ESXI-67-000059 - The virtual switch Forged Transmits policy must be set to reject on the ESXi host.

Information

If the virtual machine operating system changes the MAC address, the operating system can send frames with an impersonated source MAC address at any time. This allows an operating system to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network.

This means the virtual switch does not compare the source and effective MAC addresses.

To protect against MAC address impersonation, all virtual switches should have forged transmissions set to reject. Reject Forged Transmit can be set at the vSwitch and/or the Portgroup level. Switch-level settings can be overridden at the Portgroup level.

Solution

From the vSphere Client, go to Configure >> Networking >> Virtual Switches.

For each virtual switch and port group, click Edit settings (dots) and change 'Forged Transmits' to reject.

or

From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

Get-VirtualSwitch | Get-SecurityPolicy | Set-SecurityPolicy -ForgedTransmits $false
Get-VirtualPortGroup | Get-SecurityPolicy | Set-SecurityPolicy -ForgedTransmitsInherited $true

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_Y23M07_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-239313r674868_rule, STIG-ID|ESXI-67-000059, Vuln-ID|V-239313

Plugin: VMware

Control ID: 709de410c224621044d1895e27092dbc18eb5ff16a10759730cd7214ae1f38ba