
The ESXi host must restrict use of the dvFilter network application programming interface (API).

An XCCDF Rule

Description

If the organization is not using products that use the dvFilter network API, the host should not be configured to send network information to a virtual machine (VM). If the API is enabled, an attacker might attempt to connect a virtual machine to it, potentially providing access to the network of other VMs on the host. If using a product that makes use of this API, verify the host has been configured correctly. If not using such a product, ensure the setting is blank.

ID
SV-258774r959010_rule
Version
ESXI-80-000219
Severity
Medium
References
Updated

Remediation Templates

A Manual Procedure

From the vSphere Client, go to Hosts and Clusters.

Select the ESXi Host >> Configure >> System >> Advanced System Settings.

Click "Edit". Select the "Net.DVFilterBindIpAddress" value and remove any incorrect addresses.
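The same check can be run across every host instead of one host at a time in the client. The PowerCLI script below is an added example, not part of the rule text: it assumes VMware PowerCLI is installed and `Connect-VIServer` has already been run, and the `$ApprovedAddress` and `$Remediate` variables are hypothetical names introduced here.

```powershell
# Added example: audit Net.DVFilterBindIpAddress on all reachable ESXi hosts.
# Assumes an existing PowerCLI session (Connect-VIServer already run).

# Hypothetical variable: address of an approved appliance that uses the
# dvFilter network API. Leave empty when no such product is in use, in which
# case the setting is expected to be blank.
$ApprovedAddress = ''

# Hypothetical switch: set to $true to write the expected value to
# non-compliant hosts. Left off by default so the script only reports.
$Remediate = $false

$settingName = 'Net.DVFilterBindIpAddress'

# Skip hosts that are disconnected or not responding; they cannot be queried.
$hosts = Get-VMHost | Where-Object { $_.ConnectionState -in 'Connected', 'Maintenance' }

$results = foreach ($vmhost in $hosts) {
    $setting = Get-AdvancedSetting -Entity $vmhost -Name $settingName
    $current = ([string]$setting.Value).Trim()   # a null value becomes ''

    [pscustomobject]@{
        Host      = $vmhost.Name
        Value     = $current
        Expected  = $ApprovedAddress
        Compliant = ($current -eq $ApprovedAddress)
    }
}

$results | Format-Table -AutoSize

if ($Remediate) {
    foreach ($finding in $results | Where-Object { -not $_.Compliant }) {
        Get-AdvancedSetting -Entity (Get-VMHost -Name $finding.Host) -Name $settingName |
            Set-AdvancedSetting -Value $ApprovedAddress -Confirm:$false
    }
}
```

Any host reported with `Compliant` set to `False` has an address bound that does not match the expected value and should be reviewed before the setting is changed.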