UCF STIG Viewer Logo

The vCenter Server must have Mutual Challenge Handshake Authentication Protocol (CHAP) configured for vSAN Internet Small Computer System Interface (iSCSI) targets.


Overview

Finding ID Version Rule ID IA Controls Severity
V-258953 VCSA-80-000286 SV-258953r961863_rule Medium
Description
When enabled, vSphere performs bidirectional authentication of both the iSCSI target and host. When not authenticating both the iSCSI target and host, the potential exists for a man-in-the-middle attack in which an attacker might impersonate either side of the connection to steal data. Bidirectional authentication mitigates this risk.
STIG Date
VMware vSphere 8.0 vCenter Security Technical Implementation Guide 2024-07-11

Details

Check Text ( C-62693r934515_chk )
If no clusters are enabled for vSAN or if vSAN is enabled but iSCSI is not enabled, this is not applicable.

From the vSphere Client, go to Host and Clusters.

Select a vSAN Enabled Cluster >> Configure >> vSAN >> iSCSI Target Service.

For each iSCSI target, review the value in the "Authentication" column.

If the Authentication method is not set to "CHAP_Mutual" for any iSCSI target, this is a finding.
Fix Text (F-62602r934516_fix)
From the vSphere Client, go to Host and Clusters.

Select a vSAN Enabled Cluster >> Configure >> vSAN >> iSCSI Target Service.

For each iSCSI target, select the item and click "Edit".

Change the "Authentication" field to "Mutual CHAP" and configure the incoming and outgoing users and secrets appropriately.