Title

The vCenter Server must remove unauthorized port mirroring sessions on distributed switches. (Cat II impact)

Discussion

The vSphere Distributed Virtual Switch can enable port mirroring sessions allowing traffic to be mirrored from one source to a destination. If port mirroring is configured unknowingly this could allow an attacker to observe network traffic of virtual machines.

Check Content

If distributed switches are not used, this is not applicable. From the vSphere Client, go to "Networking". Select a distributed switch >> Configure >> Settings >> Port Mirroring. Review any configured "Port Mirroring" sessions. or From a PowerCLI command prompt while connected to the vCenter server, run the following command: Get-VDSwitch | select Name,@{N="Port Mirroring Sessions";E={$_.ExtensionData.Config.VspanSession.Name}} If there are any unauthorized port mirroring sessions configured, this is a finding.

Fix Text

From the vSphere Client, go to "Networking". Select a distributed switch >> Configure >> Settings >> Port Mirroring. Select the unauthorized "Port Mirroring" session and click "Remove". Click "OK".

Additional Identifiers

Rule ID: SV-258965r961863_rule

Vulnerability ID: V-258965

Group Title: SRG-APP-000516

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.