PowerCLI

Hi!

I wonder if anyone already wrote script to implement workaround for OpenSLP security vulnerability in ESXi 6.x (CVE-2019-5544) / VMSA-2019-0022 ?
One to apply:
VMware Knowledge Base ?

I have asked VMware support same question but have not got any useful answer yet.

Moderator: Moved to PowerCLI

If you are allowed to enable SSH briefly and if you have installed/can install the Posh-SSH module, you could do

Thanks, this script worked as advertised. 

/Hi Luc,

Thanks for above script but can we do this same at vCenter level which dont ask for ESXi root password as we have different different root passwords for all the ESXi hosts to perform this CIMSLP actions ?

Not really, the commands need to be run on the ESXi node.
Except for the esxcli command, there is no alternative for these commands on the vCenter level

Hi Luc,

Oh ok, got it,

Actually we have around 2157 ESXi hosts and majority of them have same root passwords, hence I was looking for an option to apply this script once for all of them.

Hi Luc,

Will you be able to help me use this script for multiple hosts pls ?

Regards
Rachappa

Where and how do you provide the names of those ESXi nodes?

In a file?

Hi Luc,

Yes, if it takes from file also fine or if we need to mention in the script also fine, but need to do it for multiple hosts.

Hi Lucd 

CAn the script connects  the Vcenter and get all esxi host and apply this setings 

You can do this in a loop.
This assumes you have already connected to the VCSA and that the credentials for all ESXi nodes are the same.

$cmdsub = @'
/etc/init.d/slpd stop;
/etc/init.d/slpd status;
esxcli network firewall ruleset set -r CIMSLP -e 0;
chkconfig slpd off;
chkconfig --list | grep slpd;
'@

$secPswd = ConvertTo-SecureString 'Welcome2019!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('root', $secPswd)

Get-VMHost -PipelineVariable esx |
    ForEach-Object -Process {
        Get-VMHostService -VMHost $esx | where { $_.Key -eq 'TSM-SSH' } | Start-VMHostService -Confirm:$false | Out-Null

        $session = New-SSHSession -ComputerName $esx.Name -Credential $cred –AcceptKey
        Invoke-SSHCommand -SSHSession $session -Command $cmdSub | select -ExpandProperty Output
        Remove-SSHSession -SSHSession $session | Out-Null

        Get-VMHostService -VMHost $esx | where { $_.Key -eq 'TSM-SSH' } | Stop-VMHostService -Confirm:$false | Out-Null
    }

Hi Luc, Its working for me, thanks a lot for all your help as always

I am getting below error while executing script, I copied script as it is..

