Out-Null
Get-VMHostService -VMHost $esx | where { $_.Key -eq 'TSM-SSH' } | Stop-VMHostService -Confirm:$false | Out-Null
}
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Thanks Lucd.
I copied exactly what you gave, but I still get the same error.
At C:\Users\mishrad\Desktop\slpdtest.ps1:16 char:90
+ ... w-SSHSession -ComputerName $esx.Name -Credential $cred –"AcceptKey"
+ ~
The string is missing the terminator: ".
At C:\Users\mishrad\Desktop\slpdtest.ps1:13 char:29
+ ForEach-Object -Process {
+ ~
Missing closing '}' in statement block or type definition.
+ CategoryInfo : ParserError: (:) [], ParseException
+ FullyQualifiedErrorId : TerminatorExpectedAtEndOfString
Can you attach your script as a file?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Thanks Lucd for quick response.
I think Notepad++ was causing some parameter differences. I copied it into Notepad and now the script runs, but I am getting a different error now, please see below. I also attached the script file.
New-SSHSession : A positional parameter cannot be found that accepts argument '–AcceptKey'.
At C:\Users\mishrad\Desktop\slpdtest1.ps1:16 char:20
+ ... $session = New-SSHSession -ComputerName $esx.Name -Credential $cred ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [New-SSHSession], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,SSH.NewSshSession
Invoke-SSHCommand : Cannot bind argument to parameter 'SSHSession' because it is null.
At C:\Users\mishrad\Desktop\slpdtest1.ps1:17 char:39
+ Invoke-SSHCommand -SSHSession $session -Command $cmdSub | sel ...
+ ~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Invoke-SSHCommand], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Invoke-SSHCommand
New-SSHSession : A positional parameter cannot be found that accepts argument '–AcceptKey'.
At C:\Users\mishrad\Desktop\slpdtest1.ps1:16 char:20
+ ... $session = New-SSHSession -ComputerName $esx.Name -Credential $cred ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [New-SSHSession], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,SSH.NewSshSession
Invoke-SSHCommand : Cannot bind argument to parameter 'SSHSession' because it is null.
At C:\Users\mishrad\Desktop\slpdtest1.ps1:17 char:39
+ Invoke-SSHCommand -SSHSession $session -Command $cmdSub | sel ...
+ ~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Invoke-SSHCommand], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Invoke-SSHCommand
Get-VMHostService : 3/11/2021 5:38:04 AM Get-VMHostService Object reference not set to an instance of an objec
At C:\Users\mishrad\Desktop\slpdtest1.ps1:14 char:9
+ Get-VMHostService -VMHost $esx | where { $_.Key -eq 'TSM-SSH' ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-VMHostService], VimException
+ FullyQualifiedErrorId : Core_BaseCmdlet_UnknownError,VMware.VimAutomation.ViCore.Cmdlets.Commands.Host.GetVMHostService
New-SSHSession : A positional parameter cannot be found that accepts argument '–AcceptKey'.
At C:\Users\mishrad\Desktop\slpdtest1.ps1:16 char:20
+ ... $session = New-SSHSession -ComputerName $esx.Name -Credential $cred ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [New-SSHSession], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,SSH.NewSshSession
Invoke-SSHCommand : Cannot bind argument to parameter 'SSHSession' because it is null.
At C:\Users\mishrad\Desktop\slpdtest1.ps1:17 char:39
+ Invoke-SSHCommand -SSHSession $session -Command $cmdSub | sel ...
+ ~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Invoke-SSHCommand], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Invoke-SSHCommand
Get-VMHostService : 3/11/2021 5:38:04 AM Get-VMHostService Object reference not set to an instance of an objec
At C:\Users\mishrad\Desktop\slpdtest1.ps1:20 char:9
+ Get-VMHostService -VMHost $esx | where { $_.Key -eq 'TSM-SSH' ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-VMHostService], VimException
+ FullyQualifiedErrorId : Core_BaseCmdlet_UnknownError,VMware.VimAutomation.ViCore.Cmdlets.Commands.Host.GetVMHostService
New-SSHSession : A positional parameter cannot be found that accepts argument '–AcceptKey'.
At C:\Users\mishrad\Desktop\slpdtest1.ps1:16 char:20
+ ... $session = New-SSHSession -ComputerName $esx.Name -Credential $cred ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [New-SSHSession], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,SSH.NewSshSession
Invoke-SSHCommand : Cannot bind argument to parameter 'SSHSession' because it is null.
At C:\Users\mishrad\Desktop\slpdtest1.ps1:17 char:39
+ Invoke-SSHCommand -SSHSession $session -Command $cmdSub | sel ...
+ ~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Invoke-SSHCommand], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Invoke-SSHCommand
Looks like some lines got split.
Attached my original version
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Thanks a ton Lucd, it helped !!!
I am getting an error for some of the hosts but don't know which host is having that error. Is there any way to get the host name in the output, so that we can know where it executed successfully?
You could add a Write-Host in the loop.
ForEach-Object -Process {
    Write-Host "Looking at $($esx.Name)"
    # ... rest of the loop body unchanged ...
}
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
LucD,
Script is working for 6.x ESXi hosts, but not for 7.x. It throws an error at the below line -
$session = New-SSHSession -ComputerName $esx.Name -Credential $cred -AcceptKey
New-SSHSession : An established connection was aborted by the server.
At C:\Scripts\SLPD\slpd.ps1:12 char:12
+ $session = New-SSHSession -ComputerName $esx.Name -Credential $cred – ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : SecurityError: (Renci.SshNet.SshClient:SshClient) [New-SSHSession], SshConnectionException
Looks like the ESXi refuses the SSH connection.
That could be that the service is not running or that there are FW rules that prohibit it.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
SSH service is getting started. There is no issue with that. However, the same script is working on ESXi host 6.5 -
$esxName = 'MyEsx'
$esx = Get-VMHost -Name $esxName
$cmdsub = @'
/etc/init.d/slpd stop;
/etc/init.d/slpd status;
esxcli network firewall ruleset set -r CIMSLP -e 0;
chkconfig slpd off;
chkconfig --list | grep slpd;
'@
$cred = get-credential
Get-VMHostService -VMHost $esx | where{$_.Key -eq 'TSM-SSH'} | Start-VMHostService -Confirm:$false | Out-Null
$session = New-SSHSession -ComputerName $esx.Name -Credential $cred -AcceptKey
Invoke-SSHCommand -SSHSession $session -Command $cmdSub | Select -ExpandProperty Output
Remove-SSHSession -SSHSession $session | Out-Null
Get-VMHostService -VMHost $esx | where{$_.Key -eq 'TSM-SSH'} | Stop-VMHostService -Confirm:$false | Out-Null
Did you check the Lockdown Mode under Security Profile for those ESXi 7 nodes?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hi Lucd,
Can you please make the same script work for multiple ESXi servers having different credentials? We could also import the ESXi server details and their credentials from a CSV/txt file.
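The three open points in this thread (naming the host in the output, skipping hosts that refuse SSH because of lockdown mode, and using a different credential per host from a CSV) can be handled in one loop. The following is an added example, not code from the thread or from LucD: it wraps the Posh-SSH approach used above in a try/catch/finally per host and emits one result object per host, so a failure is always tied to a host name. The CSV layout, the file paths and the host names are constructed placeholders; the credential files are assumed to have been created once per host with Get-Credential | Export-Clixml, which stores the password DPAPI-protected for the user and machine that created it instead of in clear text in the CSV. The lockdown check reads the HostSystem's Config.LockdownMode property; hosts not in lockdownDisabled are reported rather than attempted.

```powershell
# Added example: slpd workaround over hosts listed in a CSV, each with its own credential,
# with a per-host success/failure record. Assumes an existing Connect-VIServer session
# and the Posh-SSH module.
#
# hosts.csv (constructed sample; path and names are placeholders):
#   Name,CredFile
#   esx01.lab.local,C:\creds\esx01.xml
#   esx02.lab.local,C:\creds\esx02.xml
# Each CredFile was created once with:  Get-Credential | Export-Clixml C:\creds\esx01.xml

$cmdSub = @'
/etc/init.d/slpd stop;
esxcli network firewall ruleset set -r CIMSLP -e 0;
chkconfig slpd off;
chkconfig --list | grep slpd;
'@

$report = Import-Csv -Path 'C:\creds\hosts.csv' | ForEach-Object -Process {
    $row    = $_
    $result = [PSCustomObject]@{ VMHost = $row.Name; Succeeded = $false; Output = ''; Error = '' }
    $session    = $null
    $esx        = $null
    $startedSsh = $false
    try {
        $cred = Import-Clixml -Path $row.CredFile          # per-host PSCredential
        $esx  = Get-VMHost -Name $row.Name -ErrorAction Stop

        # A host in lockdown mode refuses root SSH logins; report it instead of
        # producing the "connection aborted by the server" error later.
        $lockdown = $esx.ExtensionData.Config.LockdownMode
        if ($lockdown -ne 'lockdownDisabled') {
            throw "Host is in lockdown mode ($lockdown); skipped"
        }

        # Start TSM-SSH only if it is not already running, and remember that we did.
        $sshSvc = Get-VMHostService -VMHost $esx | Where-Object { $_.Key -eq 'TSM-SSH' }
        if (-not $sshSvc.Running) {
            Start-VMHostService -HostService $sshSvc -Confirm:$false | Out-Null
            $startedSsh = $true
        }

        $session   = New-SSHSession -ComputerName $esx.Name -Credential $cred -AcceptKey -ErrorAction Stop
        $cmdResult = Invoke-SSHCommand -SSHSession $session -Command $cmdSub
        $result.Output    = ($cmdResult.Output -join "`n")
        $result.Succeeded = ($cmdResult.ExitStatus -eq 0)
    }
    catch {
        $result.Error = $_.Exception.Message
    }
    finally {
        if ($session) { Remove-SSHSession -SSHSession $session | Out-Null }
        # Leave SSH in the state we found it: stop it only if this run started it.
        if ($startedSsh) {
            Get-VMHostService -VMHost $esx | Where-Object { $_.Key -eq 'TSM-SSH' } |
                Stop-VMHostService -Confirm:$false | Out-Null
        }
    }
    $result
}

# Summary first, then the hosts that need attention.
$report | Select-Object VMHost, Succeeded, Error | Format-Table -AutoSize
$report | Where-Object { -not $_.Succeeded } | ForEach-Object { "$($_.VMHost): $($_.Error)" }
```

Keeping the result objects in $report rather than writing to the console inside the loop means the run can be exported with Export-Csv and rerun only for the hosts where Succeeded is $false, and the finally block guarantees TSM-SSH is stopped again on hosts where the script started it, even when New-SSHSession or Invoke-SSHCommand throws.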