ESXI-06-000062 - The system must prevent unintended use of the dvFilter network APIs.

Information

If you are not using products that make use of the dvfilter network API, the host should not be configured to send network information to a VM. If the API is enabled an attacker might attempt to connect a VM to it thereby potentially providing access to the network of other VMs on the host. If you are using a product that makes use of this API then verify that the host has been configured correctly. If you are not using such a product make sure the setting is blank.

Solution

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Net.DVFilterBindIpAddress setting and remove any incorrect addresses.

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-AdvancedSetting -Name Net.DVFilterBindIpAddress | Set-AdvancedSetting -Value ''

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMware_vSphere_6-0_ESXi_V1R5_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Group-ID|V-63293, Rule-ID|SV-77783r1_rule, STIG-ID|ESXI-06-000062, Vuln-ID|V-63293

Plugin: VMware

Control ID: 2c55143580420dfc0e7849812f4581b75f7bdefda70639981895eb78b7f16187