At C:\Users\mishrad\Desktop\slpdtest.ps1:16 char:79
+ ... New-SSHSession -ComputerName $esx.Name -Credential $cred â?"AcceptKey
+ ~~~~~~~~~~
The string is missing the terminator: ".
At C:\Users\mishrad\Desktop\slpdtest.ps1:13 char:29
+ ForEach-Object -Process {
+ ~
Missing closing '}' in statement block or type definition.
+ CategoryInfo : ParserError: (:) [], ParseException
+ FullyQualifiedErrorId : TerminatorExpectedAtEndOfString

Looks like something went wrong during your copy-paste.
That funny character in front of AcceptKey should be a dash (-)

Thanks Lucd for quick reply.

It is only a dash character in from of Acceptkey, please find my complete script below

$cmdsub = @'
/etc/init.d/slpd stop;
/etc/init.d/slpd status;
esxcli network firewall ruleset set -r CIMSLP -e 0;
chkconfig slpd off;
chkconfig --list | grep slpd;
'@

$secPswd = ConvertTo-SecureString 'xxxxxxx' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('root', $secPswd)
$esx = Get-Cluster xxxx | Get-VMHost

$esx |
ForEach-Object -Process{
Get-VMHostService -VMHost $esx | where { $_.Key -eq 'TSM-SSH' } | Start-VMHostService -Confirm:$false | Out-Null

$session = New-SSHSession -ComputerName $esx.Name -Credential $cred –AcceptKey
Invoke-SSHCommand -SSHSession $session -Command $cmdSub | select -ExpandProperty Output
Remove-SSHSession -SSHSession $session | Out-Null

Get-VMHostService -VMHost $esx | where { $_.Key -eq 'TSM-SSH' } | Stop-VMHostService -Confirm:$false | Out-Null
}

The errors are clear, one of the strings is missing a quote, and there is a closing curly brace missing.

Also, your code is not exactly a copy of earlier code.
If you want to limit to a specific cluster, you could do

$cmdsub = @'
/etc/init.d/slpd stop;
/etc/init.d/slpd status;
esxcli network firewall ruleset set -r CIMSLP -e 0;
chkconfig slpd off;
chkconfig --list | grep slpd;
'@

$secPswd = ConvertTo-SecureString 'Welcome2019!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('root', $secPswd)

Get-Cluster | Get-VMHost -PipelineVariable esx |
    ForEach-Object -Process {
        Get-VMHostService -VMHost $esx | where { $_.Key -eq 'TSM-SSH' } | Start-VMHostService -Confirm:$false | Out-Null

        $session = New-SSHSession -ComputerName $esx.Name -Credential $cred –AcceptKey
        Invoke-SSHCommand -SSHSession $session -Command $cmdSub | select -ExpandProperty Output
        Remove-SSHSession -SSHSession $session | Out-Null

        Get-VMHostService -VMHost $esx | where { $_.Key -eq 'TSM-SSH' } | Stop-VMHostService -Confirm:$false | Out-Null
    }

Thanks Lucd.

I exactly copied the same what you given but still same error.

At C:\Users\mishrad\Desktop\slpdtest.ps1:16 char:90
+ ... w-SSHSession -ComputerName $esx.Name -Credential $cred –"AcceptKey"
+ ~
The string is missing the terminator: ".
At C:\Users\mishrad\Desktop\slpdtest.ps1:13 char:29
+ ForEach-Object -Process {
+ ~
Missing closing '}' in statement block or type definition.
+ CategoryInfo : ParserError: (:) [], ParseException
+ FullyQualifiedErrorId : TerminatorExpectedAtEndOfString

Can you attach your script as a file?

Thanks Lucd for quick response.

I think notepad++ was causing some parameters difference, i copied it in notepad and now scipt started running fine but I am getting below error now. Now getting different error, please see below. I also attached the script file

New-SSHSession : A positional parameter cannot be found that accepts argument '–AcceptKey'.
At C:\Users\mishrad\Desktop\slpdtest1.ps1:16 char:20
+ ... $session = New-SSHSession -ComputerName $esx.Name -Credential $cred ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [New-SSHSession], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,SSH.NewSshSession

Invoke-SSHCommand : Cannot bind argument to parameter 'SSHSession' because it is null.
At C:\Users\mishrad\Desktop\slpdtest1.ps1:17 char:39
+ Invoke-SSHCommand -SSHSession $session -Command $cmdSub | sel ...
+ ~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Invoke-SSHCommand], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Invoke-SSHCommand

New-SSHSession : A positional parameter cannot be found that accepts argument '–AcceptKey'.
At C:\Users\mishrad\Desktop\slpdtest1.ps1:16 char:20
+ ... $session = New-SSHSession -ComputerName $esx.Name -Credential $cred ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [New-SSHSession], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,SSH.NewSshSession

Invoke-SSHCommand : Cannot bind argument to parameter 'SSHSession' because it is null.
At C:\Users\mishrad\Desktop\slpdtest1.ps1:17 char:39
+ Invoke-SSHCommand -SSHSession $session -Command $cmdSub | sel ...
+ ~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Invoke-SSHCommand], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Invoke-SSHCommand

Get-VMHostService : 3/11/2021 5:38:04 AM Get-VMHostService Object reference not set to an instance of an objec
At C:\Users\mishrad\Desktop\slpdtest1.ps1:14 char:9
+ Get-VMHostService -VMHost $esx | where { $_.Key -eq 'TSM-SSH' ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-VMHostService], VimException
