ID | Severity | Title | Discussion |
--- | --- | --- | --- |
V-15815 | High | The MAC Address Change Policy is set to “Accept” for virtual switches. | Each virtual NIC in a virtual machine has an initial MAC address assigned when the virtual adapter is created. Each virtual adapter also has an effective MAC address that filters out incoming... |
V-68725 | High | VMware ESX management software that is no longer supported by the vendor for security updates must not be installed on a system. | VMware ESX operating systems, virtual machines, and associated management software that are no longer supported by VMware for security updates are not evaluated or updated for vulnerabilities... |
V-15817 | High | Forged Transmits are set to “Accept” on virtual switches. | Each virtual NIC in a virtual machine has an initial MAC address assigned when the virtual adapter is created. Each virtual adapter also has an effective MAC address that filters out incoming... |
V-15818 | High | Promiscuous Mode is set to “Accept” on virtual switches. | ESX Server has the ability to run virtual and physical network adapters in promiscuous mode. Promiscuous mode may be enabled on public and private virtual switches. When promiscuous mode is... |
V-15873 | Medium | VI Web Access sessions with VirtualCenter are unencrypted. | User sessions with VirtualCenter should be encrypted since transmitting data in plaintext may be viewed as it travels through the network. User sessions may be initiated from the VI client and VI... |
V-15792 | Medium | Static discoveries are not configured for hardware iSCSI initiators. | ESX Server uses two types of methods to determine what storage resources are available for access by the iSCSI initiators on the network. These methods are dynamic discovery and static discovery.... |
V-15860 | Medium | Patches and security updates are not current on the VirtualCenter Server. | Organizations need to stay current with all applicable VirtualCenter Server software updates that are released from VMware. If updates and patches are not installed, then security vulnerabilities... |
V-15866 | Medium | VirtualCenter virtual machine does not have a memory reservation. | Virtual machine settings affect the availability of the VirtualCenter virtual machine as well. If the virtual machine is not configured with resource reservations, there is no guarantee that the... |
V-15864 | Medium | VirtualCenter virtual machine is not configured in an ESX Server cluster with High Availability enabled. | If the ESX Server hosting the VirtualCenter virtual machine fails, the single point of central administration to the entire virtual infrastructure is gone. To mitigate this potential scenario,... |
V-15865 | Medium | VirtualCenter virtual machine does not have a CPU reservation. | Virtual machine settings affect the availability of the VirtualCenter virtual machine as well. If the virtual machine is not configured with resource reservations, there is no guarantee that the... |
V-15869 | Medium | Unauthorized users have access to the VirtualCenter virtual machine. | Virtual machines may be accessed by anyone with the proper permissions. If the VirtualCenter virtual machine is accessed by a normal virtual machine user, specific settings in the virtual... |
V-15880 | Medium | VirtualCenter does not log user, group, permission or role changes. | VirtualCenter Servers not configured to log user, group, permission and role changes will not have the ability to review past system and user events. Recording these events is critical to... |
V-15806 | Medium | Virtual machines are connected to public virtual switches and are not documented. | Public virtual switches are bound to physical NICs providing virtual machines connectivity to the physical network, whereas connecting physical servers to the LAN usually requires a cable. Virtual... |
V-15807 | Medium | Virtual switch port group is configured to VLAN 1. | The VLAN ID restricts port group traffic to a logical Ethernet segment within the physical network. Port groups may have a VLAN ID of 0 to 4095. VLAN ID values of 1 to 4094 place the virtual... |
V-15802 | Medium | The service console and virtual machines are not on dedicated VLANs or network segments. | Virtual machine traffic destined for a physical network should always be placed on a separate physical adapter from service console traffic. It is appropriate to use as many additional physical... |
V-15975 | Medium | VirtualCenter Server assets are not properly registered in VMS. | The Vulnerability Management System (VMS) was developed to interface with the DoD Enterprise tools to assist all DoD CC/S/As in the identification of security vulnerabilities and track the issues... |
V-15808 | Medium | Virtual switch port group is configured to VLAN 1001 to 1024. | The VLAN ID restricts port group traffic to a logical Ethernet segment within the physical network. Port groups may have a VLAN ID of 0 to 4095. VLAN ID values of 1 to 4094 place the virtual... |
V-15809 | Medium | Virtual switch port group is configured to VLAN 4095. | The VLAN ID restricts port group traffic to a logical Ethernet segment within the physical network. Port groups may have a VLAN ID of 0 to 4095. VLAN IDs that have VLAN ID 4095 are able to reach... |
V-15789 | Medium | CHAP authentication is not configured for iSCSI traffic. | iSCSI connections are able to be configured with Challenge Handshake Authentication Protocol (CHAP) authentication and IP security (IPSec) encryption. “ESX Server only supports one-way CHAP... |
V-15788 | Medium | iSCSI VLAN or network segment is not configured for iSCSI traffic. | Virtual machines may share virtual switches and VLANs with the iSCSI configuration. This type of configuration may expose iSCSI traffic to unauthorized virtual machine users. To restrict... |
V-15786 | Medium | There is no dedicated VLAN or network segment configured for virtual disk file transfers. | The transfer of virtual disk files and VMotion migrations to and from VMFS volumes is sent in plaintext. This type of traffic provides no confidentiality for the data. Due to this vulnerability,... |
