The ESXi host must enable bidirectional CHAP authentication for iSCSI traffic.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-239308	ESXI-67-000054	SV-239308r674853_rule		Low

Description
When enabled, vSphere performs bidirectional authentication of both the iSCSI target and host. There is a potential for a MiTM attack, when not authenticating both the iSCSI target and host, in which an attacker might impersonate either side of the connection to steal data. Bidirectional authentication mitigates this risk.

STIG	Date
VMware vSphere 6.7 ESXi Security Technical Implementation Guide	2022-01-05

Details

Check Text ( C-42541r674851_chk )
From the vSphere Client, select the ESXi host and go to Configure >> Storage >> Storage Adapters. Select the iSCSI adapter >> Properties >> Authentication method, view the CHAP configuration, and verify CHAP is required for target and host authentication. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost \| Get-VMHostHba \| Where {$_.Type -eq "iscsi"} \| Select AuthenticationProperties -ExpandProperty AuthenticationProperties If iSCSI is not used, this is not a finding. If iSCSI is used and CHAP is not set to "required" for both the target and host, this is a finding. If iSCSI is used and unique CHAP secrets are not used for each host, this is a finding.

Check Text ( C-42541r674851_chk )

From the vSphere Client, select the ESXi host and go to Configure >> Storage >> Storage Adapters.

Select the iSCSI adapter >> Properties >> Authentication method, view the CHAP configuration, and verify CHAP is required for target and host authentication.

or

From a PowerCLI command prompt while connected to the ESXi host, run the following command:

Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "iscsi"} | Select AuthenticationProperties -ExpandProperty AuthenticationProperties

If iSCSI is not used, this is not a finding.

If iSCSI is used and CHAP is not set to "required" for both the target and host, this is a finding.

If iSCSI is used and unique CHAP secrets are not used for each host, this is a finding.

Fix Text (F-42500r674852_fix)
From the vSphere Client, select the ESXi host and go to Configure >> Storage >> Storage Adapters. Select the iSCSI adapter >> Properties >> Authentication and click the "Edit" button. Set Authentication method to “Use bidirectional CHAP” and enter a unique secret for each traffic flow direction. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost \| Get-VMHostHba \| Where {$_.Type -eq "iscsi"} \| Set-VMHostHba -ChapType Required -ChapName "chapname" -ChapPassword "password" -MutualChapEnabled $true -MutualChapName "mutualchapname" -MutualChapPassword "mutualpassword"

Fix Text (F-42500r674852_fix)

From the vSphere Client, select the ESXi host and go to Configure >> Storage >> Storage Adapters.

Select the iSCSI adapter >> Properties >> Authentication and click the "Edit" button.

Set Authentication method to “Use bidirectional CHAP” and enter a unique secret for each traffic flow direction.

or

From a PowerCLI command prompt while connected to the ESXi host, run the following command:

Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "iscsi"} | Set-VMHostHba -ChapType Required -ChapName "chapname" -ChapPassword "password" -MutualChapEnabled $true -MutualChapName "mutualchapname" -MutualChapPassword "mutualpassword"