2.6 Prevent unintended use of dvfilter network APIs

Information

Confirm that dvfilter API is not configured if not is use. If you are using virtual security
appliances that leverage this API then configuration may be necessary.

*Rationale*

If you are not using products that make use of the dvfilter network API (e.g. VMSafe), the
host should not be configured to send network information to a VM. If the API is enabled,
an attacker might attempt to connect a VM to it, thereby potentially providing access to the
network of other VMs on the host. If you are using a product that makes use of this API then
verify that the host has been configured correctly.

Solution

Perform the following from the vSphere web client-

1. Select the host and click 'Manage' -> 'Settings' -> 'System' -> 'Advanced System
Settings'.
2. Enter Net.DVFilterBindIpAddress in the filter.
3. Verify Net.DVFilterBindIpAddress has an empty value.
4. If an appliance is being used, then make sure the value of this parameter is set to the
proper IP address.
5. Make sure the attribute is highlighted, then click the pencil icon.
6. Enter the proper IP address.
7. Click 'OK'.To implement the recommended configuration state, run the following PowerCLI
command-# Set Net.DVFilterBindIpAddress to null on all hosts
Get-VMHost HOST1 | Foreach { Set-VMHostAdvancedConfiguration -VMHost $_ -Name
Net.DVFilterBindIpAddress -Value '' }

Impact-This will prevent a dvfilter-based network security appliance such as a firewall from
functioning if not configured correctly.

Default Value-The prescribed state is the default state.

See Also

https://workbench.cisecurity.org/files/145

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3

Plugin: VMware

Control ID: 3262e0398a4ca8b3c93d845bb0f94bfb3151191b0111ecf299ddb7c5c0aa4480