ESXI-67-000054 - The ESXi host must enable bidirectional CHAP authentication for iSCSI traffic.

Information

When enabled, vSphere performs bidirectional authentication of both the iSCSI target and host. There is a potential for a MiTM attack, when not authenticating both the iSCSI target and host, in which an attacker might impersonate either side of the connection to steal data. Bidirectional authentication mitigates this risk.

Solution

From the vSphere Client, select the ESXi host and go to Configure >> Storage >> Storage Adapters.

Select the iSCSI adapter >> Properties >> Authentication and click the 'Edit' button.

Set Authentication method to 'Use bidirectional CHAP' and enter a unique secret for each traffic flow direction.

or

From a PowerCLI command prompt while connected to the ESXi host, run the following command:

Get-VMHost | Get-VMHostHba | Where {$_.Type -eq 'iscsi'} | Set-VMHostHba -ChapType Required -ChapName 'chapname' -ChapPassword 'password' -MutualChapEnabled $true -MutualChapName 'mutualchapname' -MutualChapPassword 'mutualpassword'

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_Y23M07_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|III, CCI|CCI-000366, Rule-ID|SV-239308r674853_rule, STIG-ID|ESXI-67-000054, Vuln-ID|V-239308

Plugin: VMware

Control ID: e9a854a4fac8de7cc28a068abf685ef34e03fcb97355c44351ae7c37b8903b41