Notes of a scripter

How to Disable SFCB Service with PowerShell

It seems like a new security exploit is being discovered and release weekly for some most products. I get it that some people have a lot of time on their hands these days. The newest exploit, VMSA-2021-0014, if you aren’t looking to upgrade again after the previous exploit then the workaround is your best solution to keeping your environment safe for now.

So for this workaround as stated by the VMware KB (1025757), you just need to disable the SFCB (Small Footprint CIM Broker) service on your ESXi hosts. This in itself is quite straight forward. Query the VMhost for the services, find the correct name of the SFCB service, then stop and disable the policy.

Get-VMhost | Select -First 1 | Get-VMHostService

Running this command returns all of the services on the VMhost. (Output has been manually parse to only show the needed service)

Key                  Label                          Policy     Running  Required
---                  -----                          ------     -------  --------
sfcbd-watchdog       CIM Server                     on         True     False   

Now that the name of the service is known, sfcbd-watchdog, it can be targeted to be disabled.

Get-VMhost VMhost_Name_Here | Get-VMHostService | Where Key -eq "sfcbd-watchdog" | Stop-VMHostService -confirm:$false

This command will only stop the server. If you were to reboot the host, depending how the policy is configured the server would start back up. So the policy needs to be changed.

Get-VMhost VMhost_Name_Here | Get-VMHostService | Where Key -eq "sfcbd-watchdog" | Set-VMHostService -Policy Off

Now that we have figured out the per VMhost configuration changes, it can be modify to update a cluster at a time by adding Get-Cluster ClusterName at the beginning of the line then pipe to the rest of the command like the command below.

Get-Cluster ClusterName | Get-VMhost | Get-VMHostService | Where Key -eq "sfcbd-watchdog" | Stop-VMHostService -confirm:$false
Cet-Cluster ClusterName | Get-VMhost | Get-VMHostService | Where Key -eq "sfcbd-watchdog" | Set-VMHostService -Policy Off

Now with this workaround in place, you have the time to start planning your vCenter upgrade.

-Stuart

Exit mobile version