The vCenter Server must have Mutual Challenge Handshake Authentication Protocol (CHAP) configured for vSAN Internet Small Computer System Interface (iSCSI) targets.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-258953 | VCSA-80-000286 | SV-258953r961863_rule | CCI-000366 | medium |
| Description | ||||
| When enabled, vSphere performs bidirectional authentication of both the iSCSI target and host. When not authenticating both the iSCSI target and host, the potential exists for a man-in-the-middle attack in which an attacker might impersonate either side of the connection to steal data. Bidirectional authentication mitigates this risk. | ||||
| STIG | Date | |||
| VMware vSphere 8.0 vCenter Security Technical Implementation Guide | 2025-06-09 | |||
Details
Check Text (C-258953r961863_chk)
If no clusters are enabled for vSAN or if vSAN is enabled but iSCSI is not enabled, this is not applicable.
From the vSphere Client, go to Host and Clusters.
Select a vSAN Enabled Cluster >> Configure >> vSAN >> iSCSI Target Service.
For each iSCSI target, review the value in the "Authentication" column.
If the Authentication method is not set to "CHAP_Mutual" for any iSCSI target, this is a finding.
Fix Text (F-62602r934516_fix)
From the vSphere Client, go to Host and Clusters.
Select a vSAN Enabled Cluster >> Configure >> vSAN >> iSCSI Target Service.
For each iSCSI target, select the item and click "Edit".
Change the "Authentication" field to "Mutual CHAP" and configure the incoming and outgoing users and secrets appropriately.