VMware Cloud Community
Jakub__D
Contributor

PowerCLI - Workaround for OpenSLP security vulnerability in ESXi 6.x (CVE-2019-5544) / VMSA-2019-0022

Hi!

I wonder if anyone has already written a script to implement the workaround for the OpenSLP security vulnerability in ESXi 6.x (CVE-2019-5544) / VMSA-2019-0022?
One to apply:
VMware Knowledge Base ?

I have asked VMware support the same question but have not got any useful answer yet.

48 Replies
LucD
Leadership

That seems to be a known issue with Posh-SSH on Windows 2019.
You could try the bypass described there


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
Loagu
Contributor

Hi LucD,

Can you please help on this, where we need to bypass this?

0 Kudos
mrottlander
VMware Employee

The above PowerCLI example works well with persistently disabling the service.

$slpd | set-VMHostService -Policy Off -Confirm:$false

(which is the same as setting the service to manual in the vSphere client)

results in the service being disabled. If you check on the CLI with chkconfig after executing the script, you can see that the service has been changed to "off".

From my point of view, this is a much better solution than enabling SSH and executing remote commands. Or do you see any other disadvantage?

Thanks!

0 Kudos
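
The API-only approach described in the post above, written out as an added example (not code from this thread or from VMware): it stops slpd, sets its policy to Off, closes the CIMSLP firewall ruleset, then re-reads the state and returns one row per host. It assumes an active Connect-VIServer session; the function name Disable-SlpdService, the cluster name 'MyCluster', the 'slpd' service key and matching the ruleset through ExtensionData.Key are assumptions.

```powershell
# Added example, not from the thread. Requires an active Connect-VIServer session.
function Disable-SlpdService {              # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)] $VMHost)
    process {
        $row = [ordered]@{
            Host = $VMHost.Name; SlpdRunning = $null; SlpdPolicy = $null
            CimSlpOpen = $null; Error = $null
        }
        try {
            # Assumption: the SLP daemon is exposed with service key 'slpd'
            $slpd = Get-VMHostService -VMHost $VMHost -ErrorAction Stop |
                Where-Object { $_.Key -eq 'slpd' }
            if (-not $slpd) { throw 'slpd service not found on this host' }

            if ($slpd.Running) {
                Stop-VMHostService -HostService $slpd -Confirm:$false -ErrorAction Stop | Out-Null
            }
            # Policy Off is what the post reports as showing "off" in chkconfig
            Set-VMHostService -HostService $slpd -Policy Off -Confirm:$false -ErrorAction Stop | Out-Null

            # API counterpart of: esxcli network firewall ruleset set -r CIMSLP -e 0
            # Assumption: ExtensionData.Key carries the ruleset id 'CIMSLP'
            Get-VMHostFirewallException -VMHost $VMHost -ErrorAction Stop |
                Where-Object { $_.ExtensionData.Key -eq 'CIMSLP' -and $_.Enabled } |
                Set-VMHostFirewallException -Enabled:$false -Confirm:$false -ErrorAction Stop | Out-Null

            # Re-read the state from the host instead of trusting the calls above
            $slpd = Get-VMHostService -VMHost $VMHost | Where-Object { $_.Key -eq 'slpd' }
            $fw = Get-VMHostFirewallException -VMHost $VMHost |
                Where-Object { $_.ExtensionData.Key -eq 'CIMSLP' }
            $row.SlpdRunning = $slpd.Running
            $row.SlpdPolicy  = $slpd.Policy
            $row.CimSlpOpen  = $fw.Enabled
        }
        catch {
            # Keep going; the failing host is identified by name in the output row
            $row.Error = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

# 'MyCluster' is a placeholder cluster name
Get-Cluster -Name 'MyCluster' | Get-VMHost | Disable-SlpdService | Format-Table -AutoSize
```

A host is done when its row shows SlpdRunning False, SlpdPolicy off and CimSlpOpen False; any row with a value in Error needs a manual look.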
LucD
Leadership

Since you work for VMware I assume you know best.
Perhaps ask internally to update KB76372?



0 Kudos
pkm2210
Contributor

I am getting the below error while executing the script; I copied the script as it is.

At C:\Users\mishrad\Desktop\slpdtest.ps1:16 char:79
+ ... New-SSHSession -ComputerName $esx.Name -Credential $cred â?"AcceptKey
+ ~~~~~~~~~~
The string is missing the terminator: ".
At C:\Users\mishrad\Desktop\slpdtest.ps1:13 char:29
+ ForEach-Object -Process {
+ ~
Missing closing '}' in statement block or type definition.
+ CategoryInfo : ParserError: (:) [], ParseException
+ FullyQualifiedErrorId : TerminatorExpectedAtEndOfString

0 Kudos
LucD
Leadership

Looks like something went wrong during your copy-paste.
That funny character in front of AcceptKey should be a dash (-)



0 Kudos
pkm2210
Contributor

Thanks LucD for the quick reply.

It is only a dash character in front of AcceptKey; please find my complete script below

$cmdsub = @'
/etc/init.d/slpd stop;
/etc/init.d/slpd status;
esxcli network firewall ruleset set -r CIMSLP -e 0;
chkconfig slpd off;
chkconfig --list | grep slpd;
'@

$secPswd = ConvertTo-SecureString 'xxxxxxx' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('root', $secPswd)
$esx = Get-Cluster xxxx | Get-VMHost

$esx |
ForEach-Object -Process{
Get-VMHostService -VMHost $esx | where { $_.Key -eq 'TSM-SSH' } | Start-VMHostService -Confirm:$false | Out-Null

$session = New-SSHSession -ComputerName $esx.Name -Credential $cred –AcceptKey
Invoke-SSHCommand -SSHSession $session -Command $cmdSub | select -ExpandProperty Output
Remove-SSHSession -SSHSession $session | Out-Null

Get-VMHostService -VMHost $esx | where { $_.Key -eq 'TSM-SSH' } | Stop-VMHostService -Confirm:$false | Out-Null
}

0 Kudos
LucD
Leadership

The errors are clear, one of the strings is missing a quote, and there is a closing curly brace missing.

Also, your code is not exactly a copy of earlier code.
If you want to limit to a specific cluster, you could do

# Commands run on each host over SSH: stop slpd, close the CIMSLP firewall ruleset, disable slpd at boot
$cmdsub = @'
/etc/init.d/slpd stop;
/etc/init.d/slpd status;
esxcli network firewall ruleset set -r CIMSLP -e 0;
chkconfig slpd off;
chkconfig --list | grep slpd;
'@

# Hard-coded sample password; Get-Credential avoids storing the root password in the script
$secPswd = ConvertTo-SecureString 'Welcome2019!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('root', $secPswd)

Get-Cluster | Get-VMHost -PipelineVariable esx |
    ForEach-Object -Process {
        # Start the SSH service only for the duration of the change
        Get-VMHostService -VMHost $esx | where { $_.Key -eq 'TSM-SSH' } | Start-VMHostService -Confirm:$false | Out-Null

        # -AcceptKey trusts whatever host key the server presents; the dash must be a plain ASCII hyphen
        $session = New-SSHSession -ComputerName $esx.Name -Credential $cred -AcceptKey
        Invoke-SSHCommand -SSHSession $session -Command $cmdSub | select -ExpandProperty Output
        Remove-SSHSession -SSHSession $session | Out-Null

        # Stop the SSH service again
        Get-VMHostService -VMHost $esx | where { $_.Key -eq 'TSM-SSH' } | Stop-VMHostService -Confirm:$false | Out-Null
    }

 



0 Kudos
pkm2210
Contributor

Thanks LucD.

I copied exactly what you gave, but still the same error.

At C:\Users\mishrad\Desktop\slpdtest.ps1:16 char:90
+ ... w-SSHSession -ComputerName $esx.Name -Credential $cred –"AcceptKey"
+ ~
The string is missing the terminator: ".
At C:\Users\mishrad\Desktop\slpdtest.ps1:13 char:29
+ ForEach-Object -Process {
+ ~
Missing closing '}' in statement block or type definition.
+ CategoryInfo : ParserError: (:) [], ParseException
+ FullyQualifiedErrorId : TerminatorExpectedAtEndOfString

0 Kudos
LucD
Leadership

Can you attach your script as a file?



0 Kudos
pkm2210
Contributor

Thanks LucD for the quick response.

I think Notepad++ was causing some parameter differences. I copied it into Notepad and now the script started running fine, but I am getting a different error now; please see below. I also attached the script file.

New-SSHSession : A positional parameter cannot be found that accepts argument '–AcceptKey'.
At C:\Users\mishrad\Desktop\slpdtest1.ps1:16 char:20
+ ... $session = New-SSHSession -ComputerName $esx.Name -Credential $cred ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [New-SSHSession], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,SSH.NewSshSession

Invoke-SSHCommand : Cannot bind argument to parameter 'SSHSession' because it is null.
At C:\Users\mishrad\Desktop\slpdtest1.ps1:17 char:39
+ Invoke-SSHCommand -SSHSession $session -Command $cmdSub | sel ...
+ ~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Invoke-SSHCommand], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Invoke-SSHCommand

Get-VMHostService : 3/11/2021 5:38:04 AM Get-VMHostService Object reference not set to an instance of an objec
At C:\Users\mishrad\Desktop\slpdtest1.ps1:14 char:9
+ Get-VMHostService -VMHost $esx | where { $_.Key -eq 'TSM-SSH' ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-VMHostService], VimException
+ FullyQualifiedErrorId : Core_BaseCmdlet_UnknownError,VMware.VimAutomation.ViCore.Cmdlets.Commands.Host.GetVMHostService

Get-VMHostService : 3/11/2021 5:38:04 AM Get-VMHostService Object reference not set to an instance of an objec
At C:\Users\mishrad\Desktop\slpdtest1.ps1:20 char:9
+ Get-VMHostService -VMHost $esx | where { $_.Key -eq 'TSM-SSH' ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-VMHostService], VimException
+ FullyQualifiedErrorId : Core_BaseCmdlet_UnknownError,VMware.VimAutomation.ViCore.Cmdlets.Commands.Host.GetVMHostService

0 Kudos
LucD
Leadership

Looks like some lines got split.
Attached my original version



0 Kudos
pkm2210
Contributor

Thanks a ton LucD, it helped!!!

I am getting an error for some of the hosts but don't know which host is having that error. Is there any way to get the host name in the output so that we can know where it executed successfully?

0 Kudos
LucD
Leadership

You could add a Write-Host in the loop.

    ForEach-Object -Process {
        Write-Host "Looking at $($esx.Name)"



Mallik7
Enthusiast

LucD,

Script is working for 6.x ESXi hosts, but not for 7.x. It throws an error at the below line -

$session = New-SSHSession -ComputerName $esx.Name -Credential $cred -AcceptKey

 

New-SSHSession : An established connection was aborted by the server.
At C:\Scripts\SLPD\slpd.ps1:12 char:12
+ $session = New-SSHSession -ComputerName $esx.Name -Credential $cred – ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : SecurityError: (Renci.SshNet.SshClient:SshClient) [New-SSHSession], SshConnectionException

0 Kudos
LucD
Leadership

Looks like the ESXi refuses the SSH connection.
That could be that the service is not running or that there are FW rules that prohibit it.



0 Kudos
Mallik7
Enthusiast

SSH service is getting started. There is no issue with that. However, the same script is working on ESXi host 6.5 -

$esxName = 'MyEsx'
$esx = Get-VMHost -Name $esxName
$cmdsub = @'
/etc/init.d/slpd stop;
/etc/init.d/slpd status;
esxcli network firewall ruleset set -r CIMSLP -e 0;
chkconfig slpd off;
chkconfig --list | grep slpd;
'@
$cred = get-credential
Get-VMHostService -VMHost $esx | where{$_.Key -eq 'TSM-SSH'} | Start-VMHostService -Confirm:$false | Out-Null
$session = New-SSHSession -ComputerName $esx.Name -Credential $cred -AcceptKey
Invoke-SSHCommand -SSHSession $session -Command $cmdSub | Select -ExpandProperty Output
Remove-SSHSession -SSHSession $session | Out-Null
Get-VMHostService -VMHost $esx | where{$_.Key -eq 'TSM-SSH'} | Stop-VMHostService -Confirm:$false | Out-Null

0 Kudos
LucD
Leadership

Did you check the Lockdown Mode under Security Profile for those ESXi 7 nodes?



0 Kudos
Bean78
Contributor

Hi LucD,

Can you please make the same script work for multiple ESXi servers having different credentials? We can also import the ESXi server details and their credentials from a CSV/txt file.

0 Kudos