UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The vCenter Server for Windows must have Mutual CHAP configured for vSAN iSCSI targets.


Overview

Finding ID Version Rule ID IA Controls Severity
V-94833 VCWN-65-000065 SV-104663r1_rule Low
Description
When enabled vSphere performs bidirectional authentication of both the iSCSI target and host. There is a potential for a MitM attack when not authenticating both the iSCSI target and host in which an attacker might impersonate either side of the connection to steal data. Bidirectional authentication mitigates this risk.
STIG Date
VMware vSphere 6.5 vCenter Server for Windows Security Technical Implementation Guide 2020-03-27

Details

Check Text ( C-94029r1_chk )
If no clusters are enabled for vSAN or if vSAN is enabled but iSCSI is not enabled, this is not applicable.

From the vSphere Web Client go to Host and Clusters >> Select a Cluster >> Configure >> Virtual SAN >> iSCSI Targets

For each iSCSI Target select the item and click the pencil icon to open the edit dialog.

If the Authentication method is not set to "Mutual CHAP" and fully configured, this is a finding.
Fix Text (F-100957r1_fix)
From the vSphere Web Client go to Host and Clusters >> Select a Cluster >> Configure >> Virtual SAN >> iSCSI Targets

For each iSCSI Target select the item and click the pencil icon to open the edit dialog. Change the "Authentication" field to "Mutual CHAP" and configure the incoming and outgoing users and secrets appropriately.