Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-258953 | VCSA-80-000286 | SV-258953r934517_rule | Medium |
Description |
---|
When enabled, vSphere performs bidirectional authentication of both the iSCSI target and host. When not authenticating both the iSCSI target and host, the potential exists for a man-in-the-middle attack in which an attacker might impersonate either side of the connection to steal data. Bidirectional authentication mitigates this risk. |
STIG | Date |
---|---|
VMware vSphere 8.0 vCenter Security Technical Implementation Guide | 2023-10-11 |
Check Text ( C-62693r934515_chk ) |
---|
If no clusters are enabled for vSAN or if vSAN is enabled but iSCSI is not enabled, this is not applicable. From the vSphere Client, go to Host and Clusters. Select a vSAN Enabled Cluster >> Configure >> vSAN >> iSCSI Target Service. For each iSCSI target, review the value in the "Authentication" column. If the Authentication method is not set to "CHAP_Mutual" for any iSCSI target, this is a finding. |
Fix Text (F-62602r934516_fix) |
---|
From the vSphere Client, go to Host and Clusters. Select a vSAN Enabled Cluster >> Configure >> vSAN >> iSCSI Target Service. For each iSCSI target, select the item and click "Edit". Change the "Authentication" field to "Mutual CHAP" and configure the incoming and outgoing users and secrets appropriately. |