ESXI-06-000054 - The system must enable bidirectional CHAP authentication for iSCSI traffic.

Information

When enabled, vSphere performs bidirectional authentication of both the iSCSI target and host. There is a potential for a MiTM attack, when not authenticating both the iSCSI target and host, in which an attacker might impersonate either side of the connection to steal data. Bidirectional authentication mitigates this risk.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From the vSphere Client select the ESXi Host and go to Configuration >> Storage Adapters >> Select the iSCSI adapter >> Properties >> CHAP. Change CHAP and Mutual CHAP to 'Use CHAP' and enter a unique secret.

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-VMHostHba | Where {$_.Type -eq 'iscsi'} | Set-VMHostHba -ChapType Required -ChapName 'chapname' -ChapPassword 'password' -MutualChapEnabled $true -MutualChapName 'mutualchapname' -MutualChapPassword 'mutualpassword'

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMware_vSphere_6-0_ESXi_V1R5_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|III, CCI|CCI-000366, Group-ID|V-63277, Rule-ID|SV-77767r1_rule, STIG-ID|ESXI-06-000054, Vuln-ID|V-63277

Plugin: VMware

Control ID: a03388d9e6177d26f0739874596766cbd79b9f1683cf84bfa08bd4d69ce75ff4