The ESXi host must restrict use of the dvFilter network application programming interface (API).
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-258774 | SRG-OS-000480-VMM-002000 | ESXI-80-000219 | SV-258774r933383_rule | 2023-10-11 | 1 |
Description
If the organization is not using products that use the dvFilter network API, the host should not be configured to send network information to a virtual machine (VM).
If the API is enabled, an attacker might attempt to connect a virtual machine to it, potentially providing access to the network of other VMs on the host.
If using a product that makes use of this API, verify the host has been configured correctly. If not using such a product, ensure the setting is blank.
ℹ️ Check
From the vSphere Client, go to Hosts and Clusters.
Select the ESXi Host >> Configure >> System >> Advanced System Settings.
Select the "Net.DVFilterBindIpAddress" value and verify the value is blank or the correct IP address of a security appliance if in use.
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name Net.DVFilterBindIpAddress
If the "Net.DVFilterBindIpAddress" setting is not blank and security appliances are not in use on the host, this is a finding.
✔️ Fix
From the vSphere Client, go to Hosts and Clusters.
Select the ESXi Host >> Configure >> System >> Advanced System Settings.
Click "Edit". Select the "Net.DVFilterBindIpAddress" value and remove any incorrect addresses.
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name Net.DVFilterBindIpAddress | Set-AdvancedSetting -Value ""