VMCH-70-000028 - DirectPath I/O must be disabled on the virtual machine (VM) when not required.

Information

VMDirectPath I/O (PCI passthrough) enables direct assignment of hardware PCI functions to VMs. This gives the VM access to the PCI functions with minimal intervention from the ESXi host. This is a powerful feature for legitimate applications such as virtualized storage appliances, backup appliances, dedicated graphics, etc., but it also allows a potential attacker highly privileged access to underlying hardware and the PCI bus.

Solution

From the vSphere Client, select the Virtual Machine, right-click, and go to Edit Settings >> Virtual Hardware tab.

Find the unexpected PCI device returned from the check.

Hover the mouse over the device and click the circled 'X' to remove the device. Click 'OK'.

or

From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:

Get-VM 'VM Name' | Get-AdvancedSetting -Name pciPassthruX.present | Remove-AdvancedSetting

Note: Change the 'X' value to match the specific setting in the organization's environment.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_7-0_Y24M01_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-256476r886471_rule, STIG-ID|VMCH-70-000028, Vuln-ID|V-256476

Plugin: VMware

Control ID: 283d918b42ba748b882bbde67f5eab7dbe472032b7000a6734e37b945eba01e6