Skip to content

Instantly share code, notes, and snippets.

@szemmali

szemmali/ESXi-SLP-vulnerability.yml Secret

Created February 25, 2021 20:30
Show Gist options
  • Star 2 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save szemmali/6b2c257f8567cda1dbb92b8e92f3e06c to your computer and use it in GitHub Desktop.
Save szemmali/6b2c257f8567cda1dbb92b8e92f3e06c to your computer and use it in GitHub Desktop.
Download ZIP
Raw
ESXi-SLP-vulnerability.yml
---
- name: Workaround for OpenSLP security vulnerability in ESXi 6.7
hosts: all
tasks:
- name: Stopping the SLP service
shell: /etc/init.d/slpd stop
register: slpd_stop
- name: Print Stopping the SLP service
debug:
msg: "{{slpd_stop.stdout }}"
- name: Disable the SLP service
shell: esxcli network firewall ruleset set -r CIMSLP -e 0
- name: change persist across reboots
shell: chkconfig slpd off
- name: Check if the change is applied across reboots
shell: chkconfig --list | grep slpd
register: check_change
- name: Print the result of change
debug:
msg: "{{check_change.stdout }}"
@johnsondnz
Copy link

johnsondnz commented Mar 11, 2021
edited

Thanks for publishing this @szemmali.
For those using transient host architecture with autodeploy which cannot manage SLP and wish to periodically run this, we enhanced this playbook a little

- name: Workaround for OpenSLP security vulnerability in ESXi 6.7
  hosts: esx_hosts
  gather_facts: no

  tasks:
    - name: Check is slpd is running
      shell: /etc/init.d/slpd status
      changed_when: false
      # /etc/init.d/slpd always returns non-zero return code if the service is already stopped
      # so just ensure return_code has been received
      failed_when: slpd_state.rc is not defined
      register: slpd_state

    - name: Stopping the SLP service
      shell: /etc/init.d/slpd stop
      register: slpd_stop
      when: "'slpd is running' in slpd_state.stdout_lines[0]"

    - name: Test Stopping the SLP service
      assert:
        that: "slpd_stop.stdout == 'Stopping slpd'"
        success_msg: "[PASS] SLP stopped successfully"
        fail_msg : "[FAIL] SLP service did not stop as intended, manually remediation required"
      when: slpd_stop is changed

    - name: Disable the SLP service
      shell: esxcli network firewall ruleset set -r CIMSLP -e 0

    - name: Check CIMSLP firewall rule status
      shell: esxcli network firewall ruleset list | grep CIMSLP
      changed_when: false
      register: cimslp_status

    - name: Test CIMSLP firewall rule is false
      assert:
        that:
          - "'CIMSLP' in cimslp_status.stdout_lines[0]"
          - "'false' in cimslp_status.stdout_lines[0]"
        success_msg: "[PASS] CIMSLP firewall rule disablled successfully"
        fail_msg: "[FAIL] CIMSLP firewall rule is not disabled, manually remediation required"

    - name: change persist across reboots
      shell: chkconfig slpd off

    - name: Check if the change is applied across reboots
      shell: chkconfig --list | grep slpd
      changed_when: false
      register: check_change

    - name: Test that slpd service is now prevented from starting at boot-time
      assert:
        that:
          - "'slpd' in check_change.stdout_lines[0]"
          - "'off' in check_change.stdout_lines[0]"
        success_msg: "[PASS] slpd boot-time start stopped successfully"
        fail_msg : "[FAIL] slpd service boot-time setting did not take, manually remediation required"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment