ESXi


Do we need the SLP Service on Port 427

  • 1.  Do we need the SLP Service on Port 427

    Posted Dec 11, 2014 09:18 AM

    Hi,

    our penetration test team criticizes a running SLP service on port 427 tcp/udp on all our ESXi 5.0 hosts (HP 380 G6-G8).

    Does someone know if this service is needed on a standard ESXi host connected to a vCenter (maybe for the hardware tab)?

    We are NOT running any third party tools to monitor the hosts (HP agent e.g). But we have installed the CIM Provider for the vCenter integration.

    Just closing "CIM SLP" via firewall rules did not bring up any problems promptly as far as I see, but I want to be really sure.

    Any help would be appreciated.

    Chris



  • 2.  RE: Do we need the SLP Service on Port 427

    Posted Dec 11, 2014 07:39 PM

    Hi Chris,

    As far as I understand, this CIM SLP service is used by the vSphere client to discover hardware inventory on your hosts ... so unless you are using any plugins to monitor hardware, I would just verify that you still see all the right data in the hardware tab (including, verifying that the sensors still work). There is nothing special mentioned in the VMware hardening guides about this port or UDP service, so not too sure why security are keen on closing it down?

    Hope this helps?

    Cheers,

    Jon



  • 3.  RE: Do we need the SLP Service on Port 427

    Posted Dec 12, 2014 06:16 AM

    Hi Jon,

    thanks for your answer!

    This is what I thought too. It must be used by the vClient/vCenter to get the hardware information from the hosts.

    But when disabling it, the hardware info is still shown in the vClient. However, the hardware tab often has odd behaviour (not current/real values) and I struggle to trust it.

    So I hoped to find someone who can definitely say "you (don't) need it".

    Chris



  • 4.  RE: Do we need the SLP Service on Port 427
    Best Answer

    Posted Dec 12, 2014 10:41 AM

    Perhaps the best course of action would be to push back on the security recommendations and log a support call with VMware to confirm the impact of closing this down ... I'm always reluctant to make changes that I don't fully understand. In this case, security can't explain why they want this closed down and you don't know the impact to production if you do close it down.

    Cheers,

    Jon



  • 5.  RE: Do we need the SLP Service on Port 427

    Posted Dec 18, 2014 07:19 AM

    Thanks Jon,

    this might be the best way.

    Cheers, Chris



  • 6.  RE: Do we need the SLP Service on Port 427

    Posted Dec 06, 2019 02:46 PM

    You all realize that VMware support only accesses public documentation, right? And VMware has nothing published about what they are using SLP for, whether or not it should be disabled, and what the impact would be if it was disabled.. I would not have marked this as the correct answer because it doesn't answer the question; it remains unanswered.

    Here is the VMware KB that talks about disabling SLP, and you can see there is nothing in it describing the impact of disabling the service.. I made certain to leave a feedback comment on the KB stating the person who QAs these KBs needs to be fired..

    VMware Knowledge Base

    I encourage others who read this KB to make a similar comment and submit feedback to let VMware know this is unacceptable. This is a complete lack of customer focus and it leaves customers scrambling around the web trying to find more info about this to make an informed decision.. Shall we send an invoice over to VMware for the time spent trying to dig up the true details of this issue so we know the proper actions to take in an informed manner?



  • 7.  RE: Do we need the SLP Service on Port 427

    Posted Dec 06, 2019 07:07 PM

    Well Said

    And here I am, probably doing the same thing you are, researching the VMSA they released yesterday.

    [Security-announce] VMSA-2019-0022 VMware ESXi and Horizon DaaS updates address OpenSLP remote code execution vulnerability (CVE-2019-5544)


    I have opened an SR and will post what they tell me. Please do the same if you learn anything.



  • 8.  RE: Do we need the SLP Service on Port 427

    Posted Dec 08, 2019 11:17 PM

    any further information from VMware on this?



  • 9.  RE: Do we need the SLP Service on Port 427

    Posted Dec 09, 2019 04:43 PM

    Hi All,

    This is the text of the VMware SR I opened and their response is below:

    This is a question about the vulnerability announcement sent today: [Security-announce] VMSA-2019-0022 VMware ESXi and Horizon DaaS updates address OpenSLP remote code execution vulnerability (CVE-2019-5544)

    Due to constraints in our environment we are not able to update to the recommended build of:

    Product: ESXi (Embedded and Installable) 6.7.0 - ESXi670-201912001 - 12/05/2019 - 15160138

    Prior to performing the workaround per KB76372 on our ESXi hosts we need to know if any vSphere applications will be affected by applying the workaround to include the vRealize Suite vRA, vCO, vRB, Loginsight, vRNI, vROPS, NSX, etc....

    VMware response:

    When performing the workaround as described in https://kb.vmware.com/s/article/76372 we will lose access to hardware health monitoring at the vCenter level. However none of the other vSphere products you mentioned should be affected by performing this workaround.

    In a second question I asked if Proactive HA would be affected. They said no.

    It does not appear that ESXi or any apps use port 427 with the exception of Hardware Health. So if you're relying on hardware health you may have an issue.

    I am waiting for a response to see if this will affect Hardware Alerts like 'host memory', 'host processor', 'host hardware voltage', etc.

    Update from VMware support:

    In this case yes, by disabling SLP and port 427 we will limit if not remove the ability to receive alerts for hardware health from the vCenter level.

    If you have out of band management solutions like iDRAC, ILO, UCS, etc then you should still have some access to hardware health monitoring.




  • 10.  RE: Do we need the SLP Service on Port 427

    Posted Feb 06, 2023 06:47 AM

    9 years later, they were absolutely correct to ask to close this SLP port!

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21974

    https://kb.vmware.com/s/article/76372

    #EsxiArgs_ransomware



  • 11.  RE: Do we need the SLP Service on Port 427

    Posted Feb 06, 2023 11:42 AM

    I just have a question:

    I am upgrading now to 7u3i. Do I need to undo the workaround after the ESXi is at 7u3i?



  • 12.  RE: Do we need the SLP Service on Port 427

    Posted Feb 08, 2023 02:47 PM

    No, after ESXi 7.0 U2c the slpd service is stopped and set to manual start, by default:

    The following ESXi versions are affected by CVE-2021-21974:

    • ESXi 7.x prior to ESXi70U1c-17325551
    • ESXi 6.7.x prior to ESXi670-202102401-SG
    • ESXi 6.5.x prior to ESXi650-202102101-SG

    For a system to be vulnerable to CVE-2021-21974, the OpenSLP service needs to be running, and its associated port 427 needs to be reachable from the internet. According to VMware, this service is disabled by default on new installations since ESXi 7.0 U2c and ESXi 8.0 GA.

    Source: https://www.recordedfuture.com/esxiargs-ransomware-targets-vmware-esxi-openslp-servers



  • 13.  RE: Do we need the SLP Service on Port 427

    Posted Feb 10, 2023 09:08 PM

    "For a system to be vulnerable to CVE-2021-21974, the OpenSLP service needs to be running, and its associated port 427 needs to be reachable from the internet."

    Nitpick: for it to be vulnerable it just needs to be reachable, period. A malicious actor inside the network can exploit this even if 427 is unreachable from the internet side.



  • 14.  RE: Do we need the SLP Service on Port 427

    Posted Dec 09, 2019 10:08 PM

    We have decided to apply the workaround for this vulnerability. We have other tools in place to monitor hardware.



  • 15.  RE: Do we need the SLP Service on Port 427

    Posted Dec 11, 2019 12:57 AM

    Has anyone worked out a way to script the workaround via PowerCLI?



  • 16.  RE: Do we need the SLP Service on Port 427

    Posted Dec 11, 2019 04:06 PM

    I'm going to work on a PowerShell script using Posh-SSH as I get time. I will try to post once completed.



  • 17.  RE: Do we need the SLP Service on Port 427



  • 18.  RE: Do we need the SLP Service on Port 427

    Posted Dec 11, 2019 10:43 PM

    Scott, thanks for posting.

    Saved me some work, greatly appreciated.



  • 19.  RE: Do we need the SLP Service on Port 427

    Posted Dec 11, 2019 08:03 PM

    Hi all,

    I applied the workaround, but the Last update field continues to report hardware sensor activity to vCenter.

    Does anyone really know the impact of applying the workaround?

    Thanks in advance.



  • 20.  RE: Do we need the SLP Service on Port 427

    Posted Dec 11, 2019 10:42 PM

    I have not seen any negative impact of applying this change. NOTE I have only tested on one host for 5 hours or so.

    This is a response to virtually the same question we asked VMware Support

    "In relation to the SLP being disabled I researched on it and found the below mentioned information.

    SLP isn't used by the vCenter to discover which ports the CIM agents are using on the ESXi (it just knows)

    • All the hardware monitoring we see in the vCenter will remain (disk issues, battery problems, thermals, etc.)

    • External systems that might want to talk to the ESXi CIM agents could be relying on SLP to discover them and so might not work.

    KB article to disable SLP - https://kb.vmware.com/s/article/76372"



  • 21.  RE: Do we need the SLP Service on Port 427

    Posted Dec 12, 2019 02:02 PM

    Wow, even worse than I expected... a complete contradiction.



  • 22.  RE: Do we need the SLP Service on Port 427

    Posted Dec 16, 2019 02:27 PM

    Would it not be possible to edit the CIM SLP service's allowed IP addresses and manually enter our vCenter server IP? Would this not be a more sane workaround?



  • 23.  RE: Do we need the SLP Service on Port 427

    Posted Dec 16, 2019 04:11 PM

    You could probably use esxcli to create firewall rules.

    ESXi ESXCLI Firewall Commands
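    An added PowerCLI example, not from any post in this thread or from VMware, that covers what posts 15, 22 and 23 ask for: it reports the CIMSLP firewall ruleset and slpd service state per host and, with -Apply, either restricts the ruleset to listed addresses (the vCenter IP, as post 22 suggests) or applies the KB 76372 workaround. It assumes an existing Connect-VIServer session and that the host lists slpd under Get-VMHostService (an assumption for 6.x hosts; otherwise only the firewall part is applied).

```powershell
# Added example (not VMware's or the thread's code): audit/apply the CIMSLP workaround.
# Assumes Connect-VIServer has already been run for the vCenter managing these hosts.
param(
    [Parameter(Mandatory)] [string[]] $HostName,
    [string[]] $AllowedIp = @(),   # e.g. the vCenter IP; restrict instead of block
    [switch] $Apply                 # without -Apply the script only reports
)

foreach ($name in $HostName) {
    $vmhost = Get-VMHost -Name $name -ErrorAction Stop
    $esxcli = Get-EsxCli -VMHost $vmhost -V2

    # Firewall state of the CIMSLP ruleset (port 427 tcp/udp)
    $rule = $esxcli.network.firewall.ruleset.list.Invoke(@{ rulesetid = 'CIMSLP' })
    # slpd service state, if the host exposes it as a host service (assumption)
    $slpd = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'slpd' }

    [pscustomobject]@{
        Host          = $name
        CIMSLPEnabled = $rule.Enabled
        SlpdRunning   = if ($slpd) { $slpd.Running } else { 'n/a' }
        SlpdPolicy    = if ($slpd) { $slpd.Policy }  else { 'n/a' }
    } | Format-Table -AutoSize

    if (-not $Apply) { continue }

    if ($AllowedIp.Count -gt 0) {
        # Keep the ruleset enabled but accept inbound 427 only from listed addresses
        $esxcli.network.firewall.ruleset.set.Invoke(@{ rulesetid = 'CIMSLP'; allowedall = $false })
        foreach ($ip in $AllowedIp) {
            $esxcli.network.firewall.ruleset.allowedip.add.Invoke(@{ rulesetid = 'CIMSLP'; ipaddress = $ip })
        }
    } else {
        # KB 76372 step: disable the CIMSLP ruleset so port 427 is closed entirely
        $esxcli.network.firewall.ruleset.set.Invoke(@{ rulesetid = 'CIMSLP'; enabled = $false })
    }

    if ($slpd) {
        # Equivalent of "/etc/init.d/slpd stop" and "chkconfig slpd off" from the KB
        if ($slpd.Running) { Stop-VMHostService -HostService $slpd -Confirm:$false | Out-Null }
        Set-VMHostService -HostService $slpd -Policy Off | Out-Null
    }
}
```

    Run it once without -Apply to record the current state before changing anything, and re-run afterwards to confirm the ruleset shows disabled (or allowed-all false) and slpd is stopped with policy Off.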



  • 24.  RE: Do we need the SLP Service on Port 427

    Posted Jun 04, 2020 12:30 PM

    Did anyone experience any issues after enabling the workaround described in KB 76372 to fix the problem with SLP?

    I would appreciate if anyone could share their experience.



  • 25.  RE: Do we need the SLP Service on Port 427

    Posted Nov 18, 2020 03:52 PM

    This thread has become more important because of the newly announced vulnerabilities this month.

    links to VMware advisories:

    https://www.vmware.com/security/advisories/VMSA-2019-0022.html

    https://www.vmware.com/security/advisories/VMSA-2020-0023.html

    and workaround:

    https://kb.vmware.com/s/article/76372

    Does anyone have an update?

    Disabling CIM because of the SLP vulnerability (workaround) has what impacts on ESXi monitoring/management operations?



  • 26.  RE: Do we need the SLP Service on Port 427

    Posted Nov 19, 2020 04:47 PM

    Our organization implemented the CIMSLP workaround without any adverse impacts. We are proceeding with patching and will remove the workaround when that's complete. Since we noted no downside to disabling SLPd on the ESXi hosts, we wonder what value it actually provides. Perhaps we do not use the orchestrator/automation that might otherwise use it.



  • 27.  RE: Do we need the SLP Service on Port 427

    Posted Feb 03, 2021 09:50 AM

    We will also apply the workaround, as from this thread it will not affect running services/hardware monitoring.



  • 28.  RE: Do we need the SLP Service on Port 427

    Posted Feb 25, 2021 08:30 PM

    Ansible Playbook to apply Workaround for OpenSLP security vulnerability in ESXi 6.7



  • 29.  RE: Do we need the SLP Service on Port 427

    Posted Feb 12, 2023 03:24 PM

    You can see how to explore this CVE in this video: https://www.youtube.com/watch?v=7FHX6ppYIXY

    The firewall rule CIM SLP can block this attack.



  • 30.  RE: Do we need the SLP Service on Port 427

    Posted Feb 14, 2023 03:38 PM

    I don't know about needing it, but I have found that I can't kill the sfcb service despite following the CLI given. It keeps restarting. CIM is showing stopped in vSphere and is set to stop and start manually as per the latest advisory.

    Following the workarounds for both CIM

    How to disable or enable the SFCB service (CIM Server) on the ESX/ESXi host (1025757) (vmware.com)

    and OpenSLP

    How to Disable/Enable the SLP Service on VMware ESXi (76372)

    I have tried to use CLI and can stop sfcb and slp but sfcb seems to restart shortly after despite this.

    Am I missing something?