Compliant Product - VMware ESXi 6.7U2
Certificate Date: 2019.11.11CC Certificate Security Target Validation Report
Validation Report Number: CCEVS-VR-VID10964-2019
Product Type: Remote Access
Conformance Claim: Protection Profile Compliant
PP Identifier: Extended Package for Server Virtualization Version 1.0
Protection Profile for Virtualization Version 1.0
Extended Package for Secure Shell (SSH) Version 1.0
CC Testing Lab: CGI IT Security Labs
The TOE is VMware ESXi 6.7 Update 2 with 6.7 Patch Version 201905001 applied, installed on a platform consisting of a Dell PowerEdge R740 server with Intel Xeon 6126 “Skylake” CPUs. The TOE is designed to act as a virtualization platform, providing the ability to implement and virtualize different workloads across multiple virtual machines (VMs). The TOE is a software-only TOE where the core component is installed directly on the bare metal hardware. The TOE provides functionality to enforce and support auditing, cryptographic operations, data protection, identification/authentication, security management, and protection of the TSF. Administrators can provision VMs, perform updates, configure virtual network and storage resources, and enforce data protection across virtual machines.
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the TOE is judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 5. The product, when delivered configured as identified in the guidance supplement for VMware ESXi 6.7 Update 2 with 6.7 Patch Version 201905001, v1.16, November8, 2019 document, satisfies all of the security functional requirements stated in the VMware ESXi 6.7 Update 2 with 6.7 Patch Version 201905001 Security Target, Version 1.12. The project underwent CCEVS Validator review. The evaluation was completed in October 2019. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
The security features of the TOE are described below in detail. Also, the TOE meets all the assurance activities from Protection Profile for Virtualization Version 1.0 with the Extended Package Server Virtualization Version 1.0 and Extended Package for Secure Shell (SSH) Version 1.0
The ESXi security audit function collects and stores audit records in pre-allocated flat files on ESXi. Each audit record contains the:
· date and time of the event
· type of event
· subject identity
· object identity
· result (success or failure) of the event
ESXi provides a command to review its audit records. Reviewing the audit records on ESXi is restricted to administrators. ESXi also supports sending audit records to a collector external to the TOE.
The TOE protects communications with components external to the TOE. It implements CAVP-validated cryptographic algorithms to handle all cryptographic functions to protect communications.
All passwords are hashed by the TOE. Cryptographic keys and other critical security parameters are never exposed in plain text. Certificates may only be imported through cryptographically validated channels.
The ESXi entropy subsystem is NIST SP 800-90A compliant. Finally, VMs are provided access to a hardware entropy source for random bit generation.
User Data Protection
ESXi constrains direct access to all physical resources (CPU, memory, HDD, USB, etc.). VM data sharing is provided via virtual networks. Network traffic over a virtual network is only visible to the VMs configured for that virtual network.
VM access to USB physical devices as well as virtual networks is controlled by Administrators.
Additionally, all volatile and non-volatile memory is zeroed to prevent residual data leakage.
TOE remote communications are protected by CAVP-validated crypto primitives through SSH and TLS 1.2.
Identification and Authentication
Credentials (i.e. SSH public key, username/password) are required for an Administrator to gain access to ESXi. If the authentication credentials are valid, access to the system is provided. Failed and successful user login events are captured in the audit logs. The TOE also supports account lockout after a sufficient number of failed login attempts.
Password complexity policy is managed using standard PAM mechanisms.
The TOE uses X.509 certificate authentication for establishing trusted TLSv1.2 communication channels. ESXi performs validation of certificates through examination of the certificate path, CA flags, and extendedKeyUsage, as well as revocation checks against a CRL.
Security management specifies how ESXi manages several aspects of the TSF, including TSF data and security functions. TSF data includes configuration data of the TOE, audit data, and system data.
The TOE supports remote administration over secure channels.
From a management perspective, access to ESXi objects is controlled via a role based access control mechanism. Only administrators can modify the access controls. For the purpose of this evaluation, the only role is Administrator. Thus all management functions are restricted to administrators.
The TOE displays an advisory warning message regarding unauthorized use of the TOE before establishing an Administrator session.
Protection of the TSF
The TSF is protected by the following mechanisms:
Protection of the TOE from physical tampering must be ensured by its environment. The TOE protects the confidentiality and integrity of all data as it is transmitted to and from the TOE.
For VMs, the TSF allows administrators to disable hypercalls to reduce the potential attack surface.