How to Disable/Enable the SLP Service on VMware ESXi

Article ID: 318790

Products

VMware vSphere ESXi

Issue/Introduction

OpenSLP vulnerabilities have been disclosed that affect ESXi. These vulnerabilities and their impact on VMware products are documented in the following VMware Security Advisories (VMSAs). Review them before continuing, as there may be considerations outside the scope of this document:

VMSA-2022-0030 (CVE-2022-31699)
VMSA-2021-0014 (CVE-2021-21995)
VMSA-2021-0002 (CVE-2021-21974)
VMSA-2020-0023 (CVE-2020-3992)
VMSA-2019-0022 (CVE-2019-5544)

The ESXi team has investigated these vulnerabilities and determined that the possibility of exploitation can be removed by performing the steps detailed in the resolution section of this article. This workaround is meant to be a temporary solution only and customers are advised to deploy the patches documented in the aforementioned VMSAs.

Warning:

This workaround is applicable ONLY to ESXi. Do not apply this workaround to other VMware products.

Functionality Impacts:

With the workaround, CIM clients that use SLP (port 427) to discover CIM servers will no longer be able to locate the service on the host.

No reboot of the ESXi host is required to disable or enable the service.


Environment

VMware vSphere ESXi 7.0.0
VMware vSphere ESXi 6.0
VMware vSphere ESXi 6.5
VMware vSphere ESXi 6.7

Resolution

The PowerCLI options available for disabling the service are documented in a separate article.

To implement the workaround perform the following steps:

       1. Log in to the ESXi host over an SSH session (for example, with PuTTY).

       2. Stop the SLP service on the ESXi host:
/etc/init.d/slpd stop

Note: The SLP service can only be stopped when it is not in use. Use the following command to view the operational state of the Service Location Protocol daemon:

esxcli system slp stats get

       3. Disable the CIMSLP firewall ruleset so that port 427 is no longer reachable:
esxcli network firewall ruleset set -r CIMSLP -e 0

       4. Make the change persist across reboots by disabling slpd at startup:

chkconfig slpd off

To confirm that the startup setting is applied:

chkconfig --list | grep slpd

output: slpd off


To remove the workaround perform the following steps:
  1. Re-enable the firewall ruleset of the SLP service:
esxcli network firewall ruleset set -r CIMSLP -e 1
  2. Change the startup setting of the slpd service back to on:
chkconfig slpd on

To confirm that the change from step 2 is applied:

chkconfig --list | grep slpd

output: slpd on

  3. Start the SLP service:
/etc/init.d/slpd start
  4. Disable and re-enable the CIM agent so it re-registers with SLP, see How to disable or enable the CIM agent on the ESX/ESXi host
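The command-line procedure above, applying the workaround, verifying it, and removing it again, collected into one script. This is an added example and not VMware's own script; it assumes the ESXi busybox shell (ash) run as root over SSH, the CIMSLP ruleset name and the `chkconfig --list` and `esxcli network firewall ruleset list` output formats shown on this page, and that the CIM agent is controlled through /etc/init.d/sfcbd-watchdog (an assumption; see the linked CIM agent article). The output-parsing checks are separate functions, so the verification logic can be exercised with captured output on any host.

```shell
#!/bin/sh
# Added example (not VMware's script): apply, verify and remove the ESXi SLP workaround.
# Assumes the ESXi busybox shell, run as root over SSH.

# Reads `chkconfig --list` output on stdin; succeeds when slpd is set to "off".
slpd_startup_is_off() {
    grep -E '^slpd[[:space:]]+off[[:space:]]*$' >/dev/null
}

# Reads `esxcli network firewall ruleset list` output on stdin (columns: Name, Enabled);
# succeeds when the CIMSLP ruleset (port 427) is disabled.
cimslp_ruleset_is_disabled() {
    awk '$1 == "CIMSLP" { print tolower($2) }' | grep -qx false
}

# Check the persistent state on the live host: startup policy off AND ruleset disabled.
verify_slp_workaround() {
    chkconfig --list | slpd_startup_is_off \
        || { echo "slpd is still enabled at boot" >&2; return 1; }
    esxcli network firewall ruleset list | cimslp_ruleset_is_disabled \
        || { echo "CIMSLP firewall ruleset is still enabled" >&2; return 1; }
    echo "SLP workaround is in place"
}

# Steps 2-4 of the article: stop slpd, close port 427, disable slpd at startup, verify.
apply_slp_workaround() {
    # slpd refuses to stop while in use; show its statistics first for troubleshooting.
    esxcli system slp stats get || return 1
    /etc/init.d/slpd stop \
        || { echo "slpd did not stop; check the statistics above for activity" >&2; return 1; }
    esxcli network firewall ruleset set -r CIMSLP -e 0 || return 1
    chkconfig slpd off || return 1
    verify_slp_workaround
}

# Reverse of the above, in the order the article gives for removing the workaround.
remove_slp_workaround() {
    esxcli network firewall ruleset set -r CIMSLP -e 1 || return 1
    chkconfig slpd on || return 1
    /etc/init.d/slpd start || return 1
    # Assumption: the CIM agent is sfcbd, managed by the sfcbd-watchdog init script.
    /etc/init.d/sfcbd-watchdog stop || return 1
    /etc/init.d/sfcbd-watchdog start
}

# Usage: ./slp_workaround.sh apply | verify | remove
case "${1:-}" in
    apply)  apply_slp_workaround ;;
    verify) verify_slp_workaround ;;
    remove) remove_slp_workaround ;;
esac
```

Run it with `apply` once per host after reviewing the statistics output, then `verify` after the next reboot to confirm that both the startup policy and the firewall ruleset stayed off; the two parsing functions are what make that check reliable rather than a visual read of `chkconfig --list`.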

Later versions of ESXi report the SLPD service in the vCenter GUI.

        1. To check whether you can update the SLP service via the vSphere Client, log in to vCenter.

        2. Select the ESXi host and click "Configure" -- "Services". Look for SLP in the list.
            If SLP is not listed, use the command-line process detailed above.

        3. Select SLPD, click "Stop", and then click "Ok".

        4. Select "Edit Startup Policy", select "Start and stop manually", and click Ok.

        5. Reverse the steps above to re-enable the service.

Additional Information

VMware Skyline Health Diagnostics for vSphere - FAQ
For up-to-date information on these vulnerabilities, as well as future security information, please sign up for the VMSA mailing list.