Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-265974 | ESXI-80-000247 | SV-265974r1003578_rule | | Medium |
**Description**

Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. In ESXi 8.0 Update 3 and newer, TLS profiles are available to configure client and server TLS settings, and they must be configured to use only strong ciphers.
STIG | Date |
---|---|
VMware vSphere 8.0 ESXi Security Technical Implementation Guide | 2024-07-11 |
**Check Text (C-69897r1003576_chk)**

From an ESXi shell, run the following command:

```
# esxcli system tls server get --show-profile-defaults --show-current-boot-profile
```

or

From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

```powershell
$esxcli = Get-EsxCli -v2
$arguments = $esxcli.system.tls.server.get.CreateArgs()
$arguments.showprofiledefaults = $true
$arguments.showcurrentbootprofile = $true
$esxcli.system.tls.server.get.invoke($arguments)
```

Example result:

```
Profile: NIST_2024
Cipher List: ECDHE+AESGCM
Cipher Suite: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384
Groups: prime256v1:secp384r1:secp521r1
Protocol Versions: tls1.2,tls1.3
Reboot Required: true
```

If the TLS profile is not set to "NIST_2024" or is not the current boot profile, this is a finding.
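To evaluate the check above at scale, the `esxcli` output can be parsed and scored against the finding rule. The following is an added example, not part of the STIG; it embeds the example result quoted in the check text as constructed input, and it assumes that "Reboot Required: true" means the configured profile has not yet become the current boot profile (which the check counts as a finding). The protocol-version test goes slightly beyond the rule by also flagging any protocol other than tls1.2/tls1.3.

```python
"""Score 'esxcli system tls server get' output against ESXI-80-000247."""
import re

# Constructed sample: the example result quoted in the STIG check text.
SAMPLE_OUTPUT = """\
Profile: NIST_2024
Cipher List: ECDHE+AESGCM
Cipher Suite: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384
Groups: prime256v1:secp384r1:secp521r1
Protocol Versions: tls1.2,tls1.3
Reboot Required: true
"""

REQUIRED_PROFILE = "NIST_2024"
ALLOWED_PROTOCOLS = {"tls1.2", "tls1.3"}


def parse_tls_output(text):
    """Turn 'Key: value' lines into a dict keyed by lower_snake_case names.

    The key is matched lazily up to the first colon, so values that themselves
    contain colons (cipher suite and group lists) are kept intact.
    """
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z ]+?)\s*:\s*(.*)$", line)
        if m:
            key = m.group(1).strip().lower().replace(" ", "_")
            fields[key] = m.group(2).strip()
    return fields


def evaluate(text):
    """Return the list of finding reasons; an empty list means the host passes."""
    f = parse_tls_output(text)
    reasons = []
    profile = f.get("profile")
    if profile != REQUIRED_PROFILE:
        reasons.append(f"profile is {profile!r}, expected {REQUIRED_PROFILE!r}")
    # Assumption: a pending reboot means the configured profile is not yet the
    # current boot profile, which the STIG treats as a finding.
    if f.get("reboot_required", "").lower() == "true":
        reasons.append("configured profile is not the current boot profile (reboot pending)")
    protos = {p.strip() for p in f.get("protocol_versions", "").split(",") if p.strip()}
    weak = protos - ALLOWED_PROTOCOLS
    if weak:
        reasons.append("weak protocol versions enabled: " + ",".join(sorted(weak)))
    return reasons
```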
**Fix Text (F-69800r1003577_fix)**

TLS profiles can be configured with vSphere Configuration Profiles, or manually on each host for clusters not using vSphere Configuration Profiles.

For ESXi hosts in clusters managed with vSphere Configuration Profiles, do the following:

Note: These steps assume a vSphere Configuration Profile is already in use for the target cluster.

1. From the vSphere Client, go to Host and Clusters.
2. Select the vCenter Server >> Select the target cluster >> Configure >> Desired State >> Configuration >> Draft.
3. Click "Create Draft" or "Import from Host" if a draft does not exist.
4. Select system >> tls_server >> Configure Settings.
5. Select "NIST_2024" from the drop-down for profile and click "Save".
6. Click "Apply Changes" and run through the pre-check to enforce the change.

Note: Updating this setting through a vSphere Configuration Profile will place hosts into maintenance mode and perform a rolling reboot of all hosts in the cluster.

For standalone hosts or clusters not managed with vSphere Configuration Profiles, do the following:

Prior to changing the TLS profile, it is highly recommended to place the host in maintenance mode.

From an ESXi shell, run the following command:

```
# esxcli system tls server set -p NIST_2024
```

or

From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

```powershell
$esxcli = Get-EsxCli -v2
$arguments = $esxcli.system.tls.server.set.CreateArgs()
$arguments.profile = "NIST_2024"
$esxcli.system.tls.server.set.invoke($arguments)
```

A reboot is required to complete the process of changing profiles.