OpenSLP vulnerabilities have been disclosed that affect ESXi. These vulnerabilities and their impact on VMware products are documented in the following VMware Security Advisories (VMSAs), please review these before continuing as there may be considerations outside the scope of this document:

VMSA-2022-0030 (CVE-2022-31699)

VMSA-2021-0014 (CVE-2021-21995) – Click here for further information on the advisory

VMSA-2021-0002 (CVE-2021-21974)

VMSA-2020-0023 (CVE-2020-3992)

VMSA-2019-0022 (CVE-2019-5544)

The ESXi team has investigated these vulnerabilities and determined that the possibility of exploitation can be removed by performing the steps detailed in the resolution section of this article. This workaround is meant to be a temporary solution only and customers are advised to deploy the patches documented in the aforementioned VMSAs.

Warning:

This workaround is applicable ONLY to ESXi. Do not apply this workaround to other VMware products.

Functionality Impacts:

With the workaround, CIM clients which uses SLP to find CIM servers over port #427 will not be able to locate the service.

There is no requirement to reboot the ESXi host to disable/enable the service

Solution
Details on the available powercli options to disable the service are documented here

To implement the workaround perform the following steps:

1 Login to the ESXi hosts using an SSH session (such as putty)

2 Stop the SLP service on the ESXi host with this command:

/etc/init.d/slpd stop

Note: The SLP service can only be stopped when the service is not in use. Use the following command to view the operational state of Service Location Protocol Daemon:

esxcli system slp stats get

3 Run the following command to disable the SLP service:

esxcli network firewall ruleset set -r CIMSLP -e 0

To make this change persist across reboots:

chkconfig slpd off

To check if the change is applied across reboots:

chkconfig --list | grep slpd
output: slpd off

To remove the workaround perform the following steps:

1. Run the following command to enable the ruleset of SLP service:

esxcli network firewall ruleset set -r CIMSLP -e 1

2. Run the following command to change the current startup information of slpd service:

chkconfig slpd on

Run the following command to check if the change is applied after running the above step (Step 2#):

chkconfig --list | grep slpd
output: slpd on

3. Run the following command to start the SLP service:

/etc/init.d/slpd start

4. Disable and enable the CIM agent, see How to disable or enable the CIM agent on the ESX/ESXi host

Later versions of ESXi report the SLPD service in the vCenter GUI

1. To check if you can update the SLP service via the vSphere client, login to the vCenter

2. Select the ESXi host and click on “Configure” — “Services”. Look for SLP in the list
If SLP is not listed, then use the process detailed above

3. Select SLPD and click on “Stop” and then click “Ok”

4. Select ” Edit Startup Policy” and select “Start and stop with host”. Click Ok

5. Reverse the steps above to re-enable the service

If you need help with server administration, you can order the Server Administration service from Unihost