
An IS has its BIOS set to allow a boot from a USB device.


Overview

Finding ID: V-6776
Version: USB02.011.00
Rule ID: SV-6998r1_rule
IA Controls: DCBP-1
Severity: High
Description
If an IS's BIOS is left set to allow it to be booted from a USB device, an individual can plug a USB device into the IS and force a reboot, either by performing a hardware reset or by cycling the power. This can lead to a denial of service. Additionally, this can lead to the compromise of sensitive data on the IS that was rebooted and possibly of the network to which the IS is attached.
STIG: VMware ESX 3 Server
Date: 2016-05-13

Details

Check Text (C-2939r1_chk)
The reviewer will interview the IAO or SA to verify that no IS has its BIOS set to allow a boot from any USB device. Note: An IS can be booted from a USB device for maintenance or recovery purposes, but will never be allowed to do so when in normal use.
Note: Some systems do not have a setting for disabling boot from USB. In these cases, boot from USB should be moved to last in the boot device list in the BIOS. The risk is lessened, not mitigated, so the reviewer will mark this as a CAT 2 finding.
Fix Text (F-6429r1_fix)
Develop a plan to check all ISs' BIOS settings as soon as possible. The check will verify that no BIOS is set to allow a boot from a USB device. Obtain CM approval for the plan and execute the plan.