+ FullyQualifiedErrorId : Core_BaseCmdlet_UnknownError,VMware.VimAutomation.ViCore.Cmdlets.Commands.Host.GetVMHostService

New-SSHSession : A positional parameter cannot be found that accepts argument '–AcceptKey'.
At C:\Users\mishrad\Desktop\slpdtest1.ps1:16 char:20
+ ... $session = New-SSHSession -ComputerName $esx.Name -Credential $cred ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [New-SSHSession], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,SSH.NewSshSession

Invoke-SSHCommand : Cannot bind argument to parameter 'SSHSession' because it is null.
At C:\Users\mishrad\Desktop\slpdtest1.ps1:17 char:39
+ Invoke-SSHCommand -SSHSession $session -Command $cmdSub | sel ...
+ ~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Invoke-SSHCommand], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Invoke-SSHCommand

Get-VMHostService : 3/11/2021 5:38:04 AM Get-VMHostService Object reference not set to an instance of an objec
At C:\Users\mishrad\Desktop\slpdtest1.ps1:20 char:9
+ Get-VMHostService -VMHost $esx | where { $_.Key -eq 'TSM-SSH' ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-VMHostService], VimException
+ FullyQualifiedErrorId : Core_BaseCmdlet_UnknownError,VMware.VimAutomation.ViCore.Cmdlets.Commands.Host.GetVMHostService

New-SSHSession : A positional parameter cannot be found that accepts argument '–AcceptKey'.
At C:\Users\mishrad\Desktop\slpdtest1.ps1:16 char:20
+ ... $session = New-SSHSession -ComputerName $esx.Name -Credential $cred ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [New-SSHSession], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,SSH.NewSshSession

Invoke-SSHCommand : Cannot bind argument to parameter 'SSHSession' because it is null.
At C:\Users\mishrad\Desktop\slpdtest1.ps1:17 char:39
+ Invoke-SSHCommand -SSHSession $session -Command $cmdSub | sel ...
+ ~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Invoke-SSHCommand], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Invoke-SSHCommand

Looks like some lines got split.
Attached my original version

Thanks a ton Lucd, it helped !!!

I am getting error for some of hosts but don't know which host having that error, is there anyway to get host name in output so that we can know where it executed sucessfully.

You could add a Write-Host in the loop.

    ForEach-Object -Process {
        Write-Host "Looking at $($esx.Name)"

HI Lucid 

Am getting below errors can you suggest on this 

New-SSHSession : Could not load file or assembly 'Renci.SshNet, Version=2016.1.0.0, Culture=neutral, PublicKeyToken=1cee9f8bde3db106' or one of its dependencies. The system cannot
find the file specified.
At line:16 char:20
+ ... $session = New-SSHSession -ComputerName $esx.Name -Credential $cred ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-SSHSession], FileNotFoundException
+ FullyQualifiedErrorId : System.IO.FileNotFoundException,SSH.NewSshSession

Invoke-SSHCommand : Cannot bind argument to parameter 'SSHSession' because it is null.
At line:17 char:39
+ Invoke-SSHCommand -SSHSession $session -Command $cmdSub | sel ...
+ ~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Invoke-SSHCommand], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Invoke-SSHCommand

That seems to be a known issue with Posh-SSH on Windows 2019.
You could try the bypass described there

HI Lucid 

Can you pelase help on this where need to bypass this 

Did you check the Lockdown Mode under Security Profile for those ESXi 7 nodes?

Hi Lucd,

Can you please  make the same script to work for multiple ESXi servers having different credentials, we can also import the ESXi server details and its credentials from a CSV/txt file. 

Please don't cross-post

Lucd, can you please provide me with single script which address Openspl on multiple ESXi servers and to track the ESXi servers names on which the script did not perform the task (Note - All my ESXi servers have different credentials) 

Any help to have a consolidated script to address Openspl on multiple ESXi servers and to track the ESXi servers names on which the script did not perform the task (Note - All my ESXi servers have different credentials) 

Hello Bean78,

I'm usually not like that, but a THANK YOU might be appropriate instead of always asking for immediate help!!

Did you connect to your vCenter server beforehand? Before you run the script, please issue the command "Connect-VIServer -Server YourvCenterName -User YourUsername". Then please execute the following commands to test what the problem is with you:

Sorry about, thankyou and excellent support for your guidance and your help. The script worked as expected.

$ESXArray = @(
    New-Object PSObject -Property @{Hostname = 'ServerNameONE';  Password = 'Passw0rd1'}
    New-Object PSObject -Property @{Hostname = 'ServerNameTWO';  Password = 'Passw0rd2'}
    New-Object PSObject -Property @{Hostname = 'ServerNameThree';  Password = 'Passw0rd3'}
)

$cmdsub = @'
/etc/init.d/slpd stop;
/etc/init.d/slpd status;
esxcli network firewall ruleset set -r CIMSLP -e 0;
chkconfig slpd off;
chkconfig --list | grep slpd;
'@

foreach($ESXHostObject in $ESXArray)
{
