{ "name": "stig_vmware_esx_3_virtual_machine", "date": "2016-05-03", "description": "The VMware ESX 3 Virtual Machine Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.", "title": "VMware ESX 3 Virtual Machine", "version": "1", "item_syntax": "^\\w-\\d+$", "section_separator": null, "items": [ { "id": "V-15921", "title": "Unused hardware is enabled in virtual machines.", "description": "Virtual machines can connect or disconnect hardware devices. These devices may be network adapters, CD-ROM drives, USB drives, etc. Attackers may use this capability via non-privileged users or processes to breach virtual machines in several ways. An attacker that has access to a virtual machine may connect a CD-ROM drive and access sensitive information on the media left in the drive. Another action an attacker may perform is disconnecting the network adapter to isolate the virtual machine from its network resulting in a DoS. Therefore, as a general security precaution, SAs will remove any unneeded or unused hardware devices. If permanently removing a device is not feasible, SAs can restrict a virtual machine process or user from connecting or disconnecting devices from within the guest operating system.", "severity": "medium" }, { "id": "V-15924", "title": "Guest OS selection does not match installed OS.", "description": "Selecting the correct guest OS for each virtual machine is important. ESX Servers optimize certain internal configurations on the basis of this selection. For this reason, it is important to set the guest operating system correctly. The correct guest operating selection can greatly aid the operating system chosen and may cause significant performance degradation if there is a mismatch between the selection and the OS actually running in the virtual machine. The performance degradation may be similar to running an unsupported OS on the ESX Server. Selecting the wrong guest OS is not likely to cause a virtual machine to run incorrectly, but it could degrade the virtual machine’s performance.", "severity": "medium" }, { "id": "V-15926", "title": "Guest operating system is not supported by ESX Server.", "description": "The guest OS on the ESX Server must be supported by VMware. Guest OS will need to be approved by VMware so that if problems are encountered with the guest OS, VMware can assist with the resolution. Also, unsupported guest virtual machines create problems since no documentation or support is available from VMware.", "severity": "high" }, { "id": "V-15931", "title": "Anti-virus software and signatures are out of date for “off” and “suspended” virtual machines", "description": "Creating new virtual machines is as easy as copying a file. Copying files is a quick and efficient way to rollout new virtual machines. Virtual machines can grow at an explosive rate and really tax the security systems of an organization. Many administrative tasks may be automated, but some upgrades and patches require manual tools. For instance, virtual machines may need to be patched, scanned, and purged in response to a virus or worm attack on the network. Therefore, to protect against potential virus and spyware infections, all off and suspended virtual machines will have the latest up-to-date anti-virus software and signatures.", "severity": "medium" }, { "id": "V-15932", "title": "OS patches and updates are out of date on “off” and “suspended” virtual machines.", "description": "Virtual machines create a condition where they may be on, off, or suspended. The requirement that machines be on in a conventional approach to patch management, virus and vulnerability scanning, and machine configuration creates an issue in the virtual world. Virtual machines can appear and disappear from the network sporadically. Conventional networks can “anneal” new machines into a known good configuration state very quickly. However, converging virtual machines to a known good state is more challenging since the state may change quickly. For instance, a vulnerable machine can appear briefly and either become infected or reappear in a vulnerable state at a later time. Therefore, vulnerable virtual machines may become infected with a virus and never be detected since the virtual machine may be suspended or off. Suspended and off virtual machines should be patched regularly to ensure patches are up to date. Virtual machines that are on will be kept current with the OS per the appropriate OS STIG. ", "severity": "medium" }, { "id": "V-17043", "title": "Virtual machines are not configured with the correct posture in VMS.", "description": "Correctly configuring virtual machine assets in VMS will ensure that the appropriate vulnerabilities are assigned to the asset. If the asset is not configured with the correct posture, vulnerabilities may be open on the asset. These open vulnerabilities may allow an attacker access to the system.", "severity": "medium" }, { "id": "V-68727", "title": "VMware ESX virtual machines that are no longer supported by the vendor for security updates must not be installed on a system.", "description": "VMware ESX operating systems, virtual machines, and associated management software that are no longer supported by VMware for security updates are not evaluated or updated for vulnerabilities leaving them open to potential attack. Organizations must transition to a supported ESXi operating system, virtual machines, and associated management software to ensure continued support.", "severity": "high" } ] }