Detections
Analytics

ESXI5-VM-000033 - The system must disable VIX messages from the VM.

Information

The VIX API is a library for writing scripts and programs to manipulate virtual machines. If custom VIX programming is not used in the environment, then disable features to reduce the potential for vulnerabilities. Unprivileged code running in a VMware virtual machine (guest OS) may break out of the VMX process, and elevate from unprivileged guest code execution to host kernel code execution. The ability to send messages from the VM to the host is one of these features. Note that disabling this feature does 'not' adversely affect the functioning of VIX operations that originate outside the guest, so certain VMware and 3rd party solutions that rely upon this capability should continue to work.

Solution

Configure the VM with the correct '<keyword> = <keyval>' pair.

To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file.

Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials.
If connecting to vCenter Server, click on the desired host.
Click the Configuration tab.
Click Storage.
Right-click on the appropriate datastore and click Browse Datastore.
Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file.
Right-click the .vmx file and click Remove from inventory.

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client.

Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials.
If connecting to vCenter Server, click on the desired host.
Click the Configuration tab.
Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively.
Start the ESXi Shell service, where/as required.

As root, log in to the ESXi host and locate the VM's vmx file.
# find / | grep vmx

Add the following to the VM's vmx file.
keyword = 'keyval'

Where:
keyword = isolation.tools.vixMessage.disable
keyval = TRUE

Re-enable Lockdown Mode on the host.

Re-register the VM with the vCenter Server:
Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials.
If connecting to vCenter Server, click on the desired host.
Click the Configuration tab.
Click Storage.
Right-click on the appropriate datastore and click Browse Datastore.
Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file.
Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens.
Continue to follow the wizard to add the virtual machine.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_ESXi5_Virtual_Machine_V2R1_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|III, CCI|CCI-000366, Group-ID|V-39488, Rule-ID|SV-250706r799580_rule, STIG-ID|ESXI5-VM-000033, STIG-Legacy|SV-51346, STIG-Legacy|V-39488, Vuln-ID|V-250706

Plugin: VMware

Control ID: f0de9c916e5e8fb5fd0c0dede49da1fab6f7bca32d746f95a744779c51690de8