The vCenter Server must remove unauthorized port mirroring sessions on distributed switches.

Overview

Finding ID: V-258965
Version: VCSA-80-000300
Rule ID: SV-258965r961863_rule
IA Controls: (none listed)
Severity: Medium

Description

The vSphere Distributed Virtual Switch can enable port mirroring sessions, allowing traffic to be mirrored from one source to a destination. If port mirroring is configured unknowingly, this could allow an attacker to observe the network traffic of virtual machines.

STIG: VMware vSphere 8.0 vCenter Security Technical Implementation Guide
Date: 2025-06-09

Details

Check Text (C-62705r934551_chk)
If distributed switches are not used, this is not applicable.

From the vSphere Client, go to "Networking".

Select a distributed switch >> Configure >> Settings >> Port Mirroring.

Review any configured "Port Mirroring" sessions.

or

From a PowerCLI command prompt while connected to the vCenter server, run the following command:

Get-VDSwitch | select Name,@{N="Port Mirroring Sessions";E={$_.ExtensionData.Config.VspanSession.Name}}

If there are any unauthorized port mirroring sessions configured, this is a finding.

Fix Text (F-62614r934552_fix)
From the vSphere Client, go to "Networking".

Select a distributed switch >> Configure >> Settings >> Port Mirroring.

Select the unauthorized "Port Mirroring" session and click "Remove". Click "OK".
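The following PowerCLI script is an added example, not part of the STIG text, that carries the Check and Fix steps above through as an auditable script: it lists every VSPAN (port mirroring) session on each distributed switch, compares the names against a site-maintained approved list, and offers an API-level removal for sessions that fail the check. It assumes an existing Connect-VIServer session; the approved-session name and the function names are hypothetical.

```powershell
# Added example (not part of the STIG): audit distributed switches for
# port mirroring sessions that are not on the approved list.
# Assumes Connect-VIServer has already been run against the vCenter.
$ApprovedSessions = @('ids-span-prod')   # hypothetical approved session names

function Get-UnauthorizedVspanSession {
    param([string[]]$Approved)
    foreach ($vds in Get-VDSwitch) {
        # VspanSession is $null on a switch with no sessions; wrap in @() so
        # the loop is safe and a single session is still iterated correctly.
        foreach ($session in @($vds.ExtensionData.Config.VspanSession)) {
            if ($null -eq $session) { continue }
            if ($Approved -notcontains $session.Name) {
                [pscustomobject]@{
                    Switch      = $vds.Name
                    Session     = $session.Name
                    Key         = $session.Key
                    Enabled     = $session.Enabled
                    SessionType = $session.SessionType
                }
            }
        }
    }
}

function Remove-VspanSession {
    # API-level equivalent of the Fix's "Remove" button: reconfigure the
    # switch with a VspanConfigSpec whose operation is 'remove'.
    param([string]$SwitchName, [string]$SessionKey)
    $vds  = Get-VDSwitch -Name $SwitchName
    $spec = New-Object VMware.Vim.VMwareDVSConfigSpec
    $spec.ConfigVersion = $vds.ExtensionData.Config.ConfigVersion  # required to avoid stale-config rejection
    $vspan = New-Object VMware.Vim.VMwareDVSVspanConfigSpec
    $vspan.Operation    = 'remove'
    $vspan.VspanSession = New-Object VMware.Vim.VMwareVspanSession
    $vspan.VspanSession.Key = $SessionKey   # removal is keyed on the session key, not its name
    $spec.VspanConfigSpec = @($vspan)
    $vds.ExtensionData.ReconfigureDvs($spec)
}

$findings = Get-UnauthorizedVspanSession -Approved $ApprovedSessions
if ($findings) {
    $findings | Format-Table -AutoSize
    # After reviewing the output, remediate with:
    # $findings | ForEach-Object { Remove-VspanSession -SwitchName $_.Switch -SessionKey $_.Key }
} else {
    'No unauthorized port mirroring sessions found.'
}
```

Any row in the output is a finding under this rule; keep the removal step commented until the listed sessions have been confirmed as unauthorized, since a legitimately deployed IDS or packet-capture feed would also appear if its name is missing from the approved list.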