
The vCenter Server must remove unauthorized port mirroring sessions on distributed switches.


Overview

Finding ID: V-258965
Version: VCSA-80-000300
Rule ID: SV-258965r961863_rule
IA Controls: (none listed)
Severity: Medium
Description
The vSphere Distributed Virtual Switch can enable port mirroring sessions, allowing traffic to be mirrored from one source to a destination. If port mirroring is configured unknowingly, this could allow an attacker to observe network traffic of virtual machines.
STIG: VMware vSphere 8.0 vCenter Security Technical Implementation Guide
Date: 2024-07-11

Details

Check Text (C-62705r934551_chk)
If distributed switches are not used, this is not applicable.

From the vSphere Client, go to "Networking".

Select a distributed switch >> Configure >> Settings >> Port Mirroring.

Review any configured "Port Mirroring" sessions.

or

From a PowerCLI command prompt while connected to the vCenter server, run the following command:

Get-VDSwitch | select Name,@{N="Port Mirroring Sessions";E={$_.ExtensionData.Config.VspanSession.Name}}

If there are any unauthorized port mirroring sessions configured, this is a finding.
Fix Text (F-62614r934552_fix)
From the vSphere Client, go to "Networking".

Select a distributed switch >> Configure >> Settings >> Port Mirroring.

Select the unauthorized "Port Mirroring" session and click "Remove". Click "OK".
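The check and fix above, combined into one PowerCLI script as an added example (not part of the STIG text or VMware's own tooling). It assumes an existing Connect-VIServer session with rights to reconfigure distributed switches, and the allow-list of authorized session names ($AuthorizedSessions, default 'SOC-IDS-Mirror') is a hypothetical placeholder to replace with the names approved in your change records.

```powershell
# Added example: audit VSPAN (port mirroring) sessions on every distributed switch
# against an allow-list of authorized session names; report the rest as findings and,
# only when -Remove is given, delete them through the vSphere API (ReconfigureDvs).
param(
    [string[]] $AuthorizedSessions = @('SOC-IDS-Mirror'),   # hypothetical approved session name
    [switch]   $Remove                                       # report only unless -Remove is passed
)

# Collect every session whose name is not on the allow-list, one object per finding.
$findings = foreach ($vds in Get-VDSwitch) {
    foreach ($s in @($vds.ExtensionData.Config.VspanSession)) {
        if ($AuthorizedSessions -notcontains $s.Name) {
            [pscustomobject]@{
                Switch  = $vds.Name
                Session = $s.Name
                Key     = $s.Key            # the API identifies a session by key, not by name
                Type    = $s.SessionType    # e.g. dvPortMirror, remoteMirrorSource, encapsulatedRemoteMirrorSource
                Enabled = $s.Enabled
            }
        }
    }
}

if (-not $findings) {
    Write-Output 'No unauthorized port mirroring sessions found.'
    return
}

Write-Output 'Unauthorized port mirroring sessions (finding):'
$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        $vds  = Get-VDSwitch -Name $f.Switch
        $spec = New-Object VMware.Vim.VMwareDVSConfigSpec
        # ConfigVersion must match the current switch config or the reconfigure is rejected,
        # which protects against clobbering a concurrent edit.
        $spec.ConfigVersion = $vds.ExtensionData.Config.ConfigVersion

        $op = New-Object VMware.Vim.VMwareDVSVspanConfigSpec
        $op.Operation    = 'remove'
        $op.VspanSession = New-Object VMware.Vim.VMwareVspanSession
        $op.VspanSession.Key = $f.Key
        $spec.VspanConfigSpec = @($op)

        $vds.ExtensionData.ReconfigureDvs($spec)
        Write-Output "Removed session '$($f.Session)' from switch '$($f.Switch)'."
    }
}
```

Run without -Remove first and reconcile the report against your authorized list; the removal path is the PowerCLI equivalent of the "Remove" button in the fix text.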