The ESXi host must prevent unintended use of the dvFilter network APIs.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-207661 | ESXI-65-000062 | SV-207661r388482_rule | Medium |
| Description |
|---|
| If you are not using products that make use of the dvfilter network API, the host should not be configured to send network information to a VM. If the API is enabled an attacker might attempt to connect a VM to it thereby potentially providing access to the network of other VMs on the host. If you are using a product that makes use of this API then verify that the host has been configured correctly. If you are not using such a product make sure the setting is blank. |
| STIG | Date |
|---|---|
| VMware vSphere 6.5 ESXi Security Technical Implementation Guide | 2021-09-22 |
Details
| Check Text ( C-7916r364382_chk ) |
|---|
| From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the Net.DVFilterBindIpAddress value and verify the value is blank or the correct IP address of a security appliance if in use. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Net.DVFilterBindIpAddress If the Net.DVFilterBindIpAddress is not blank and security appliances are not in use on the host, this is a finding. |
| Fix Text (F-7916r364383_fix) |
|---|
| From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click Edit and select the Net.DVFilterBindIpAddress value and remove any incorrect addresses. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Net.DVFilterBindIpAddress | Set-AdvancedSetting -Value "" |