Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The system must prevent unintended use of the dvFilter network APIs.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-63293 | ESXI-06-000062 | SV-77783r1_rule | Medium |
| Description |
|---|
| If you are not using products that make use of the dvfilter network API, the host should not be configured to send network information to a VM. If the API is enabled an attacker might attempt to connect a VM to it thereby potentially providing access to the network of other VMs on the host. If you are using a product that makes use of this API then verify that the host has been configured correctly. If you are not using such a product make sure the setting is blank. |
| STIG | Date |
|---|---|
| VMware vSphere ESXi 6.0 Security Technical Implementation Guide | 2017-07-11 |
Details
| Check Text ( C-64027r1_chk ) |
|---|
| From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Net.DVFilterBindIpAddress value and verify the value is blank or the correct IP address of a security appliance if in use. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Net.DVFilterBindIpAddress If the Net.DVFilterBindIpAddress is not blank and security appliances are not in use on the host, this is a finding. |
| Fix Text (F-69211r1_fix) |
|---|
| From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Net.DVFilterBindIpAddress setting and remove any incorrect addresses. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Net.DVFilterBindIpAddress | Set-AdvancedSetting -Value "" |