Check: ESX0080
VMware ESX 3 Server: ESX0080 (in version v1 r2)
Title
iSCSI storage equipment is not configured with the latest patches and updates. (Cat II impact)
Discussion
The ESX Server does not open any ports to listen for network connections. This measure reduces the chances that an intruder can attack the ESX Server through spare ports and possibly compromise the server. However, iSCSI device vulnerabilities may exist even though the ESX Server is configured properly. If security vulnerabilities exist in the iSCSI device software, data located on the iSCSI device may be at risk. To mitigate this risk, system administrators will install all security patches provided by the storage equipment manufacturer and limit the devices connected to the iSCSI network.
Check Content
Validating the iSCSI device software will require the assistance of the system administrator. The system administrator will have to give you the version number of the software and validate that the software is at the latest version. If the software is not at the latest version, this is a finding.
Fix Text
Install the latest patches and updates to the iSCSI device.
Additional Identifiers
Rule ID: SV-16729r1_rule
Vulnerability ID: V-15790
Group Title: iSCSI storage equipment not current with patches.
CCIs
No CCIs are assigned to this check.
Controls
No controls are assigned to this check.