2.6 Ensure dvfilter API is not configured if not used

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The dvfilter network API is used by some products (e.g., VMSafe). If it is not in use, it should not be configured to send network information to a VM.

Rationale:

If the dvfilter network API is enabled in the future and it is already configured, an attacker might attempt to connect a VM to it, thereby potentially providing access to the network of other VMs on the host.

Impact:

This will prevent a dvfilter-based network security appliance such as a firewall from functioning if not configured correctly.

Solution

To remove the configuration for the dvfilter network API, perform the following from the vSphere web client:

Select the host and click 'Configure' -> 'System' -> 'Advanced System Settings'.

Enter Net.DVFilterBindIpAddress in the filter.

Set Net.DVFilterBindIpAddress to an empty value.

If an appliance is being used, make sure the value of this parameter is set to the proper IP address.

Make sure the attribute is highlighted, then click the pencil icon.

Enter the proper IP address.

Click 'OK'.

To implement the recommended configuration state, run the following PowerCLI command:

# Set Net.DVFilterBindIpAddress to null on all hosts
Get-VMHost HOST1 | Foreach { Set-AdvancedSetting -VMHost $_ -Name Net.DVFilterBindIpAddress -IPValue '' }

Default Value:

Not configured

See Also

https://workbench.cisecurity.org/files/3511