PowerCLI Options to Disable SFCB and SLP Services


 

VMSA-2021-0014 documents a vulnerability in these services. Please see here for more information on this VMSA

The SFCB service can be disabled and enabled via a PowerCLI script.

Later versions of ESXi also expose the SLP service, so that it too can be disabled or enabled remotely by a script.

To determine which of the services can be disabled/enabled, log in to your vCenter via the vSphere client

Select the host, and click on “Configure” – “Services”

The Services view for the host will be presented.

Where the host reports both services, “CIM Server” is the sfcb service.

Where a host reports only the “CIM Server” service, the slpd service will have to be disabled/enabled manually.


The same information can be obtained with the PowerCLI cmdlet Get-VMHostService

The command below lists the available services for a host named “esxi-1.gsslabs.org”

Note that slpd is not listed

Get-VMHost -name "esxi-1.gsslabs.org" | Get-VMHostService


 

To stop the services on all hosts, run the commands below

Turn off SFCB

Get-VMHost | Get-VMHostService | Where-Object {$_.Key -eq "sfcbd-watchdog"} | Stop-VMHostService -Confirm:$false

Turn off SLP

Get-VMHost | Get-VMHostService | Where-Object {$_.Key -eq "slpd"} | Stop-VMHostService -Confirm:$false

 


 


To set the “startup policy” to Off (shown in the vSphere client as “Start and stop manually”), so that the services do not start again with the host

Get-VMHost | Get-VMHostService | Where-Object {$_.Key -eq "sfcbd-watchdog"} | Set-VMHostService -Policy Off -Confirm:$false

Get-VMHost | Get-VMHostService | Where-Object {$_.Key -eq "slpd"} | Set-VMHostService -Policy Off -Confirm:$false
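The stop and policy steps above, combined with a per-host record of the result, as an added example (this is not the attached script). It assumes a session already opened with Connect-VIServer; the CSV file name and the column names are assumptions.

```powershell
# Added example, not the attached script. Assumes Connect-VIServer has already been run.
$serviceKeys = 'sfcbd-watchdog', 'slpd'
$csvPath     = '.\sfcb_slp_status.csv'   # hypothetical output file name

$report = foreach ($vmHost in Get-VMHost) {
    try {
        # One query per host; a host that cannot be queried is recorded and skipped.
        $services = @(Get-VMHostService -VMHost $vmHost -ErrorAction Stop)
    } catch {
        [pscustomobject]@{ Host = $vmHost.Name; Service = 'n/a'; Running = $null
                           Policy = $null; Result = "Query failed: $($_.Exception.Message)" }
        continue
    }
    foreach ($key in $serviceKeys) {
        $svc = $services | Where-Object { $_.Key -eq $key }
        if (-not $svc) {
            # Service is not listed by Get-VMHostService on this host (the slpd case above).
            [pscustomobject]@{ Host = $vmHost.Name; Service = $key; Running = $null
                               Policy = $null; Result = 'Not exposed - manual intervention' }
            continue
        }
        try {
            if ($svc.Running) {
                $svc = Stop-VMHostService -HostService $svc -Confirm:$false -ErrorAction Stop
            }
            if ("$($svc.Policy)" -ne 'off') {
                $svc = Set-VMHostService -HostService $svc -Policy Off -Confirm:$false -ErrorAction Stop
            }
            $result = 'Disabled'
        } catch {
            $result = "Change failed: $($_.Exception.Message)"
        }
        # Record the state the cmdlets returned, not the state that was requested.
        [pscustomobject]@{ Host = $vmHost.Name; Service = $key; Running = $svc.Running
                           Policy = $svc.Policy; Result = $result }
    }
}

$report | Export-Csv -Path $csvPath -NoTypeInformation
# Any row whose Result is not 'Disabled' still needs attention.
$report | Where-Object { $_.Result -ne 'Disabled' } | Format-Table -AutoSize
```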

 


 


 

A sample script that can be used in your environment has been attached to this document.

Please download and review this script prior to execution. This is provided as an example only and should be tested in a non-production setup before running it in a production environment.

The script will need to be modified by updating it with the correct vCenter.

The username is set to "administrator@vsphere.local" and may need to be updated.

Executing the script will create a CSV file in the same directory as the PowerCLI script.

This will contain the results of running the script and will highlight any ESXi hosts that require manual intervention to disable the slpd service.

Filename: Disable_slpad_and_sfcbd_on_Hosts_in_VC.zip

The attached Zip file contains three PowerShell/PowerCLI scripts. The script details are as follows:

Disable_slpad_and_sfcbd_on_Hosts_in_VC.ps1 - This script disables and queries the slpd and sfcb services on ESXi hosts and highlights any ESXi hosts that require manual intervention to disable the slpd service. It uses the Set-VMHostService cmdlet in PowerCLI, and enabling SSH on the host is not required for performing the task.

Older versions of ESXi 6.5/6.7 and 7.0 do not have an option to disable the slpd service using the PowerCLI cmdlet Set-VMHostService. In that situation, scripting the task to query or disable the service is only possible with an SSH connection to the host using the "plink.exe" utility. The other two scripts in the attachment can be used to automate the task using Plink.

Query_slpd_and_sfcbd_status_on_ESXi_in_VC_with_plink.ps1 - This script queries the current status of the slpd and sfcb services. It enables SSH on the host automatically and disables it after querying the service status.

Disable_slpd_and_sfcbd_on_ESXi_in_VC_with_plink.ps1 - This script disables the slpd and sfcb services on all the hosts in vCenter Server. It also enables SSH on the host automatically and disables it after performing the task.

 

Comments

When you run the below script, it just runs halfway collecting data from hosts and quits by itself. Any advice?

Query_slpd_and_sfcbd_status_on_ESXi_in_VC_with_plink.ps1 

Version history: revision 4 of 4, last update 07-13-2021 12:30 PM