PowerFlex: OpenSLP vulnerabilities to disable SLP service not present on newly added nodes
Summary: If SLP service is disabled on ESXi hosts due to OpenSLP vulnerabilities, subsequent PFxM node adds will not have the SLP service disabled, it must be manually disabled after the node add. ...
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Symptoms
OpenSLP vulnerabilities have been disclosed that affect ESXi. These vulnerabilities and their impact on VMware products are documented in the following VMware Security Advisories (VMSAs):
VMSA-2021-0002 (CVE-2021-21972, CVE-2021-21973, CVE-2021-21974)
VMSA-2020-0023 (CVE-2020-3981, CVE-2020-3982, CVE-2020-3992, CVE-2020-3993, CVE-2020-3994, CVE-2020-3995)
VMSA-2019-0022 (CVE-2019-5544)
CVE-2021-21974, VMware KB https://kb.vmware.com/s/article/76372, suggests disabling SLP service as a workaround until the patch can be applied. Disabling SLP service will result in CIM clients not being able to locate the service over port #427.
*Note: Disabling SLP service on ESXi hosts should not have any negative affect on PowerFlex Manager (PFxM) functionality.
VMSA-2021-0002 (CVE-2021-21972, CVE-2021-21973, CVE-2021-21974)
VMSA-2020-0023 (CVE-2020-3981, CVE-2020-3982, CVE-2020-3992, CVE-2020-3993, CVE-2020-3994, CVE-2020-3995)
VMSA-2019-0022 (CVE-2019-5544)
CVE-2021-21974, VMware KB https://kb.vmware.com/s/article/76372, suggests disabling SLP service as a workaround until the patch can be applied. Disabling SLP service will result in CIM clients not being able to locate the service over port #427.
*Note: Disabling SLP service on ESXi hosts should not have any negative affect on PowerFlex Manager (PFxM) functionality.
- PFxM does not use SLP service for monitoring, inventory, or any other operations
- In limited lab testing, there was no observed impact of disabling the SLP service on ESXi hosts in an HCI service
Cause
- When PFxM Node add is performed and an existing node (resource) is duplicated, or new template is used, the ESXi hosts will have the default setting of SLP service enabled.
- PFxM does not duplicate settings at the level that this service is running at.
Resolution
- If the wanted result is to have the SLP service disabled, (adding a node to an existing service OR newly deployed service) you must perform manual steps to disable the SLP service after the node add is complete.
- Refer to steps in CVE-2021-21974, VMware KB https://kb.vmware.com/s/article/76372
1) Stop the SLP service on the ESXi host with this command:
/etc/init.d/slpd stop
Note: The SLP service can only be stopped when the service is not in use. Use the following command to view the operational state of the Service Location Protocol Daemon:
esxcli system slp stats get
2) Run the following command to disable the SLP service:
esxcli network firewall ruleset set -r CIMSLP -e 0
To make this change, persist across reboots:
chkconfig slpd off
To check if the change is applied across reboots:
chkconfig --list | grep slpd
Output: slpd off
Affected Products
PowerFlex rack, Security, PowerFlex ApplianceArticle Properties
Article Number: 000183755
Article Type: Solution
Last Modified: 19 Nov 2025
Version: 6
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.