Access to virtual machines (VMs) through the "dvfilter" network Application Programming Interface (API) must be controlled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-256467	VMCH-70-000019	SV-256467r886444_rule		Low

Description
An attacker might compromise a VM by using the "dvFilter" API. Configure only VMs that need this access to use the API.

STIG	Date
VMware vSphere 7.0 Virtual Machine Security Technical Implementation Guide	2023-12-01

Details

Check Text ( C-60142r886442_chk )
From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Look for settings with the format "ethernet.filter.name". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" \| Get-AdvancedSetting -Name "ethernet.filter.name" If the virtual machine advanced setting "ethernet.filter.name" exists and dvfilters are not in use, this is a finding. If the virtual machine advanced setting "ethernet.filter*.name" exists and the value is not valid, this is a finding.

Check Text ( C-60142r886442_chk )

From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration.

Look for settings with the format "ethernet*.filter*.name".

or

From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:

Get-VM "VM Name" | Get-AdvancedSetting -Name "ethernet*.filter*.name*"

If the virtual machine advanced setting "ethernet*.filter*.name" exists and dvfilters are not in use, this is a finding.

If the virtual machine advanced setting "ethernet*.filter*.name" exists and the value is not valid, this is a finding.

Fix Text (F-60085r886443_fix)
From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Look for settings with the format "ethernet.filter.name". Ensure only required VMs use this setting. Note: The VM must be powered off to configure the advanced settings through the vSphere Client. Therefore, it is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" \| Get-AdvancedSetting -Name ethernetX.filterY.name \| Remove-AdvancedSetting Note: Change the X and Y values to match the specific setting in the organization's environment.

Fix Text (F-60085r886443_fix)

From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration.

Look for settings with the format "ethernet*.filter*.name".

Ensure only required VMs use this setting.

Note: The VM must be powered off to configure the advanced settings through the vSphere Client. Therefore, it is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.

or

From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:

Get-VM "VM Name" | Get-AdvancedSetting -Name ethernetX.filterY.name | Remove-AdvancedSetting

Note: Change the X and Y values to match the specific setting in the organization's environment.