All port groups on standard switches must be configured to reject forged transmits.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-256420	ESXI-70-000059	SV-256420r886041_rule		Medium

Description
If the virtual machine (VM) operating system changes the Media Access Control (MAC) address, the operating system can send frames with an impersonated source MAC address at any time. This allows an operating system to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network. This means the virtual switch does not compare the source and effective MAC addresses. To protect against MAC address impersonation, all virtual switches must have forged transmissions set to reject. Reject Forged Transmit can be set at the vSwitch and/or the Portgroup level. Switch-level settings can be overridden at the Portgroup level.

Description

If the virtual machine (VM) operating system changes the Media Access Control (MAC) address, the operating system can send frames with an impersonated source MAC address at any time. This allows an operating system to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network. This means the virtual switch does not compare the source and effective MAC addresses. To protect against MAC address impersonation, all virtual switches must have forged transmissions set to reject. Reject Forged Transmit can be set at the vSwitch and/or the Portgroup level. Switch-level settings can be overridden at the Portgroup level.

STIG	Date
VMware vSphere 7.0 ESXi Security Technical Implementation Guide	2023-06-21

Details

Check Text ( C-60095r886039_chk )
Note: This control addresses ESXi standard switches. Distributed switches are addressed in the vCenter STIG. If there is no standard switch on the ESXi host, this is not applicable. From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> Networking >> Virtual Switches. On each standard switch, click the "..." button next to each port group. Click View Settings >> Policies tab. Verify that "Forged transmits" is set to "Reject". or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VirtualSwitch -Standard \| Get-SecurityPolicy Get-VirtualPortGroup -Standard \| Get-SecurityPolicy If the "Forged Transmits" policy is set to "Accept" (or "true", via PowerCLI), this is a finding.

Check Text ( C-60095r886039_chk )

Note: This control addresses ESXi standard switches. Distributed switches are addressed in the vCenter STIG. If there is no standard switch on the ESXi host, this is not applicable.

From the vSphere Client, go to Hosts and Clusters.

Select the ESXi Host >> Configure >> Networking >> Virtual Switches.

On each standard switch, click the "..." button next to each port group. Click View Settings >> Policies tab.

Verify that "Forged transmits" is set to "Reject".

or

From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

Get-VirtualSwitch -Standard | Get-SecurityPolicy
Get-VirtualPortGroup -Standard | Get-SecurityPolicy

If the "Forged Transmits" policy is set to "Accept" (or "true", via PowerCLI), this is a finding.

Fix Text (F-60038r886040_fix)
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> Networking >> Virtual Switches. On each standard switch, click the "..." button next to each port group. Click Edit Settings >> Security tab. Set "Forged transmits" to "Reject". or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VirtualSwitch -Standard \| Get-SecurityPolicy \| Set-SecurityPolicy -ForgedTransmits $false Get-VirtualPortGroup -Standard \| Get-SecurityPolicy \| Set-SecurityPolicy -ForgedTransmitsInherited $true

Fix Text (F-60038r886040_fix)

From the vSphere Client, go to Hosts and Clusters.

Select the ESXi Host >> Configure >> Networking >> Virtual Switches.

On each standard switch, click the "..." button next to each port group. Click Edit Settings >> Security tab.

Set "Forged transmits" to "Reject".

or

From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

Get-VirtualSwitch -Standard | Get-SecurityPolicy | Set-SecurityPolicy -ForgedTransmits $false
Get-VirtualPortGroup -Standard | Get-SecurityPolicy | Set-SecurityPolicy -ForgedTransmitsInherited $true