This document describes the mitigation measures needed to avoid impact from the vulnerabilities in OpenSLP and SFCB on ESXi documented in CVE-2021-21972, CVE-2021-21973, CVE-2021-21974 and the VMware knowledge base.
SynetoOS uses the CIMServer services internally to manage the boot disks.
Affected products and versions
The latest ESXi releases (6.7 and 7.x) published by Syneto are not affected by these vulnerabilities.
There are two ways to mitigate the issue.
The immediate fix, which does not require a reboot:
1. Modify the ESXi firewall rules so that connections on the affected ports are permitted only from the internal SynetoOS network. After the change, access to the vulnerable services is permitted ONLY from the SynetoOS internal IP address (172.16.254.2). The change can be performed from the ESXi command line or from the ESXi GUI (Web Client):
From the ESXi GUI:
Go to Networking -> Firewall rules. Filter with the word "CIM". Select each of the three services, click on Edit settings and permit only the SynetoOS internal IP address, 172.16.254.2.
From the ESXi command line, run the following commands.
To restrict access to OpenSLP (port 427) to the SynetoOS internal address:
esxcli network firewall ruleset set --ruleset-id CIMSLP --allowed-all false
esxcli network firewall ruleset allowedip add --ruleset-id CIMSLP --ip-address 172.16.254.2
To restrict access to CIMServer (port 5988 for HTTP, port 5989 for HTTPS) to the SynetoOS internal address:
esxcli network firewall ruleset set --ruleset-id CIMHttpServer --allowed-all false
esxcli network firewall ruleset allowedip add --ruleset-id CIMHttpServer --ip-address 172.16.254.2
esxcli network firewall ruleset set --ruleset-id CIMHttpsServer --allowed-all false
esxcli network firewall ruleset allowedip add --ruleset-id CIMHttpsServer --ip-address 172.16.254.2
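A verification helper for the command-line procedure above, added here as an example and not part of the Syneto advisory. It checks that each of the three rulesets (CIMSLP, CIMHttpServer, CIMHttpsServer) permits exactly 172.16.254.2 and nothing else, and prints the remediation commands for any ruleset that is still open. It assumes the output of "esxcli network firewall ruleset allowedip list" lists one ruleset per line followed by "All" or the permitted addresses; the sample output embedded in the script is constructed.

```shell
#!/bin/sh
# Added verification helper (not part of the Syneto advisory). Assumes the
# column layout of "esxcli network firewall ruleset allowedip list": ruleset
# name, then either "All" or a comma-separated list of permitted addresses.
ALLOWED_IP="172.16.254.2"
RULESETS="CIMSLP CIMHttpServer CIMHttpsServer"

# Print the two esxcli commands from the advisory that restrict one ruleset.
mitigation_commands() {
  printf '%s\n' "esxcli network firewall ruleset set --ruleset-id $1 --allowed-all false"
  printf '%s\n' "esxcli network firewall ruleset allowedip add --ruleset-id $1 --ip-address $ALLOWED_IP"
}

# check_ruleset RULESET_ID LIST_OUTPUT
# Succeeds only if LIST_OUTPUT shows RULESET_ID permitting exactly ALLOWED_IP;
# an "All" entry, an extra address or a missing ruleset all fail.
check_ruleset() {
  allowed=$(printf '%s\n' "$2" | awk -v rs="$1" '$1 == rs { $1 = ""; sub(/^ +/, ""); print; exit }')
  [ "$allowed" = "$ALLOWED_IP" ]
}

# check_all LIST_OUTPUT: report every ruleset named in the advisory and return
# non-zero if any of them is still reachable from other addresses.
check_all() {
  rc=0
  for rs in $RULESETS; do
    if check_ruleset "$rs" "$1"; then
      echo "OK   $rs restricted to $ALLOWED_IP"
    else
      echo "FAIL $rs not restricted to $ALLOWED_IP; apply:"
      mitigation_commands "$rs" | sed 's/^/     /'
      rc=1
    fi
  done
  return $rc
}

# Constructed sample: the two CIM server rulesets are fixed, CIMSLP is not.
SAMPLE_OUTPUT='Ruleset          Allowed IP Addresses
---------------  --------------------
CIMHttpServer    172.16.254.2
CIMHttpsServer   172.16.254.2
CIMSLP           All
sshServer        All'

if check_all "$SAMPLE_OUTPUT"; then echo "all CIM rulesets restricted"; fi
```

On an ESXi host, run check_all "$(esxcli network firewall ruleset allowedip list)" in place of the constructed sample.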
The permanent fix, which requires an upgrade:
2. Upgrade to the latest Syneto release of VMware ESXi, which includes the patch.
Product: VMware ESXi
Verify your ESXi version from the GUI or over SSH:
esxcli system version get