    Write-Host "Processing $($ESXHostObject.Hostname)"
    $secPswd = ConvertTo-SecureString $($ESXHostObject.Password) -AsPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential ('root', $secPswd)
    $ESXHost = Get-VMHost -Name $ESXHostObject.Hostname
    Get-VMHostService -VMHost $ESXHost | where{$_.Key -eq 'TSM-SSH'} | Start-VMHostService -Confirm:$false | Out-Null
    $session = New-SSHSession -ComputerName $ESXHost.Name -Credential $cred –AcceptKey
    Invoke-SSHCommand -SSHSession $session -Command $cmdSub | Select -ExpandProperty Output
    Remove-SSHSession -SSHSession $session | Out-Null
    Get-VMHostService -VMHost $ESXHost | where{$_.Key -eq 'TSM-SSH'} | Stop-VMHostService -Confirm:$false | Out-Null
}

i obtain the following error, when i run this script, can you please help..

Get-VMHostService : Cannot bind parameter 'VMHost'. Cannot convert the "" value of type "System.Management.Automation.PSCustomObject" to type
"VMware.VimAutomation.ViCore.Types.V1.Inventory.VMHost".
At line:20 char:31
+ Get-VMHostService -VMHost $ESXHostObject | where{$_.Key -eq 'TSM- ...
+ ~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-VMHostService], ParameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgumentNoMessage,VMware.VimAutomation.ViCore.Cmdlets.Commands.Host.GetVMHostService

New-SSHSession : No connection could be made because the target machine actively refused it
At line:21 char:16
+ ... $session = New-SSHSession -ComputerName $ESXHost.Name -Credential $c ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Renci.SshNet.SshClient:SshClient) [New-SSHSession], SocketException
+ FullyQualifiedErrorId : SSH.NewSshSession

Invoke-SSHCommand : Cannot bind argument to parameter 'SSHSession' because it is null.
At line:22 char:35
+ Invoke-SSHCommand -SSHSession $session -Command $cmdSub | Select ...
+ ~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Invoke-SSHCommand], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Invoke-SSHCommand

Hi Lucd,

How to check the status SLP on multiple ESXI host's using script or single command.

Regards,

Kumar.

Have a look at Solved: Re: SLPD service - Show a list of host and if the ... - VMware Technology Network VMTN

Hello,

Can't this be set using:

$ESXi = Get-VMHost xpto
$slpd = $ESXi | Get-VMHostService | Where {$_.key -eq "slpd"}

if(($slpd.policy -eq "on") -or ($slpd.policy -eq "automatic"))
{
$slpd | set-VMHostService -Policy Off -Confirm:$false
}

if ($slpd.running)
{
$slpd | Stop-VMHostService -Confirm:$false
}

Thank you

I don't think that this will make the change persistent across reboots of the ESXi node.
That's what the chkconfig command is doing.

Hi Luc ,

I have two requests to you.

1 - I am trying to use multiple hosts like below in your above script but its not working 

$esxName = @("myesxi1","myesxi2") 

$esx = Get-VMHost -Name $esxName

$cmdsub = @'

/etc/init.d/slpd stop;

/etc/init.d/slpd status;

esxcli network firewall ruleset set -r CIMSLP -e 0;

chkconfig slpd off;

chkconfig --list | grep slpd;

'@

$secPswd = ConvertTo-SecureString 'ESXI510U2' -AsPlainText -Force

$cred = New-Object System.Management.Automation.PSCredential ('root', $secPswd)

Get-VMHostService -VMHost $esx | where{$_.Key -eq 'TSM-SSH'} | Start-VMHostService -Confirm:$false | Out-Null

$session = New-SSHSession -ComputerName $esx.Name -Credential $cred –AcceptKey

Invoke-SSHCommand -SSHSession $session -Command $cmdSub | Select -ExpandProperty Output

Remove-SSHSession -SSHSession $session | Out-Null

Get-VMHostService -VMHost $esx | where{$_.Key -eq 'TSM-SSH'} | Stop-VMHostService -Confirm:$false | Out-Null

2 - We have standalone ESXi hosts around 178 and your original script is not working for them too, can you help on this as well (again password is same for all)

Hi,

by setting up the policy to off the slpd service will not start after the esxi reboots, exactly the same way that ssh service doesn’t start after the esxi reboots if the policy is set to off on this service as well

The above PowerCLI example works well with persistently disabling the service.

$slpd | set-VMHostService -Policy Off -Confirm:$false

(which is the same as setting the service to manual in the vSphere client)

results into the service being disabled. If you check on the cli with chkconfig after executing the script, you can see that the service had been changed to "off".

From my point of view, this is a much better solution than enabling ssh and executing remote commands. Or do you see any other disadvantage?

Thanks!

Since you work for VMware I assume you know best.
Perhaps ask internally to update KB76372?

 am getting below error while executing script, I copied script as it is..

At C:\Users\mishrad\Desktop\slpdtest.ps1:16 char:79
+ ... New-SSHSession -ComputerName $esx.Name -Credential $cred â?"AcceptKey
+ ~~~~~~~~~~
The string is missing the terminator: ".
At C:\Users\mishrad\Desktop\slpdtest.ps1:13 char:29
+ ForEach-Object -Process {
+ ~
Missing closing '}' in statement block or type definition.
+ CategoryInfo : ParserError: (:) [], ParseException
+ FullyQualifiedErrorId : TerminatorExpectedAtEndOfString

