vNetwork : verify-dvfilter-bind

Information

Prevent unintended use of the dvfilter network APIs.
The dvfilter network API lets an ESXi host hand VM network traffic to a security appliance running as a VM; the host-side advanced setting Net.DVFilterBindIpAddress holds the address the host uses for that connection. If you are not using a product that relies on the dvfilter network API, the setting should be empty so the host is not configured to send network information to any VM. If the setting is populated, an attacker who controls a VM on the host might attempt to connect that VM to the API, potentially gaining access to the network traffic of other VMs on the host. If you are using a product that relies on this API, verify that the host is configured with the address that product expects and nothing else.

http://pubs.vmware.com/vsphere-60/topic/com.vmware.vsphere.security.doc/GUID-CD0783C9-1734-4B9A-B821-ED17A77B0206.html

http://pubs.vmware.com/vsphere-60/topic/com.vmware.vsphere.ext_solutions.doc/GUID-6013E15D-92CE-4970-953C-ACCB36ADA8AD.html

Solution

# Set Net.DVFilterBindIpAddress to an empty value (replace HOST1 with the host name, or omit it to target every host) -
# Set-VMHostAdvancedConfiguration is deprecated in newer PowerCLI releases; Get-AdvancedSetting / Set-AdvancedSetting replace it.
Get-VMHost HOST1 | Foreach { Set-VMHostAdvancedConfiguration -VMHost $_ -Name Net.DVFilterBindIpAddress -Value "" }
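The Information section says to verify that each host is configured correctly; the PowerCLI script below is an added audit example and is not part of this audit item or of the VMware hardening guide. It assumes an open Connect-VIServer session and a PowerCLI release that provides Get-AdvancedSetting and Set-AdvancedSetting, and it assumes Set-AdvancedSetting accepts the empty string as the cleared value, mirroring the -Value "" used in the Solution. The -ExpectedAddress allow-list is an assumption introduced here for sites that do run a dvfilter-based product: an empty value is the hardened state, an approved address is accepted, and any other value is reported (and, with -Remediate, cleared).

```powershell
# Added audit example (not from the Tenable audit or the VMware hardening guide):
# report every host whose Net.DVFilterBindIpAddress is set and optionally clear it.
# Assumes an open PowerCLI session (Connect-VIServer) and Get-AdvancedSetting /
# Set-AdvancedSetting. -ExpectedAddress is a hypothetical allow-list for sites that
# run a dvfilter-based product; any other non-empty value is treated as drift.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$ExpectedAddress = @(),   # addresses an approved dvfilter product is known to use
    [switch]$Remediate                  # clear unexpected values instead of only reporting them
)

$settingName = 'Net.DVFilterBindIpAddress'

$report = foreach ($vmhost in (Get-VMHost | Sort-Object Name)) {
    $setting = Get-AdvancedSetting -Entity $vmhost -Name $settingName
    $value   = [string]$setting.Value    # $null becomes '' here

    # Empty is the hardened state; a configured value is acceptable only when
    # the operator has explicitly approved it.
    $status = if ([string]::IsNullOrWhiteSpace($value)) {
        'Compliant (unset)'
    } elseif ($ExpectedAddress -contains $value) {
        'Compliant (approved appliance address)'
    } else {
        'NON-COMPLIANT (unexpected address)'
    }

    $action = 'none'
    if ($Remediate -and $status -like 'NON-COMPLIANT*' -and
        $PSCmdlet.ShouldProcess($vmhost.Name, "clear $settingName")) {
        # Same end state as the Solution above, using the current cmdlet.
        Set-AdvancedSetting -AdvancedSetting $setting -Value '' -Confirm:$false | Out-Null
        $action = 'cleared'
    }

    [pscustomobject]@{
        Host   = $vmhost.Name
        Value  = $value
        Status = $status
        Action = $action
    }
}

$report | Format-Table -AutoSize

# A non-zero exit code lets a scheduled job or pipeline flag unremediated drift.
if ($report | Where-Object { $_.Status -like 'NON-COMPLIANT*' -and $_.Action -eq 'none' }) {
    exit 1
}
```

Run it with no arguments for a read-only report, with -Remediate -WhatIf to see which hosts would be changed, and with -Remediate to clear the value. Pass -ExpectedAddress only when a product that uses the dvfilter API is deployed, and keep that list as narrow as the product's documentation allows.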

See Also

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/files/xls/vSphere_6_0_Hardening_Guide_GA_15_Jun_2015.xls

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3

Plugin: VMware

Control ID: 578d4fd834d05d0c0b53df192310b098bf358713314e4cd20947a72619dc6ac8