VMware Cloud Community
DaveMitchell201
Enthusiast

Script for CVE-2020-3992

Hi all

Is anyone able to share a PS script to implement the workaround described in https://kb.vmware.com/s/article/76372 ?

I have quite a few hosts, so it will take a long while to do manually.

Thanks

12 Replies
scott28tt
VMware Employee

Moderator: Thread moved to the PowerCLI area.


Although I am a VMware employee I contribute to VMware Communities voluntarily (ie. not in any official capacity)
VMware Training & Certification blog
LucD
Leadership

Besides running the commands from KB76372 via an SSH session on the ESXi nodes, I don't think there are any possibilities with PowerCLI cmdlets or API methods.

So if SSH is not an option, then I don't think there is a way to automate this.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

AlbertWT
Virtuoso

Is this the same as Get-CimInstance (CimCmdlets) - PowerShell | Microsoft Docs?

/* Please feel free to provide any comments or input you may have. */
LucD
Leadership

I'm not sure I understand the link with the Get-CimInstance cmdlet.

Andy90
Enthusiast

You can use this script to implement the workaround for CVE-2020-3992 on all VMHosts in your environment:

# Commands from KB76372, run on each host over SSH
$cmdsub = @'
/etc/init.d/slpd stop;
/etc/init.d/slpd status;
esxcli network firewall ruleset set -r CIMSLP -e 0;
chkconfig slpd off;
chkconfig --list | grep slpd;
'@

# Root credential for the SSH sessions (New-SSHSession, Invoke-SSHCommand and Remove-SSHSession come from the Posh-SSH module)
$secPswd = ConvertTo-SecureString 'YourRootPassword' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('root', $secPswd)

$ESXHosts = Get-VMHost
foreach($ESXHost in $ESXHosts)
{
    # Temporarily start the SSH service (TSM-SSH) on the host
    Get-VMHostService -VMHost $ESXHost | where{$_.Key -eq 'TSM-SSH'} | Start-VMHostService -Confirm:$false | Out-Null
    $session = New-SSHSession -ComputerName $ESXHost.Name -Credential $cred -AcceptKey
    Invoke-SSHCommand -SSHSession $session -Command $cmdsub | Select -ExpandProperty Output
    Remove-SSHSession -SSHSession $session | Out-Null
    # Stop the SSH service again
    Get-VMHostService -VMHost $ESXHost | where{$_.Key -eq 'TSM-SSH'} | Stop-VMHostService -Confirm:$false | Out-Null
}

marcionicko
Contributor

Hi Guys, 

I have a question. 

Why is the ESXi 5.5.x version not in this scope?

Do I have to apply this on ESXi 5.5.x?

Thanks all

Andy90
Enthusiast

Maybe because ESXi 5.5 has no longer been supported since 2020-09-19? So VMware may assume that it makes no sense to mention the older/unsupported versions within the KB articles.

Bean78
Contributor

Thanks for the script. Can you please provide me with a script to apply the same changes on multiple ESXi servers that have different passwords?

Andy90
Enthusiast

Hello Bean78,

try this code:

# One entry per host, each with its own root password
$ESXArray = @(
    New-Object PSObject -Property @{Hostname = 'ServerNameONE';  Password = 'Passw0rd1'}
    New-Object PSObject -Property @{Hostname = 'ServerNameTWO';  Password = 'Passw0rd2'}
    New-Object PSObject -Property @{Hostname = 'ServerNameThree';  Password = 'Passw0rd3'}
)

# Commands from KB76372, run on each host over SSH
$cmdsub = @'
/etc/init.d/slpd stop;
/etc/init.d/slpd status;
esxcli network firewall ruleset set -r CIMSLP -e 0;
chkconfig slpd off;
chkconfig --list | grep slpd;
'@

foreach($ESXHostObject in $ESXArray)
{
    # Build the credential for this host from its own password
    $secPswd = ConvertTo-SecureString $ESXHostObject.Password -AsPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential ('root', $secPswd)
    # Resolve the PowerCLI VMHost object; the entries in $ESXArray are plain PSObjects
    $ESXHost = Get-VMHost -Name $ESXHostObject.Hostname

    # Temporarily start the SSH service (TSM-SSH), run the commands, then stop it again
    Get-VMHostService -VMHost $ESXHost | where{$_.Key -eq 'TSM-SSH'} | Start-VMHostService -Confirm:$false | Out-Null
    $session = New-SSHSession -ComputerName $ESXHost.Name -Credential $cred -AcceptKey
    Invoke-SSHCommand -SSHSession $session -Command $cmdsub | Select -ExpandProperty Output
    Remove-SSHSession -SSHSession $session | Out-Null
    Get-VMHostService -VMHost $ESXHost | where{$_.Key -eq 'TSM-SSH'} | Stop-VMHostService -Confirm:$false | Out-Null
}
Bean78
Contributor

Thanks Andy. Can you edit the script to track which ESXi hosts have undergone the change and which did not make it, so we can do those manually?

Andy90
Enthusiast

# One entry per host, each with its own root password
$ESXArray = @(
    New-Object PSObject -Property @{Hostname = 'ServerNameONE';  Password = 'Passw0rd1'}
    New-Object PSObject -Property @{Hostname = 'ServerNameTWO';  Password = 'Passw0rd2'}
    New-Object PSObject -Property @{Hostname = 'ServerNameThree';  Password = 'Passw0rd3'}
)

# Commands from KB76372, run on each host over SSH
$cmdsub = @'
/etc/init.d/slpd stop;
/etc/init.d/slpd status;
esxcli network firewall ruleset set -r CIMSLP -e 0;
chkconfig slpd off;
chkconfig --list | grep slpd;
'@

foreach($ESXHostObject in $ESXArray)
{
    # Print the host name before each run so the console log shows which host the output below belongs to
    Write-Host "Processing $($ESXHostObject.Hostname)"
    $secPswd = ConvertTo-SecureString $ESXHostObject.Password -AsPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential ('root', $secPswd)
    # Resolve the PowerCLI VMHost object; the entries in $ESXArray are plain PSObjects
    $ESXHost = Get-VMHost -Name $ESXHostObject.Hostname
    Get-VMHostService -VMHost $ESXHost | where{$_.Key -eq 'TSM-SSH'} | Start-VMHostService -Confirm:$false | Out-Null
    $session = New-SSHSession -ComputerName $ESXHost.Name -Credential $cred -AcceptKey
    Invoke-SSHCommand -SSHSession $session -Command $cmdsub | Select -ExpandProperty Output
    Remove-SSHSession -SSHSession $session | Out-Null
    Get-VMHostService -VMHost $ESXHost | where{$_.Key -eq 'TSM-SSH'} | Stop-VMHostService -Confirm:$false | Out-Null
}
Bean78
Contributor

I get the following errors when I run this script:

Get-VMHostService : Cannot bind parameter 'VMHost'. Cannot convert the "" value of type "System.Management.Automation.PSCustomObject" to type
"VMware.VimAutomation.ViCore.Types.V1.Inventory.VMHost".
At line:20 char:31
+ Get-VMHostService -VMHost $ESXHostObject | where{$_.Key -eq 'TSM- ...
+ ~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-VMHostService], ParameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgumentNoMessage,VMware.VimAutomation.ViCore.Cmdlets.Commands.Host.GetVMHostService

New-SSHSession : No connection could be made because the target machine actively refused it
At line:21 char:16
+ ... $session = New-SSHSession -ComputerName $ESXHost.Name -Credential $c ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Renci.SshNet.SshClient:SshClient) [New-SSHSession], SocketException
+ FullyQualifiedErrorId : SSH.NewSshSession

Invoke-SSHCommand : Cannot bind argument to parameter 'SSHSession' because it is null.
At line:22 char:35
+ Invoke-SSHCommand -SSHSession $session -Command $cmdSub | Select ...
+ ~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Invoke-SSHCommand], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Invoke-SSHCommand

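The following script is an added example and not code from Andy90 or any other poster in this thread. It covers the two points raised above: recording per host whether the KB76372 workaround was applied (so the hosts that failed can be handled manually), and avoiding the binding and null-session errors shown in the last post by resolving the VMHost object first and stopping early when the SSH session cannot be opened. It assumes an active PowerCLI connection (Connect-VIServer), the Posh-SSH module, a constructed input file hosts.csv with a single Hostname column, and that the verification commands print the strings "slpd is not running", "CIMSLP  false" and "slpd  off" (the regexes below are assumptions about that output format). Root passwords are prompted for per host with Get-Credential rather than stored in the script.

```powershell
# Added example: apply the KB76372 workaround over SSH, verify it on each host,
# and keep a per-host result list for follow-up. Not part of the original thread.
Import-Module VMware.PowerCLI -ErrorAction Stop
Import-Module Posh-SSH -ErrorAction Stop

# The commands from KB76372 as posted in the thread (apply step).
$applyCmd = @'
/etc/init.d/slpd stop
esxcli network firewall ruleset set -r CIMSLP -e 0
chkconfig slpd off
'@

# Read-back step: the script trusts what the host reports, not just the exit code.
$verifyCmd = @'
/etc/init.d/slpd status
esxcli network firewall ruleset list -r CIMSLP
chkconfig --list | grep slpd
'@

$hostList = Import-Csv -Path .\hosts.csv      # constructed input: one column, Hostname
$results  = @()

foreach ($entry in $hostList) {
    $name          = $entry.Hostname
    $record        = [pscustomobject]@{ Hostname = $name; Status = 'Failed'; Detail = '' }
    $session       = $null
    $esxHost       = $null
    $sshWasRunning = $true     # default keeps SSH untouched if we never got that far

    try {
        # Resolve the PowerCLI object first. Passing the CSV row (a PSCustomObject)
        # to -VMHost is exactly the "Cannot bind parameter 'VMHost'" error above.
        $esxHost = Get-VMHost -Name $name -ErrorAction Stop

        # Start TSM-SSH only if it is not already running, and remember the original state.
        $sshSvc        = Get-VMHostService -VMHost $esxHost | Where-Object { $_.Key -eq 'TSM-SSH' }
        $sshWasRunning = [bool]$sshSvc.Running
        if (-not $sshWasRunning) {
            Start-VMHostService -HostService $sshSvc -Confirm:$false | Out-Null
        }

        # Hosts with different root passwords: prompt per host, nothing in clear text on disk.
        $cred    = Get-Credential -UserName 'root' -Message "root password for $name"
        # With -ErrorAction Stop a refused connection lands in catch instead of leaving
        # $session null for Invoke-SSHCommand (the third error shown above).
        $session = New-SSHSession -ComputerName $name -Credential $cred -AcceptKey -ErrorAction Stop

        $apply = Invoke-SSHCommand -SSHSession $session -Command $applyCmd
        if ($apply.ExitStatus -ne 0) {
            throw "apply step exited with $($apply.ExitStatus): $($apply.Error)"
        }

        # Verify all three parts of the workaround from the host's own output.
        $verify = (Invoke-SSHCommand -SSHSession $session -Command $verifyCmd).Output -join "`n"
        $ok = ($verify -match 'slpd is not running') -and   # daemon stopped (assumed wording)
              ($verify -match 'CIMSLP\s+false')      -and   # firewall ruleset disabled
              ($verify -match 'slpd\s+off')                 # not started at boot

        $record.Status = if ($ok) { 'Applied' } else { 'Unverified' }
        $record.Detail = $verify
    }
    catch {
        # Anything that went wrong is recorded against the host instead of aborting the loop.
        $record.Detail = $_.Exception.Message
    }
    finally {
        if ($session) { Remove-SSHSession -SSHSession $session | Out-Null }
        # Restore the SSH service to its original state only if this script enabled it.
        if ($esxHost -and -not $sshWasRunning) {
            Get-VMHostService -VMHost $esxHost | Where-Object { $_.Key -eq 'TSM-SSH' } |
                Stop-VMHostService -Confirm:$false | Out-Null
        }
    }
    $results += $record
}

# Summary on screen, full detail to CSV, and the list of hosts that need manual attention.
$results | Format-Table Hostname, Status -AutoSize
$results | Export-Csv -Path .\cve-2020-3992-results.csv -NoTypeInformation
$results | Where-Object { $_.Status -ne 'Applied' } | Select-Object Hostname, Status
```

"Unverified" means the commands ran without error but the read-back did not show all three expected states, which is the case worth checking by hand (for example when a host prints the status lines differently than assumed here). The result CSV also serves as evidence later that the workaround was in place on each host before the patched build was rolled out.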