Details
If the organization is not using products that use the dvfilter network API, the host should not be configured to send network information to a VM.
If the API is enabled, an attacker might attempt to connect a VM to it, potentially providing access to the network of other VMs on the host. If the organization is using a product that uses this API, verify that the host has been configured correctly. If the organization is not using such a product, ensure the setting is blank.
Solution
From the vSphere Client, select the ESXi Host and go to Configure >> System >> Advanced System Settings.
Click ‘Edit’, select the ‘Net.DVFilterBindIpAddress’ value, and remove any incorrect addresses.
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name Net.DVFilterBindIpAddress | Set-AdvancedSetting -Value ”
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system VMware.
References
- 800-53|CM-6b.
- CAT|II
- CCI|CCI-000366
- Rule-ID|SV-239316r674877_rule
- STIG-ID|ESXI-67-000062
- STIG-Legacy|SV-104157
- STIG-Legacy|V-94071
- Vuln-ID|V-239316