ESXI-67-000062 - The ESXi host must prevent unintended use of the dvFilter network APIs.

Information

If the organization is not using products that use the dvfilter network API, the host should not be configured to send network information to a VM.

If the API is enabled, an attacker might attempt to connect a VM to it, potentially providing access to the network of other VMs on the host. If the organization is using a product that uses this API, verify that the host has been configured correctly. If the organization is not using such a product, ensure the setting is blank.

Solution

From the vSphere Client, select the ESXi Host and go to Configure >> System >> Advanced System Settings.

Click 'Edit', select the 'Net.DVFilterBindIpAddress' value, and remove any incorrect addresses.

or

From a PowerCLI command prompt while connected to the ESXi host, run the following command:

Get-VMHost | Get-AdvancedSetting -Name Net.DVFilterBindIpAddress | Set-AdvancedSetting -Value ''

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_Y23M07_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-239316r674877_rule, STIG-ID|ESXI-67-000062, Vuln-ID|V-239316

Plugin: VMware

Control ID: f3bf502c5dc187fe6459ce5a825398c4b91532ac4546aee2153fd2d5bf677a97