Detections
Analytics
ESXI-80-000145 - The ESXi host must enable bidirectional Challenge-Handshake Authentication Protocol (CHAP) authentication for Internet Small Computer Systems Interface (iSCSI) traffic.
Information
When enabled, vSphere performs bidirectional authentication of both the iSCSI target and host. When not authenticating both the iSCSI target and host, there is potential for a man-in-the-middle attack, in which an attacker might impersonate either side of the connection to steal data. Bidirectional authentication mitigates this risk.Solution
From the vSphere Client, go to Hosts and Clusters.Select the ESXi Host >> Configure >> Storage >> Storage Adapters.
Select the iSCSI adapter >> Properties >> Authentication.
Click "Edit...". Set "Authentication Method" to "Use bidirectional CHAP" and enter a unique secret for each traffic flow direction.
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "iscsi"} | Set-VMHostHba -ChapType Required -ChapName "chapname" -ChapPassword "password" -MutualChapEnabled $true -MutualChapName "mutualchapname" -MutualChapPassword "mutualpassword"
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_8-0_Y25M07_STIG.zip
Item Details
Audit Name: DISA VMware vSphere 8.0 ESXi STIG v2r3 VMware
Category: IDENTIFICATION AND AUTHENTICATION
References: 800-53|IA-3(1), CAT|II, CCI|CCI-001967, Rule-ID|SV-258747r971545_rule, STIG-ID|ESXI-80-000145, Vuln-ID|V-258747
Plugin: VMware
Control ID: 6b13e800fe22a3b2045f5f0389bc206dfdafc7f4f2cc5ca307df43c87f7e9856