The system must control access to VMs through the dvfilter network APIs.

From VMware ESXi Version 5 Virtual Machine Security Technical Implementation Guide

Part of ESXi5-250

Associated with: CCI-000366

SV-51363r1_rule The system must control access to VMs through the dvfilter network APIs.

Vulnerability discussion

A VM must be configured explicitly to accept access by the dvfilter network API. This should be performed only for VMs that require the dvfilter network API. An attacker might compromise the VM by making use of this introspection channel.

Check content

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx If a VM is not supposed to be protected by a product using the dvfilter API, ensure the following is not present in its VMX file: ethernet0.filter1.name = dv-filter1 where "ethernet0" is the network adaptor interface of the virtual machine that is to be protected, "filter1" is the number of the filter that is being used, and "dv-filter1" is the name of the particular data path kernel module that is protecting the VM. If the VM is supposed to be protected, check that the name of the data path kernel is set correctly. # grep "^ethernet" If a dvfilter is not being used, and the above command return is empty, this is not a finding. If a dvfilter is being used, and the above command return is either empty or does not contain the correctly formatted network adaptor interface, filter number , and data path kernel module, this is a finding. Re-enable Lockdown Mode on the host.

Fix text

To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the .vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. ethernet0.filter1.name = dv-filter1 Where "ethernet0" is the network adaptor interface of the virtual machine that is to be protected, "filter1" is the number of the filter that is being used, and "dv-filter1" is the name of the particular data path kernel module that is protecting the VM. Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the .vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer