Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-256366 | VCSA-70-000286 | SV-256366r885709_rule | Medium |
Description |
---|
When enabled, vSphere performs bidirectional authentication of both the iSCSI target and host. When not authenticating both the iSCSI target and host, the potential exists for a man-in-the-middle attack in which an attacker might impersonate either side of the connection to steal data. Bidirectional authentication mitigates this risk. |
STIG | Date |
---|---|
VMware vSphere 7.0 vCenter Security Technical Implementation Guide | 2023-03-01 |
Check Text ( C-60041r885707_chk ) |
---|
If no clusters are enabled for vSAN or if vSAN is enabled but iSCSI is not enabled, this is not applicable. From the vSphere Client, go to Host and Clusters. Select a vSAN Enabled Cluster >> Configure >> vSAN >> iSCSI Target Service. For each iSCSI target, review the value in the "Authentication" column. If the Authentication method is not set to "CHAP_Mutual" for any iSCSI target, this is a finding. |
Fix Text (F-59984r885708_fix) |
---|
From the vSphere Client, go to Host and Clusters. Select a vSAN Enabled Cluster >> Configure >> vSAN >> iSCSI Target Service. For each iSCSI target, select the item and click "Edit". Change the "Authentication" field to "Mutual CHAP" and configure the incoming and outgoing users and secrets appropriately. |