The ESXi host must prevent unintended use of the dvFilter network APIs.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-239316	ESXI-67-000062	SV-239316r674877_rule		Medium

Description
If the organization is not using products that use the dvfilter network API, the host should not be configured to send network information to a VM. If the API is enabled, an attacker might attempt to connect a VM to it, potentially providing access to the network of other VMs on the host. If the organization is using a product that uses this API, verify that the host has been configured correctly. If the organization is not using such a product, ensure the setting is blank.

Description

If the organization is not using products that use the dvfilter network API, the host should not be configured to send network information to a VM. If the API is enabled, an attacker might attempt to connect a VM to it, potentially providing access to the network of other VMs on the host. If the organization is using a product that uses this API, verify that the host has been configured correctly. If the organization is not using such a product, ensure the setting is blank.

STIG	Date
VMware vSphere 6.7 ESXi Security Technical Implementation Guide	2022-01-05

Details

Check Text ( C-42549r674875_chk )
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Select the "Net.DVFilterBindIpAddress" value and verify the value is blank or the correct IP address of a security appliance if in use. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost \| Get-AdvancedSetting -Name Net.DVFilterBindIpAddress If the "Net.DVFilterBindIpAddress" is not blank and security appliances are not in use on the host, this is a finding.

Check Text ( C-42549r674875_chk )

From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings.

Select the "Net.DVFilterBindIpAddress" value and verify the value is blank or the correct IP address of a security appliance if in use.

or

From a PowerCLI command prompt while connected to the ESXi host, run the following command:

Get-VMHost | Get-AdvancedSetting -Name Net.DVFilterBindIpAddress

If the "Net.DVFilterBindIpAddress" is not blank and security appliances are not in use on the host, this is a finding.

Fix Text (F-42508r674876_fix)
From the vSphere Client, select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click "Edit", select the "Net.DVFilterBindIpAddress" value, and remove any incorrect addresses. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost \| Get-AdvancedSetting -Name Net.DVFilterBindIpAddress \| Set-AdvancedSetting -Value ""