Description


This document describes the mitigation measures needed to avoid impact from the vulnerabilities in OpenSLP and SFCB (the CIM server) on ESXi that are documented in VMware advisory VMSA-2021-0002 (CVE-2021-21972, CVE-2021-21973, CVE-2021-21974) and in the VMware knowledge base. The ESXi-side issue is CVE-2021-21974, a heap overflow in the OpenSLP service (port 427) that an attacker on the same network segment can reach without authentication; CVE-2021-21972 and CVE-2021-21973 concern vCenter Server.


For further details, consult the following VMware KB article:

https://kb.vmware.com/s/article/76372


SynetoOS uses the CIM server (SFCB) on ESXi internally to manage the boot disks, so the affected services cannot simply be disabled. Instead, access to them must be restricted to the SynetoOS internal address until the host is patched.



Affected products and versions


  • ESXi versions 7.x prior to ESXi70U1c-17325551
  • ESXi versions 6.7.x prior to ESXi670-202102401-SG
  • ESXi versions 6.5.x prior to ESXi650-202102101-SG



The latest ESXi releases (6.7 and 7.x) shipped by Syneto are not affected by the vulnerability.



Remediations


There are two ways to address this: an immediate workaround that needs no reboot, and a permanent fix by upgrading.


1. The immediate fix, which does not require a reboot:


Modify the ESXi firewall rules so that the affected ports accept connections only from the internal SynetoOS network. After the change, access to the vulnerable services is permitted ONLY from the SynetoOS internal IP address (172.16.254.2). Do not disable the three rulesets outright; SynetoOS depends on them. The change can be made from the ESXi command line or from the ESXi Host Client GUI:


From the ESXi GUI:


Go to Networking -> Firewall rules and filter with the word "CIM". Three services are listed (they correspond to the CIMSLP, CIMHttpServer and CIMHttpsServer rulesets used below). For each of them, click Edit settings, choose to allow connections only from specific networks, and enter only the SynetoOS internal IP address - 172.16.254.2.


From the ESXi command line (SSH or the DCUI shell), run the following commands. For each ruleset the allowed address is added first and the ruleset is then switched from "allow all" to its allowed-IP list; in that order the SynetoOS management path is never interrupted, because the allowed-IP list is not enforced while allowed-all is still true. The settings take effect immediately and persist across reboots.

To restrict access to OpenSLP (port 427, TCP and UDP) to the SynetoOS address:

esxcli network firewall ruleset allowedip add --ruleset-id CIMSLP --ip-address 172.16.254.2
esxcli network firewall ruleset set --ruleset-id CIMSLP --allowed-all false


To restrict access to the CIM server (port 5988 for HTTP, port 5989 for HTTPS):

esxcli network firewall ruleset allowedip add --ruleset-id CIMHttpServer --ip-address 172.16.254.2
esxcli network firewall ruleset set --ruleset-id CIMHttpServer --allowed-all false


esxcli network firewall ruleset allowedip add --ruleset-id CIMHttpsServer --ip-address 172.16.254.2
esxcli network firewall ruleset set --ruleset-id CIMHttpsServer --allowed-all false
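The same procedure as a small script, with a verification step, is given here as an added example; it is not a script shipped by Syneto or VMware. It assumes the busybox ash shell of ESXi, the SynetoOS address 172.16.254.2 from this article, and the default table layout of `esxcli network firewall ruleset list` (columns Name, Enabled) and `esxcli network firewall ruleset allowedip list` (columns Ruleset, Allowed IP Addresses, printed as "All" while a ruleset is unrestricted). The ESXCLI variable exists so the script can be pointed at a wrapper (for example `ssh host esxcli`) or at a stand-in for a dry run.

```shell
#!/bin/sh
# Added example (not Syneto's or VMware's own code): restrict the three ESXi
# rulesets that expose OpenSLP (427) and the SFCB CIM server (5988/5989) to the
# SynetoOS internal address, then verify that each one is still enabled, no
# longer open to "All", and lists exactly the expected address.
# Assumptions: ESXi busybox ash; default esxcli table output; ESXCLI may be
# overridden with a wrapper such as "ssh host esxcli" for remote use.
set -e

ESXCLI="${ESXCLI:-esxcli}"
ALLOWED_IP="${ALLOWED_IP:-172.16.254.2}"
RULESETS="CIMSLP CIMHttpServer CIMHttpsServer"

# Add the allowed source first: while allowed-all is still true the list is not
# enforced, so SynetoOS never loses access, not even for a moment.
restrict_ruleset() {
  rs="$1"; ip="$2"
  $ESXCLI network firewall ruleset allowedip add --ruleset-id "$rs" --ip-address "$ip"
  $ESXCLI network firewall ruleset set --ruleset-id "$rs" --allowed-all false
}

# Rollback: reopen the ruleset, then drop the explicit entry.
restore_ruleset() {
  rs="$1"; ip="$2"
  $ESXCLI network firewall ruleset set --ruleset-id "$rs" --allowed-all true
  $ESXCLI network firewall ruleset allowedip remove --ruleset-id "$rs" --ip-address "$ip"
}

# Returns 0 only if the ruleset is enabled (SynetoOS needs it), is not "All",
# and its allowed-IP list contains the expected address.
verify_ruleset() {
  rs="$1"; ip="$2"
  enabled=$($ESXCLI network firewall ruleset list --ruleset-id "$rs" \
            | awk -v rs="$rs" '$1 == rs { print $2 }')
  [ "$enabled" = "true" ] || return 1
  allowed=$($ESXCLI network firewall ruleset allowedip list --ruleset-id "$rs" \
            | awk -v rs="$rs" '$1 == rs { $1 = ""; sub(/^ +/, ""); print }')
  case "$allowed" in
    ""|All) return 1 ;;            # unknown ruleset, or still open to everyone
  esac
  case ", $allowed," in
    *", $ip,"*) return 0 ;;        # entries are printed comma-separated
  esac
  return 1
}

restrict_all() { for rs in $RULESETS; do restrict_ruleset "$rs" "$ALLOWED_IP"; done; }
restore_all()  { for rs in $RULESETS; do restore_ruleset  "$rs" "$ALLOWED_IP"; done; }
verify_all() {
  for rs in $RULESETS; do
    verify_ruleset "$rs" "$ALLOWED_IP" || { echo "NOT restricted: $rs" >&2; return 1; }
    echo "restricted to $ALLOWED_IP: $rs"
  done
}

case "${1:-}" in
  apply)   restrict_all && verify_all ;;
  verify)  verify_all ;;
  restore) restore_all ;;
  "")      ;;                      # no argument: only define the functions
  *)       echo "usage: $0 apply|verify|restore" >&2 ;;
esac
```

Run it as `sh restrict-cim.sh apply` on the host; `verify` can be re-run at any time (for example after a firmware or ESXi update) to confirm the restriction is still in place, and `restore` undoes it once the host has been upgraded to a patched build.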


2. The permanent fix: upgrade to the Syneto-provided ESXi version that includes the patch. The firewall restriction from method 1 can be left in place after the upgrade as defence in depth; the links below lead to the upgrade procedure for each branch.


Version 7.x


 https://helpdesk.syneto.eu/a/solutions/articles/11000109448?lang=en


Product: VMware ESXi
Version: 7.0.3
Build: Releasebuild-19193900
Update: 3
Patch: 20


Version 6.7.x


https://helpdesk.syneto.eu/a/solutions/articles/11000067843?lang=en


Product: VMware ESXi
Version: 6.7.0
Build: Releasebuild-17499825
Update: 3
Patch: 134



Verify your version of ESXi from the GUI or over SSH. The host must report a build number at or above the fixed build for its branch (17325551 for 7.x, 17499825 for 6.7.x).


GUI

In the ESXi Host Client the version, update and build number are shown on the Host page.


SSH

esxcli system version get
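When several hosts have to be checked, the comparison is easier to script than to read by eye. The following is an added example, not a tool from Syneto or VMware: it parses the key: value output of `esxcli system version get` and reports whether the build carries the fix. The minimum builds are the ones named in the affected-versions list above (17325551 for 7.0, 17499825 for 6.7); the 6.5 branch is listed there only by patch name, so it is reported as unknown rather than guessed. The outputs used in the test are constructed.

```shell
#!/bin/sh
# Added example (not Syneto's or VMware's own code): classify an ESXi host as
# patched / vulnerable / unknown for the OpenSLP-SFCB fix from the output of
# "esxcli system version get". Assumptions: busybox ash, the key: value layout
# shown in this article, and the minimum builds listed below.
set -e

# minimum patched build per major.minor branch; empty means "not known here"
min_build_for() {
  case "$1" in
    7.0) echo 17325551 ;;   # ESXi70U1c-17325551
    6.7) echo 17499825 ;;   # ESXi670-202102401-SG
    *)   echo "" ;;         # 6.5 and others: no build number given in this article
  esac
}

# extract one value from "   Key: value" lines (leading spaces tolerated)
field() {
  printf '%s\n' "$2" | awk -F': *' -v k="$1" '$1 ~ "^ *"k"$" { print $2; exit }'
}

# prints patched|vulnerable|unknown and returns 0|1|2 accordingly
esxi_patch_status() {
  out="$1"
  version=$(field Version "$out")                          # e.g. 7.0.3
  build=$(field Build "$out" | sed 's/^Releasebuild-//')   # e.g. 19193900
  branch=$(printf '%s' "$version" | cut -d. -f1,2)         # e.g. 7.0
  min=$(min_build_for "$branch")
  case "$build" in
    ''|*[!0-9]*) echo unknown; return 2 ;;                 # no usable build number
  esac
  if [ -z "$min" ]; then echo unknown; return 2; fi
  if [ "$build" -ge "$min" ]; then echo patched; return 0; fi
  echo vulnerable; return 1
}

# stand-alone use on the host: sh check-esxi-build.sh check
if [ "${1:-}" = check ]; then
  esxi_patch_status "$(esxcli system version get)"
fi
```

The exit status makes the function usable in a loop over hosts, for example feeding `ssh host esxcli system version get` into it and collecting the names of hosts that still report vulnerable.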