V-15785 | Medium | VMotion virtual switches are not configured with a dedicated physical network adapter. | The security issue with VMotion migrations is that the encapsulated files are transmitted in plaintext. Plaintext provides no confidentiality, and anyone with the proper access may view these... |
V-15871 | Medium | No logon warning banner is configured for VirtualCenter users. | Once users are authenticated by VirtualCenter, users should be presented with a warning message. Presenting a warning message prior to user logon may assist the prosecution of trespassers on the... |
V-15870 | Medium | No dedicated VirtualCenter administrator created within the Windows Administrator Group on the Windows Server for managing the VirtualCenter environment. | By default, the local administrator or domain administrator is allowed to log on to VirtualCenter. These administrators are allowed since VirtualCenter requires a user with local administrator... |
V-15899 | Medium | Test and development virtual machines are not logically separated from production virtual machines. | Test and development can be defined by using the following definitions from the Enclave STIG. Testing is a process of technical investigation intended to reveal quality-related information... |
V-15872 | Medium | VI Client sessions with VirtualCenter are unencrypted. | User sessions with VirtualCenter should be encrypted since transmitting data in plaintext may be viewed as it travels through the network. User sessions may be initiated from the VI client and VI... |
V-15897 | Medium | Virtual machines are not time synchronized with the ESX Server or an authoritative time server. | The accuracy of time within the virtualization environment is difficult due to the timer interrupt issue. Time drifts may be as dramatic as 5-10 minutes. Inaccurate time causes other inaccuracies... |
V-15895 | Medium | The VMware Tools setinfo variable is enabled for virtual machines. | The virtual machine operating system sends informational messages to the ESX Server host through VMware Tools. These messages are setinfo messages and typically contain name-value pairs that... |
V-15894 | Medium | VMware Tools drag and drop capabilities are enabled for virtual machines. | The drag and drop operation may be used to transfer files from the guest virtual machine to the computer connecting to the virtual machine via the VI Console. Files may be moved from the guest... |
V-15893 | Medium | Clipboard capabilities (copy and paste) are enabled for virtual machines. | Several security issues arise with the clipboard. The first is that the system administrator might turn on the clipboard transfer and use it. However, deselecting the clipboard check box will not... |
V-15890 | Medium | Nonpersistent disk mode is set for virtual machines. | The security issue with nonpersistent disk mode is that attackers may undo or remove any traces that they were ever on the machine with a simple shutdown or reboot. Once the virtual machine has... |
V-15984 | Medium | VirtualCenter Server assets are not configured with the correct posture in VMS. | Correctly configuring the VirtualCenter Server asset in VMS will ensure that the appropriate vulnerabilities are assigned to the asset. If the asset is not configured with the correct posture,... |
V-15859 | Medium | VirtualCenter server is hosting other applications such as database servers, e-mail servers or clients, DHCP servers, web servers, etc. | VirtualCenter availability is critical since it controls and manages the entire virtual infrastructure. ESX Server will still function without VirtualCenter; however, management of the virtual... |
V-15813 | Medium | Virtual switch labels begin with a number. | Virtual switches within the ESX Server require a field for the name of the switch. This label is important since it serves as a functional descriptor for the switch. The labels of the virtual... |
V-15812 | Medium | Virtual switches are not labeled. | Virtual switches within the ESX Server require a field for the name of the switch. This label is important since it serves as a functional descriptor for the switch, just as physical switches... |
V-15810 | Medium | Port groups are not configured with a network label. | Port Groups define how virtual machine connections are made through the virtual switch. Port groups may be configured with bandwidth limitations and VLAN tagging policies for each member port.... |
V-17020 | Medium | VirtualCenter is not using DoD approved certificates. | User sessions with VirtualCenter should be encrypted since transmitting data in plaintext may be viewed as it travels through the network. User sessions may be initiated from the VI client and VI... |
V-15867 | Low | VirtualCenter virtual machine CPU alarm is not configured. | To ensure that system administrators are notified if there is a resource problem on the VirtualCenter virtual machine, alarms should be configured to email the administrator. If alarms are not... |
V-15868 | Low | VirtualCenter virtual machine memory alarm is not configured. | To ensure that system administrators are notified if there is a resource problem on the VirtualCenter virtual machine, alarms should be configured to email the administrator. If alarms are not... |
V-15803 | Low | Notify Switches feature is not enabled to allow for notifications to be sent to physical switches. | One option in NIC Teaming is Notify Switches. Whenever a virtual NIC is connected to a virtual switch or whenever a virtual NIC’s traffic would be routed over a different physical NIC due to a... |
V-15896 | Low | Configuration tools are enabled for virtual machines. | There are other settings that should be specified in the configuration files for virtual machines. The connectable setting disables connecting and disconnecting removable devices from within the... |