LEARN – Disabling ESXi OpenSLP heap-overflow vulnerability (CVE-2021-21974)

October 12, 2021 | ESXi, Uncategorized, VMware | neudorfer

Description –


OpenSLP as used in ESXi has a heap-overflow vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8.


Functionality Impacts –


With the workaround, CIM clients that use SLP to find CIM servers over port 427 will not be able to locate the service.
There is no requirement to reboot the ESXi host to disable or enable the service.

Solution
Details on the available PowerCLI options to disable the service are documented here

To implement the workaround perform the following steps:

1 Log in to the ESXi hosts using an SSH session (such as PuTTY)

2 Stop the SLP service on the ESXi host with this command:
/etc/init.d/slpd stop

3 Run the following command to disable the SLP service:
esxcli network firewall ruleset set -r CIMSLP -e 0

To make this change persist across reboots:
chkconfig slpd off

To check if the change is applied across reboots:
chkconfig --list | grep slpd
output: slpd off
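
To confirm on each host that both the firewall ruleset and the boot-time setting from the steps above are in place, a small audit script can parse the command output. This is an added example, not part of the original post or of VMware's guidance; the function names are hypothetical, the two-column Name/Enabled layout of the esxcli network firewall ruleset list output is an assumption, and the sample text used when esxcli is absent is constructed.

```shell
#!/bin/sh
# Added example: audit whether the SLP workaround is in place.
# The parsers read command output on stdin so they can be exercised offline.

# Boot-time state of slpd from `chkconfig --list` text: on | off | missing
slp_boot_state() {
    awk '$1 == "slpd" { print $2; f = 1; exit } END { if (!f) print "missing" }'
}

# CIMSLP state from `esxcli network firewall ruleset list` text:
# true | false | missing (Name/Enabled column layout is an assumption)
slp_ruleset_state() {
    awk '$1 == "CIMSLP" { print $2; f = 1; exit } END { if (!f) print "missing" }'
}

# Combine both states into a verdict; returns 0 only when both are disabled.
slp_verdict() {
    v_boot=$1
    v_rule=$2
    if [ "$v_boot" = "off" ] && [ "$v_rule" = "false" ]; then
        echo "OK: slpd off at boot, CIMSLP ruleset disabled"
        return 0
    fi
    [ "$v_boot" = "off" ] ||
        echo "FAIL: slpd boot state is '$v_boot' (run: chkconfig slpd off)"
    [ "$v_rule" = "false" ] ||
        echo "FAIL: CIMSLP ruleset is '$v_rule' (run: esxcli network firewall ruleset set -r CIMSLP -e 0)"
    return 1
}

if command -v esxcli >/dev/null 2>&1; then
    # On an ESXi host: read the live state.
    boot=$(chkconfig --list | slp_boot_state)
    rule=$(esxcli network firewall ruleset list | slp_ruleset_state)
else
    # Elsewhere: constructed sample output, so the script still runs offline.
    boot=$(printf 'sfcbd-watchdog  on\nslpd            off\n' | slp_boot_state)
    rule=$(printf 'Name       Enabled\nsshServer  true\nCIMSLP     false\n' | slp_ruleset_state)
fi
slp_verdict "$boot" "$rule" || echo "Workaround is incomplete on this host"
```

A "missing" state means the entry was not found in the output at all, which is reported as a failure rather than treated as disabled.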
