VCSA-70-000009 - The vCenter Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.

Information

Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.

Satisfies: SRG-APP-000014, SRG-APP-000645, SRG-APP-000156, SRG-APP-000157, SRG-APP-000219, SRG-APP-000439, SRG-APP-000440, SRG-APP-000441, SRG-APP-000442, SRG-APP-000560, SRG-APP-000565, SRG-APP-000625

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

At the command prompt on the vCenter Server Appliance, run the following commands:

# /usr/lib/vmware-TlsReconfigurator/VcTlsReconfigurator/reconfigureVc backup

# /usr/lib/vmware-TlsReconfigurator/VcTlsReconfigurator/reconfigureVc update -p TLSv1.2

vCenter services will be restarted as part of the reconfiguration. The operating system will not be restarted.

The '--no-restart' flag can be added to restart services at a later time.

Changes will not take effect until all services are restarted or the appliance is rebooted.

Note: This change should be performed on vCenter prior to ESXi.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_7-0_Y24M01_STIG.zip

Item Details

Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|CM-7b., 800-53|IA-2(8), 800-53|IA-2(9), 800-53|SC-8, 800-53|SC-8(1), 800-53|SC-8(2), 800-53|SC-13, 800-53|SC-23, CAT|I, CCI|CCI-000068, CCI|CCI-000382, CCI|CCI-001184, CCI|CCI-001453, CCI|CCI-001941, CCI|CCI-001942, CCI|CCI-002418, CCI|CCI-002420, CCI|CCI-002421, CCI|CCI-002422, CCI|CCI-002450, Rule-ID|SV-256318r919041_rule, STIG-ID|VCSA-70-000009, Vuln-ID|V-256318

Plugin: VMware

Control ID: 6d3c6145b66258584247e4c0c87a024074263047ecfc3a3617a1e8f4f91b2e83