2.6 Ensure dvfilter API is not configured if not used

Information

The dvfilter network API is used by some products (e.g., VMSafe). If it is not in use, it should not be configured to send network information to a VM.

Rationale:

If the dvfilter network API is enabled in the future and it is already configured, an attacker might attempt to connect a VM to it, thereby potentially providing access to the network of other VMs on the host.

Impact:

This will prevent a dvfilter-based network security appliance such as a firewall from functioning if not configured correctly.

Solution

To remove the configuration for the dvfilter network API, perform the following from the vSphere web client:

From the vSphere web client, select the host and click Configure then expand System

Click on Advanced System Settings then Edit.

Search for Net.DVFilterBindIpAddress in the filter.

Set Net.DVFilterBindIpAddress has an empty value.

If an appliance is being used, make sure the value of this parameter is set to the proper IP address.

Enter the proper IP address.

Click OK.

To implement the recommended configuration state, run the following PowerCLI command:

# Set Net.DVFilterBindIpAddress to null on all hosts
Get-VMHost HOST1 | Foreach { Set-AdvancedSetting -VMHost $_ -Name Net.DVFilterBindIpAddress -IPValue '' }

Default Value:

Not configured

See Also

https://workbench.cisecurity.org/benchmarks/7798