JDMils_Interact
Enthusiast

Thanks for your response. I did see the PowerShell example from VMware stating you can shut down the SLPD service using PowerCLI; however, I initially tested the sample code on my ESXi hosts and some hosts, particularly those which were deemed vulnerable just by their build version, returned no result. Here are my testing results on an ESXi 6.7 host with the SLPD service running:

Checked the SLPD service status via SSH:

[root@MyHost:~] /etc/init.d/slpd status
slpd is running

[root@MyHost:~] esxcli network firewall ruleset list -r CIMSLP
Name    Enabled
------  -------
CIMSLP     true

[root@MyHost:~] chkconfig --list | grep slpd
slpd                    on

OK, so the SSH commands all show the SLPD service is running, firewall is allowing connections and the service is set to restart on host restart.

Then I ran the VMware-recommended PowerShell script on the same host:

PS C:\Users\jmilano\Documents\Powershell_Scripts\Vulnerabilities> $VMHost = Get-VMHost -Name 'MyHost.MyDomain.com.au'
PS C:\Users\jmilano\Documents\Powershell_Scripts\Vulnerabilities> $service = $VMHost | Get-VMHostService | Where-Object { $_.Key -eq "slpd" }
PS C:\Users\jmilano\Documents\Powershell_Scripts\Vulnerabilities> $Service
PS C:\Users\jmilano\Documents\Powershell_Scripts\Vulnerabilities>

As you can see from displaying the value of the variable $Service, the PowerShell script returns no results. I checked the web GUI for this host and it only shows the CIM Server as a service; there is no SLPD service in the GUI. The hosts I tested this on are VMware ESXi, 6.7.0, 14320388.

I then checked the SLPD service from SSH again and nothing has changed:

[root@MyHost:~] /etc/init.d/slpd status
slpd is running

[root@MyHost:~] esxcli network firewall ruleset list -r CIMSLP
Name    Enabled
------  -------
CIMSLP     true

[root@MyHost:~] chkconfig --list | grep slpd
slpd                    on

From what I can determine, if you cannot see the SLPD service in the web GUI then you cannot turn it off using just straight PowerCLI. And this will most likely be the hosts which are ESXi 6.7 with a very low build value.

 

So if you want to be sure that you mitigate this vulnerability on ALL your hosts, you're better off running the "work around" commands supplied by VMware using SSH from PowerShell. This is for all those admins out there who have not upgraded their hosts to V7 yet. I guess if you have all V7 hosts then the VMware sample code will work fine.

 

*** Interesting note: All my vCenters are now V7 running ESXi 6.7 hosts atm as we are about to upgrade the hosts. No matter if I turn off the SLPD service from an SSH session, as per the VMware workaround instructions, or by using my custom PowerShell script (same thing really!), the service status as displayed in the web GUI does NOT change, so the SLPD service in the web GUI will show "Running" although it is not.

Using the VMware PowerShell script samples DOES change the service status in the web GUI, and from what I can see it is because the PowerCLI commands create a task in vCenter/ESXi hosts: you can see the task pop up in the Recent Tasks pane at the bottom of the web GUI when you run the VMware PowerShell samples, so this seems to trigger the vCenter server to update the web GUI service status.

Strange!

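Because the post shows that neither Get-VMHostService nor the web GUI reliably reflects the real slpd state, the three SSH checks it uses can be folded into one verdict per host. This is an added example, not part of the original post or of VMware's sample code; the function names, the verdict labels and the "slpd is not running" status string are assumptions.

```shell
#!/bin/sh
# Added example (not from the post or VMware): turn the three SSH checks
# into one verdict. Function names and verdict labels are hypothetical.

# classify_slp STATUS_OUT RULESET_OUT CHKCONFIG_OUT
# Each argument is the raw output of one of the commands shown in the post.
classify_slp() {
    svc=unknown
    case "$1" in
        *"is not running"*) svc=stopped ;;   # assumed wording when stopped
        *"is running"*)     svc=running ;;
    esac
    # Firewall ruleset table: take the Enabled column of the CIMSLP row.
    fw=$(printf '%s\n' "$2" | awk '$1 == "CIMSLP" { print $2; exit }')
    # chkconfig line: "slpd  on|off" decides whether slpd starts at boot.
    boot=$(printf '%s\n' "$3" | awk '$1 == "slpd" { print $2; exit }')
    [ -n "$fw" ] || fw=unknown
    [ -n "$boot" ] || boot=unknown

    case "$svc/$fw/$boot" in
        *unknown*)         verdict=unknown ;;      # a check could not be parsed
        stopped/false/off) verdict=mitigated ;;    # all three closed
        running/true/on)   verdict=unmitigated ;;  # the state shown in the post
        *)                 verdict=partial ;;      # e.g. stopped now, on at boot
    esac
    echo "$verdict service=$svc firewall=$fw boot=$boot"
}

# Run the same three checks on the host itself (ESXi shell over SSH).
audit_local() {
    classify_slp "$(/etc/init.d/slpd status 2>&1)" \
        "$(esxcli network firewall ruleset list -r CIMSLP 2>&1)" \
        "$(chkconfig --list 2>&1 | grep slpd)"
}

# Constructed sample: the ruleset output quoted in the post.
SAMPLE_RULESET='Name    Enabled
------  -------
CIMSLP     true'

if [ -x /etc/init.d/slpd ]; then
    audit_local
else
    classify_slp "slpd is running" "$SAMPLE_RULESET" "slpd                    on"
fi
```

A `partial` verdict with `boot=on` is the case to watch for: the service is stopped now but is still set to start on the next host restart.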