Use of the dvFilter network application programming interfaces (APIs) must be restricted.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-256423 | ESXI-70-000062 | SV-256423r959010_rule | Medium |
| Description |
| If the organization is not using products that use the dvfilter network API, the host should not be configured to send network information to a virtual machine (VM). If the API is enabled, an attacker might attempt to connect a virtual machine to it, potentially providing access to the network of other VMs on the host. If using a product that makes use of this API, verify the host has been configured correctly. If not using such a product, ensure the setting is blank. |
| STIG | Date |
| VMware vSphere 7.0 ESXi Security Technical Implementation Guide | 2024-12-16 |
Details
| Check Text (C-60098r886048_chk) |
| From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the "Net.DVFilterBindIpAddress" value and verify the value is blank or the correct IP address of a security appliance if in use. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Net.DVFilterBindIpAddress If the "Net.DVFilterBindIpAddress" is not blank and security appliances are not in use on the host, this is a finding. |
| Fix Text (F-60041r886049_fix) |
| From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Click "Edit". Select the "Net.DVFilterBindIpAddress" value and remove any incorrect addresses. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Net.DVFilterBindIpAddress | Set-AdvancedSetting -Value "" |