Hi all
Is anyone able to share a PS script to implement the workaround described in https://kb.vmware.com/s/article/76372 ?
I have quite a few hosts, so it will take a long while to do manually
Thanks
Moderator: Thread moved to the PowerCLI area.
Besides running the commands from KB76372 via an SSH session on the ESXi nodes, I don't think there are any possibilities with PowerCLI cmdlets or API methods.
So if SSH is not an option, then I don't think there is a way to automate this.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Is this the same as Get-CimInstance (CimCmdlets) - PowerShell | Microsoft Docs?
I'm not sure I understand the link with the Get-CimInstance cmdlet.
You can use this script to implement the workaround for CVE-2020-3992 for all VMhosts in your environment
# Requires the Posh-SSH module and an existing Connect-VIServer session
# Workaround commands to run on each host over SSH
$cmdSub = @'
/etc/init.d/slpd stop;
/etc/init.d/slpd status;
esxcli network firewall ruleset set -r CIMSLP -e 0;
chkconfig slpd off;
chkconfig --list | grep slpd;
'@
$secPswd = ConvertTo-SecureString 'YourRootPassword' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('root', $secPswd)
$ESXHosts = Get-VMHost
foreach($ESXHost in $ESXHosts)
{
    # Start SSH on the host, run the commands, then stop SSH again
    Get-VMHostService -VMHost $ESXHost | where{$_.Key -eq 'TSM-SSH'} | Start-VMHostService -Confirm:$false | Out-Null
    $session = New-SSHSession -ComputerName $ESXHost.Name -Credential $cred -AcceptKey
    Invoke-SSHCommand -SSHSession $session -Command $cmdSub | Select -ExpandProperty Output
    Remove-SSHSession -SSHSession $session | Out-Null
    Get-VMHostService -VMHost $ESXHost | where{$_.Key -eq 'TSM-SSH'} | Stop-VMHostService -Confirm:$false | Out-Null
}
Hi Guys,
I have a question.
Why is the ESXi 5.5.X version not in this scope?
Do I have to apply this in ESXi 5.5.X?
Thanks all
Maybe because the version ESXi 5.5 is no longer supported since 2020-09-19? So VMware may assume that it makes no sense to mention the older/unsupported versions within the KB-articles.
Thanks for the script. Can you please provide me with the script to apply the same changes on multiple ESXi servers having different passwords?
Hello Bean78,
try this code:
# One entry per host, each with its own root password
$ESXArray = @(
    New-Object PSObject -Property @{Hostname = 'ServerNameONE'; Password = 'Passw0rd1'}
    New-Object PSObject -Property @{Hostname = 'ServerNameTWO'; Password = 'Passw0rd2'}
    New-Object PSObject -Property @{Hostname = 'ServerNameThree'; Password = 'Passw0rd3'}
)
$cmdSub = @'
/etc/init.d/slpd stop;
/etc/init.d/slpd status;
esxcli network firewall ruleset set -r CIMSLP -e 0;
chkconfig slpd off;
chkconfig --list | grep slpd;
'@
foreach($ESXHostObject in $ESXArray)
{
    # Build the credential for this host from its own password
    $secPswd = ConvertTo-SecureString $($ESXHostObject.Password) -AsPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential ('root', $secPswd)
    $ESXHost = Get-VMHost -Name $ESXHostObject.Hostname
    # Start SSH on the host, run the commands, then stop SSH again
    Get-VMHostService -VMHost $ESXHost | where{$_.Key -eq 'TSM-SSH'} | Start-VMHostService -Confirm:$false | Out-Null
    $session = New-SSHSession -ComputerName $ESXHost.Name -Credential $cred -AcceptKey
    Invoke-SSHCommand -SSHSession $session -Command $cmdSub | Select -ExpandProperty Output
    Remove-SSHSession -SSHSession $session | Out-Null
    Get-VMHostService -VMHost $ESXHost | where{$_.Key -eq 'TSM-SSH'} | Stop-VMHostService -Confirm:$false | Out-Null
}
Thanks Andy, can you edit the script to track which ESXi hosts have undergone the change and which did not make it, so we can perform them manually?
# One entry per host, each with its own root password
$ESXArray = @(
    New-Object PSObject -Property @{Hostname = 'ServerNameONE'; Password = 'Passw0rd1'}
    New-Object PSObject -Property @{Hostname = 'ServerNameTWO'; Password = 'Passw0rd2'}
    New-Object PSObject -Property @{Hostname = 'ServerNameThree'; Password = 'Passw0rd3'}
)
$cmdSub = @'
/etc/init.d/slpd stop;
/etc/init.d/slpd status;
esxcli network firewall ruleset set -r CIMSLP -e 0;
chkconfig slpd off;
chkconfig --list | grep slpd;
'@
foreach($ESXHostObject in $ESXArray)
{
    # Print the host name so the output that follows can be matched to a host
    Write-Host "Processing $($ESXHostObject.Hostname)"
    $secPswd = ConvertTo-SecureString $($ESXHostObject.Password) -AsPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential ('root', $secPswd)
    $ESXHost = Get-VMHost -Name $ESXHostObject.Hostname
    # Start SSH on the host, run the commands, then stop SSH again
    Get-VMHostService -VMHost $ESXHost | where{$_.Key -eq 'TSM-SSH'} | Start-VMHostService -Confirm:$false | Out-Null
    $session = New-SSHSession -ComputerName $ESXHost.Name -Credential $cred -AcceptKey
    Invoke-SSHCommand -SSHSession $session -Command $cmdSub | Select -ExpandProperty Output
    Remove-SSHSession -SSHSession $session | Out-Null
    Get-VMHostService -VMHost $ESXHost | where{$_.Key -eq 'TSM-SSH'} | Stop-VMHostService -Confirm:$false | Out-Null
}
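One way to record a per-host result for the tracking request above, as an added example that is not code from any poster in this thread. It assumes Posh-SSH is installed and Connect-VIServer has been run; the host entries are constructed placeholders, and Test-SlpdOff and slpd-todo.csv are hypothetical names.

```powershell
# Added example. Assumes Posh-SSH is installed and Connect-VIServer has been run.
# Host names and passwords below are constructed placeholders.
$ESXArray = @(
    [pscustomobject]@{ Hostname = 'ServerNameONE'; Password = 'Passw0rd1' }
    [pscustomobject]@{ Hostname = 'ServerNameTWO'; Password = 'Passw0rd2' }
)
$cmdSub = @'
/etc/init.d/slpd stop;
esxcli network firewall ruleset set -r CIMSLP -e 0;
chkconfig slpd off;
chkconfig --list | grep slpd;
'@

function Test-SlpdOff {
    # Hypothetical helper: true when one output line reads "slpd off"
    param([string[]]$Output)
    $lines = ($Output -join "`n") -split "\r?\n"
    [bool]($lines | Where-Object { $_ -match '^\s*slpd\s+off\s*$' })
}

$report = foreach ($item in $ESXArray) {
    $row = [pscustomobject]@{ Hostname = $item.Hostname; Status = 'Failed'; Detail = '' }
    $session = $null; $ssh = $null; $startedSsh = $false
    try {
        $secPswd = ConvertTo-SecureString $item.Password -AsPlainText -Force
        $cred = New-Object System.Management.Automation.PSCredential ('root', $secPswd)
        $esx = Get-VMHost -Name $item.Hostname -ErrorAction Stop
        $ssh = Get-VMHostService -VMHost $esx | Where-Object { $_.Key -eq 'TSM-SSH' }
        if (-not $ssh.Running) {   # only start (and later stop) SSH if it was off
            Start-VMHostService -HostService $ssh -Confirm:$false -ErrorAction Stop | Out-Null
            $startedSsh = $true
        }
        $session = New-SSHSession -ComputerName $esx.Name -Credential $cred -AcceptKey -ErrorAction Stop
        $out = (Invoke-SSHCommand -SSHSession $session -Command $cmdSub -ErrorAction Stop).Output
        if (Test-SlpdOff -Output $out) { $row.Status = 'Done' }
        $row.Detail = ($out -join ' | ')
    }
    catch { $row.Detail = $_.Exception.Message }   # keep the reason for the manual pass
    finally {
        if ($session) { Remove-SSHSession -SSHSession $session | Out-Null }
        if ($startedSsh) { Stop-VMHostService -HostService $ssh -Confirm:$false | Out-Null }
    }
    $row
}

$report | Format-Table -AutoSize
# Hosts still needing manual work (slpd-todo.csv is a hypothetical file name)
$report | Where-Object Status -ne 'Done' | Export-Csv .\slpd-todo.csv -NoTypeInformation
```

A host is marked Done only when the `chkconfig --list | grep slpd` output shows the service off; any lookup, SSH or command failure leaves it as Failed with the error text in Detail.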
I obtain the following error when I run this script
Get-VMHostService : Cannot bind parameter 'VMHost'. Cannot convert the "" value of type "System.Management.Automation.PSCustomObject" to type
"VMware.VimAutomation.ViCore.Types.V1.Inventory.VMHost".
At line:20 char:31
+ Get-VMHostService -VMHost $ESXHostObject | where{$_.Key -eq 'TSM- ...
+ ~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-VMHostService], ParameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgumentNoMessage,VMware.VimAutomation.ViCore.Cmdlets.Commands.Host.GetVMHostService
New-SSHSession : No connection could be made because the target machine actively refused it
At line:21 char:16
+ ... $session = New-SSHSession -ComputerName $ESXHost.Name -Credential $c ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Renci.SshNet.SshClient:SshClient) [New-SSHSession], SocketException
+ FullyQualifiedErrorId : SSH.NewSshSession
Invoke-SSHCommand : Cannot bind argument to parameter 'SSHSession' because it is null.
At line:22 char:35
+ Invoke-SSHCommand -SSHSession $session -Command $cmdSub | Select ...
+ ~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Invoke-SSHCommand], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Invoke-SSHCommand