Virtual machines (VMs) must disable access through the "dvfilter" network Application Programming Interface (API).

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
low	V-258713	SRG-OS-000480-VMM-002000	VMCH-80-000200	SV-258713r959010_rule	2024-07-11	2

Description
An attacker might compromise a VM by using the "dvFilter" API. Configure only VMs that need this access to use the API.

ℹ️ Check
For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> Advanced Parameters. Verify the settings with the format "ethernet.filter.name" do not exist. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" \| Get-AdvancedSetting -Name "ethernet.filter.name" If the virtual machine advanced setting "ethernet.filter.name" exists and dvfilters are not in use, this is a finding. If the virtual machine advanced setting "ethernet.filter*.name" exists and the value is not valid, this is a finding.

ℹ️ Check

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> Advanced Parameters. Verify the settings with the format "ethernet*.filter*.name" do not exist. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name "ethernet*.filter*.name*" If the virtual machine advanced setting "ethernet*.filter*.name" exists and dvfilters are not in use, this is a finding. If the virtual machine advanced setting "ethernet*.filter*.name" exists and the value is not valid, this is a finding.

✔️ Fix
For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> Advanced Parameters. Look for settings with the format "ethernet.filter.name". Ensure only required VMs use this setting. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" \| Get-AdvancedSetting -Name ethernetX.filterY.name \| Remove-AdvancedSetting Note: Change the X and Y values to match the specific setting in the organization's environment. Note: The VM must be powered off to configure the advanced settings through the vSphere Client. Therefore, it is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.

✔️ Fix

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> Advanced Parameters. Look for settings with the format "ethernet*.filter*.name". Ensure only required VMs use this setting. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name ethernetX.filterY.name | Remove-AdvancedSetting Note: Change the X and Y values to match the specific setting in the organization's environment. Note: The VM must be powered off to configure the advanced settings through the vSphere Client. Therefore, it is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.