Mitigate OpenSLP and SFCB vulnerabilities in ESXi : Syneto

Description

This document describes mitigation measures that need to be taken to avoid impact from vulnerabilities in OpenSLP and SFCB on ESXi as they are documented in CVE-2021-21972, CVE-2021-21973, CVE-2021-21974 and VMware knowledge base.

For further details, please consult the following KB articles from VMware:

https://kb.vmware.com/s/article/76372

SynetoOS is using CIMServer services internally for management of the boot disks.

Affected products and versions

ESXi versions 7.x prior to ESXi70U1c-17325551
ESXi versions 6.7.x prior to ESXi670-202102401-SG
ESXi versions 6.5.x prior to ESXi650-202102101-SG

The latest release of ESXi (6.7 and 7.x) released by Syneto is not affected by the vulnerability.

Remediations

There are two methods to mitigate the situation.

The immediate fix, that does not require a reboot:

1. Modify the ESXi firewall rules to permit connections on the affected ports only from the internal SynetoOS network. This change can be performed from the command line or from the ESXi Web Client.

Access to the vulnerable services will be permitted ONLY from the SynetoOS internal IP address (172.16.254.2). The changes can be performed from the ESXi command line or from the ESXi GUI:

From the ESXi GUI:

Go to Networking -> Firewall rules. Filter with the word "CIM". Select each of the three services, click on Edit settings and permit only the SynetoOS internal IP address - 172.16.254.2

From the ESXi command line, run the following commands.

To disable access to OpenSLP (port 427)

esxcli network firewall ruleset set --ruleset-id CIMSLP --allowed-all false
esxcli network firewall ruleset allowedip add --ruleset-id CIMSLP --ip-address 172.16.254.2

To disable access to CIMServer (port 5988 for http, port 5989 for https)

esxcli network firewall ruleset set --ruleset-id CIMHttpServer --allowed-all false
esxcli network firewall ruleset allowedip add --ruleset-id CIMHttpServer --ip-address 172.16.254.2

esxcli network firewall ruleset set --ruleset-id CIMHttpsServer --allowed-all false
esxcli network firewall ruleset allowedip add --ruleset-id CIMHttpsServer --ip-address 172.16.254.2

The permanent fix for the problem.

2. Upgrade to the SynetoOS version of VMware ESXi available that includes the patch.

Version 7.x

https://helpdesk.syneto.eu/a/solutions/articles/11000109448?lang=en

Product: VMware ESXi
 Version: 7.0.3
   Build: Releasebuild-19193900
   Update: 3
   Patch: 20

Version 6.7.x

https://helpdesk.syneto.eu/a/solutions/articles/11000067843?lang=en

Product: VMware ESXi
   Version: 6.7.0
   Build: Releasebuild-17499825
   Update: 3
   Patch: 134

Verify your version of ESXi from GUI or SSH

SSH

esxcli system version get

Mitigate OpenSLP and SFCB vulnerabilities in ESXi

Related Articles