The ESXi host must configure virtual switch security policies to reject forged transmits.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-258771 | ESXI-80-000216 | SV-258771r933374_rule | CCI-000366 | medium |
| Description | ||||
| If the virtual machine (VM) operating system changes the Media Access Control (MAC) address, the operating system can send frames with an impersonated source MAC address at any time. This allows an operating system to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network. This means the virtual switch does not compare the source and effective MAC addresses. To protect against MAC address impersonation, all virtual switches must have forged transmissions set to reject. Reject Forged Transmit can be set at the vSwitch and/or the Portgroup level. Switch-level settings can be overridden at the Portgroup level. | ||||
| STIG | Date | |||
| VMware vSphere 8.0 ESXi Security Technical Implementation Guide | 2023-10-11 | |||
Related Frameworks
4 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
CM-6
1.00
- DISA · V1R1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1712 mappings
3.4.1
1.00
- DISA · V1R1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.4.2
1.00
- DISA · V1R1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000366
1.00
- DISA · V1R1 · disa_xccdf · related
Details
Check Text (C-258771r933374_chk)
Note: This control addresses ESXi standard switches. Distributed switches are addressed in the vCenter STIG. If there is no standard switch on the ESXi host, this is not applicable.
From the vSphere Client, go to Hosts and Clusters.
Select the ESXi Host >> Configure >> Networking >> Virtual Switches.
On each standard switch, click the '...' button next to each port group and select "Edit Settings".
Click the "Security" tab. Verify that "Forged transmits" is set to "Reject" and that "Override" is not checked.
or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:
Get-VirtualSwitch | Get-SecurityPolicy
Get-VirtualPortGroup | Get-SecurityPolicy | Select-Object *
If the "Forged Transmits" policy is set to "Accept" (or "true", via PowerCLI) or the security policy inherited from the virtual switch is overridden, this is a finding.
Fix Text (F-62420r933373_fix)
From the vSphere Client, go to Hosts and Clusters.
Select the ESXi Host >> Configure >> Networking >> Virtual Switches.
On each standard switch, click "Edit" and select Security.
Set "Forged transmits" to "Reject". Click "OK".
For each port group, click the '...' button and select "Edit Settings" then Security.
Set "Forged transmits" to "Reject" and uncheck the "Override" box. Click "OK".
or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:
Get-VirtualSwitch | Get-SecurityPolicy | Set-SecurityPolicy -ForgedTransmits $false
Get-VirtualPortGroup | Get-SecurityPolicy | Set-SecurityPolicy -ForgedTransmitsInherited $true