Hi Lex,

Sorry i am weak in scripting and i did not understand where to mention my ESXi list here in your script.

LucD,

Script is working for 6.x ESXi hosts, but not for 7.x. It throws an error at the below line -

$session = New-SSHSession -ComputerName $esx.Name -Credential $cred –AcceptKey

New-SSHSession : An established connection was aborted by the server.

At C:\Scripts\SLPD\slpd.ps1:12 char:12

+ $session = New-SSHSession -ComputerName $esx.Name -Credential $cred – ...

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ CategoryInfo : SecurityError: (Renci.SshNet.SshClient:SshClient) [New-SSHSession], SshConnectionException

Looks like the ESXi refuses the SSH connection.
That could be that the service is not running or that there are FW rules that prohibit it.

SSH service is getting started. There is no issue with that. However, the same script is working on ESXi host 6.5 -

$esxName = 'MyEsx'
$esx = Get-VMHost -Name $esxName
$cmdsub = @'
/etc/init.d/slpd stop;
/etc/init.d/slpd status;
esxcli network firewall ruleset set -r CIMSLP -e 0;
chkconfig slpd off;
chkconfig --list | grep slpd;
'@
$cred = get-credential
Get-VMHostService -VMHost $esx | where{$_.Key -eq 'TSM-SSH'} | Start-VMHostService -Confirm:$false | Out-Null
$session = New-SSHSession -ComputerName $esx.Name -Credential $cred –AcceptKey
Invoke-SSHCommand -SSHSession $session -Command $cmdSub | Select -ExpandProperty Output
Remove-SSHSession -SSHSession $session | Out-Null
Get-VMHostService -VMHost $esx | where{$_.Key -eq 'TSM-SSH'} | Stop-VMHostService -Confirm:$false | Out-Null

Ansible playbook to apply Workaround for OpenSLP security vulnerability in ESXi 6.x

https://gist.github.com/szemmali/6b2c257f8567cda1dbb92b8e92f3e06c