Response To VMSA-2021-0014
https://www.vmware.com/security/advisories/VMSA-2021-0014.html
ESXi SFCB improper authentication vulnerability (CVE-2021-21994)
ESXi OpenSLP denial-of-service vulnerability (CVE-2021-21995)
To protect against these vulnerabilities, update your ESXi hosts to the versions below.
The 7.0 and 6.7 versions which protect against these vulnerabilities were released earlier this year, so you may have already upgraded to them.
If you are running these versions (or later), then you are already protected.
If you are running an earlier version, then please proceed to upgrade to the versions detailed below.
ESXi Version | Fixed Version | Build Number | Release Date | Release Notes | Additional Information |
7.0 | ESXi 7.0 U2 | 17630552 | March 9th 2021 | See Important note below | |
6.7 | ESXi 6.7 P05 | 17700523 | March 18th 2021 | | |
6.5 | ESXi 6.5 EP24 | 18071574 | July 13th 2021 | | |
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u2a-release-notes.html
IMPORTANT: VMware removed the ESXi 7.0 Update 2 offline and online depots from all sites on March 12, 2021 due to an upgrade-impacting issue. Build 17867351 for ESXi 7.0 Update 2a replaces build 17630552 for ESXi 7.0 Update 2. All Components and Bulletins in the ESXi 7.0 Update 2a build are updated and replace the Components and Bulletins from the ESXi 7.0 Update 2 build.
To upgrade to a fixed version with vSphere Lifecycle Manager or with an offline depot, use ESXi 7.0U2a (Build 17867351).
Note: You might have to perform "Sync Updates" in Lifecycle Manager (7.x) or "Download Now" in Update Manager (6.x) to refresh the patch metadata if the latest 6.5 patch, EP24 (18071574), is not showing in Updates (screenshot below).
If you are not able to update your ESXi hosts at this time, the workarounds detailed in KB 1025757 and KB 76372 can be applied to all your ESXi hosts.
(Please see this article relating to possible VMware PowerCli automation of these workarounds)
If you have any further questions, please post them here and we will ensure that they are answered for you
Important Information For Workaround for CVE-2021-21994
Disable sfcb service
https://kb.vmware.com/s/article/1025757
SFCB stands for “Small footprint cim broker” and is used to provide hardware health information for the ESXi host in the vSphere client and the ESXi UI
This service is disabled by default.
However, third-party custom ISOs can include CIM VIBs, which result in the service being enabled.
Manual installation of a CIM agent will also enable the service.
This means that the status of the service depends on the installation method used.
Disabling SFCB will prevent vCenter from reporting Storage sensor information (see screenshots below).
However, the individual vendor monitoring and management systems will continue to function – the only loss of functionality is reporting via the vSphere client and the ESXi host client
To check if the service is running or not, you can use the vSphere Client
Select the ESXi Host – Configure – Services
The SFCB service is reported as CIM Server (listed as sfcbd-watchdog in older versions)
The above is taken from a host installed via the default VMware ISO.
The service is at the default setting of “Stopped” and “Start and stop manually”.
If your host reports the above, then there is no need for further action
The screenshot below shows the view from a host where the service is running.
As such, the host is exposed to this vulnerability (unless you have upgraded to one of the versions detailed above).
Follow the steps in KB 1025757 to stop the service (No reboot required)
The status of the service can also be checked by running the “/etc/init.d/sfcbd-watchdog status” command
Log in to the host via an SSH session (PuTTY) and execute the command above.
Important Information For Workaround for CVE-2021-21995
ESXi OpenSLP denial-of-service vulnerability (CVE-2021-21995)
This is the 4th advisory that relates to this service
VMSA-2021-0014 (CVE-2021-21994 & CVE-2021-21995)
VMSA-2021-0002 (CVE-2021-21974)
VMSA-2020-0023 (CVE-2020-3992)
VMSA-2019-0022 (CVE-2019-5544)
To protect the ESXi host from the latest vulnerability, you must update to the version documented above.
The workaround is the same as for the previous advisories
As such you may already have disabled this service to mitigate these issues.
Depending on your product version, the slpd service may be listed in the vCenter client
The screenshot below shows the service running
This needs to be stopped to protect against this issue
Refer to KB 76372 for details (No reboot required to disable the service)
When slpd is disabled, CIM clients that use SLP to find CIM servers over port 427 will not be able to locate the service.
If the service is not listed above, you will need to check the status via an SSH session (PuTTY).
Log in and run the command “/etc/init.d/slpd status”.
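Because both workarounds start with the same question (is sfcbd-watchdog or slpd still running on a host?), the following script is an added example that checks a list of ESXi hosts over SSH using the two status commands quoted above. It is not part of the advisory or either KB article. It assumes SSH is enabled on the hosts with key-based root login, and the sample status strings it classifies are constructed to resemble the "<service> is running" / "<service> is not running" wording of the init scripts; verify the exact output on your own hosts before relying on the match.

```shell
#!/bin/sh
# Added example (not from VMSA-2021-0014 or the KB articles): report which
# ESXi hosts still have the sfcbd (CVE-2021-21994) or slpd (CVE-2021-21995)
# service running, using the status commands from the workaround notes.

# classify_status SERVICE STATUS_TEXT
# Prints "SERVICE:ok" when the status text says the service is not running,
# "SERVICE:exposed" when it is running, and "SERVICE:unknown" otherwise
# (e.g. empty output because the SSH connection failed).
classify_status() {
  svc="$1"
  text="$2"
  case "$text" in
    *"not running"*) echo "$svc:ok" ;;
    *"is running"*)  echo "$svc:exposed" ;;
    *)               echo "$svc:unknown" ;;
  esac
}

# check_host HOST
# Runs both status commands on the host (assumption: SSH as root with key
# authentication) and prints one classification line per service.
check_host() {
  host="$1"
  sfcb_out=$(ssh -o BatchMode=yes -o ConnectTimeout=5 "root@$host" \
    '/etc/init.d/sfcbd-watchdog status' 2>/dev/null)
  slpd_out=$(ssh -o BatchMode=yes -o ConnectTimeout=5 "root@$host" \
    '/etc/init.d/slpd status' 2>/dev/null)
  echo "$host $(classify_status sfcbd "$sfcb_out")"
  echo "$host $(classify_status slpd "$slpd_out")"
}

# Stand-alone demonstration on constructed sample output (no SSH needed).
classify_status sfcbd 'sfcbd is not running'   # sfcbd:ok
classify_status slpd  'slpd is running'        # slpd:exposed

# Usage: ./check-esxi-workarounds.sh esxi01.example.internal esxi02.example.internal
# (hypothetical host names; pass your own as arguments)
for h in "$@"; do
  check_host "$h"
done
```

A host that reports "exposed" for either service is still reliant on the patch; either upgrade it to the fixed build listed above or apply the KB 1025757 / KB 76372 steps and re-run the check. Treat "unknown" as a connectivity or output-format problem to investigate, not as a pass.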