ESXiArgs ransomware attacks – How to Disable SLP service on VMware ESXi


VMware has alerted its customers to take immediate action in securing their systems by installing the newest security updates and disabling the OpenSLP service, which has been targeted in a widespread ransomware attack against Internet-accessible and vulnerable ESXi servers.

The ESXiArgs ransomware has been deployed as part of a massive wave of ongoing attacks that has already impacted thousands of vulnerable targets worldwide (over 2,400 servers, according to current data from Censys).

Here's a useful guide to help you turn off the Service Location Protocol (SLP) service in VMware ESXi. Our VMware Support team is available to assist you with any questions or issues you may have.

The following VMware Security Advisories (VMSAs) document OpenSLP vulnerabilities that impact ESXi:

  • VMSA-2022-0030 (CVE-2022-31699)
  • VMSA-2021-0014 (CVE-2021-21995)
  • VMSA-2021-0002 (CVE-2021-21974)
  • VMSA-2020-0023 (CVE-2020-3992)
  • VMSA-2019-0022 (CVE-2019-5544)

It is important to review these VMSAs before proceeding, as there may be other considerations outside the scope of this document. The ESXi team has assessed these vulnerabilities and determined that the risk of exploitation can be eliminated by following the steps outlined in the resolution section of this article. However, this is intended to be a temporary solution only, and it is recommended to apply the patches specified in the VMSAs mentioned above.

How to Disable the SLP service on VMware ESXi

These steps provide instructions to implement a workaround to disable the Service Location Protocol (SLP) on an ESXi host using SSH.

  1. Log in to the ESXi host using an SSH client (e.g., PuTTY)
  2. Stop the SLP service:
    a. Use the command: /etc/init.d/slpd stop
    b. Check the operational state of SLP using: esxcli system slp stats get
  3. Disable the SLP service:
    a. Use the command: esxcli network firewall ruleset set -r CIMSLP -e 0
  4. To make the change persist across reboots:
    a. Use the command: chkconfig slpd off
  5. To verify the change:
    a. Use the command: chkconfig --list | grep slpd
    b. The output should be: slpd off
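
Steps 2 to 5 above as one script for the ESXi shell. This is an added example, not code from the original page or from VMware. The function names, the DRY_RUN switch and the apply argument are assumptions of this example; the commands are the ones listed in the steps.

```shell
#!/bin/sh
# Added example: the steps above wrapped in functions for the ESXi shell.
# DRY_RUN=1 prints each command instead of running it (switch invented here).

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Steps 2-4, in the page's order. Stops at the first failed change.
disable_slp() {
    run /etc/init.d/slpd stop || return 1                              # 2a
    run esxcli system slp stats get || true                            # 2b, informational
    run esxcli network firewall ruleset set -r CIMSLP -e 0 || return 1 # 3a
    run chkconfig slpd off || return 1                                 # 4a
}

# Reads `chkconfig --list` output on stdin; prints on, off or missing.
slpd_boot_state() {
    result=missing
    while read -r name state rest || [ -n "$name" ]; do
        if [ "$name" = "slpd" ]; then
            result=$state
        fi
    done
    echo "$result"
}

# Step 5: succeed only when slpd is listed as off.
verify_slp_disabled() {
    state=$(slpd_boot_state)
    if [ "$state" = "off" ]; then
        echo "OK: slpd off"
        return 0
    fi
    echo "FAIL: slpd is '$state', expected 'off'" >&2
    return 1
}

# On the host (hypothetical file name): sh disable_slp.sh apply
if [ "${1:-}" = "apply" ]; then
    disable_slp && chkconfig --list | verify_slp_disabled
fi
```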


MSP Support Team demonstrated the procedure for disabling and enabling the Service Location Protocol (SLP) service on VMware ESXi hosts.

Sun IT Solutions is a premier managed IT services company located in Toronto, offering numerous solutions to support businesses in maintaining a competitive edge in the rapidly changing digital world. It specializes in VMware Support and Disaster Recovery services.