Information
Confirm that the dvfilter API is not configured if it is not in use. If you are using virtual security appliances that leverage this API, then configuration may be necessary.
Rationale
If you are not using products that make use of the dvfilter network API (e.g. VMSafe), the
host should not be configured to send network information to a VM. If the API is enabled,
an attacker might attempt to connect a VM to it, thereby potentially providing access to the
network of other VMs on the host. If you are using a product that makes use of this API then
verify that the host has been configured correctly.
Solution
To implement the recommended configuration state, run the following PowerCLI
command:
# Set Net.DVFilterBindIpAddress to null on all hosts
# (HOST1 is a placeholder host name; Get-VMHost with no name returns every host in the session)
Get-VMHost HOST1 | Foreach { Set-VMHostAdvancedConfiguration -VMHost $_ -Name Net.DVFilterBindIpAddress -Value '' }
Impact: This will prevent a dvfilter-based network security appliance such as a firewall from
functioning if not configured correctly.
Default Value: The prescribed state is the default state.
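
To confirm the state described above, the following added example (not part of the original benchmark text) classifies each host's Net.DVFilterBindIpAddress value as unset, set to an approved appliance address, or set to something unexpected. The function name Test-DvFilterBinding, the -ApprovedBindIps parameter, the host names and the IP addresses are assumptions made for illustration.

```powershell
# Added example: audit Net.DVFilterBindIpAddress against an approved list.
# Test-DvFilterBinding and -ApprovedBindIps are hypothetical names, not PowerCLI cmdlets.
function Test-DvFilterBinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Setting,                 # object with .HostName and .Value
        [string[]]$ApprovedBindIps = @()    # empty list = no dvfilter appliance in use
    )
    process {
        # A null or whitespace-only value means the API is not bound to any VM address.
        $value = ([string]$Setting.Value).Trim()
        $status = if ($value -eq '') {
            'Compliant (not configured)'
        } elseif ($ApprovedBindIps -contains $value) {
            'Review (matches approved appliance address)'
        } else {
            'NonCompliant (unexpected bind address)'
        }
        [pscustomobject]@{
            HostName = $Setting.HostName
            Value    = $value
            Status   = $status
        }
    }
}

# Constructed sample data: hypothetical hosts, documentation-range IP addresses.
$sample = @(
    [pscustomobject]@{ HostName = 'esx01.example.test'; Value = '' }
    [pscustomobject]@{ HostName = 'esx02.example.test'; Value = '192.0.2.10' }
    [pscustomobject]@{ HostName = 'esx03.example.test'; Value = '198.51.100.7' }
)
$sample | Test-DvFilterBinding -ApprovedBindIps '192.0.2.10' | Format-Table -AutoSize

# Against a live session (after Connect-VIServer), feed the real values instead:
# Get-VMHost | ForEach-Object {
#     $s = Get-AdvancedSetting -Entity $_ -Name Net.DVFilterBindIpAddress
#     [pscustomobject]@{ HostName = $_.Name; Value = $s.Value }
# } | Test-DvFilterBinding -ApprovedBindIps '192.0.2.10'
```

Hosts reported as NonCompliant are the ones to reset with the command in the Solution; hosts reported as Review still need the appliance configuration verified by hand.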