Compliant Product - VMware ESXi 7.0 Update 3d
Certificate Date: 2022.09.06
Validation Report Number: CCEVS-VR-VID11249-2022
Product Type: Virtualization
Conformance Claim: Protection Profile Compliant
PP Identifier: PP-Module for Server Virtualization Version 1.1
Functional Package for TLS Version 1.1
Protection Profile for Virtualization Version 1.1
CC Testing Lab: Leidos Common Criteria Testing Laboratory
The Target of Evaluation (TOE) is VMware ESXi 7.0 Update 3d installed on a Dell PowerEdge R740 server platform with Intel Xeon 6230R “Cascade Lake” CPUs. The TOE is a Type 1 (“bare metal”) hypervisor that is installed onto a computer system with no host platform operating system. It serves as a virtual machine manager (VMM) and virtualization system. This allows for the instantiation of multiple virtual machines (VMs) onto a single physical platform. It also implements mechanisms to enforce logical separation of VMs from one another and from the hypervisor so that data transmission between these domains can only occur through authorized interfaces.
Security Evaluation Summary
The Leidos Common Criteria Testing Laboratory (CCTL) conducted the evaluation in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance. The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, September 2017. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1, Revision 5. The product, when delivered and configured as identified in the guidance documentation, satisfies all of the security functional requirements stated in the VMware ESXi 7.0 Update 3d Security Target. The Leidos CCTL completed the evaluation in August 2022. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
Security Audit
The TOE's security audit function accepts audit records and stores them locally in pre-allocated files, as well as transmitting them to a remote syslog server via TLS. Each audit record contains relevant information about the audit event. Locally-stored audit records are reviewable by authorized subjects and protected from unauthorized deletion and modification.
Cryptographic Support
The TOE implements CAVP-validated cryptographic algorithms for its cryptographic services. These are used to support TLS and HTTPS communications. Trusted communications protocols are implemented using secure cryptographic parameters and in accordance with relevant standards. The TOE implements a NIST SP 800-90A conformant DRBG that is seeded with a combination of hardware and software entropy. The hardware entropy source used by the TOE is made available to Guest VMs through a passthrough interface.
User Data Protection
The TOE uses hardware-based mechanisms to constrain direct access of Guest VMs to PCI devices. Authorized subjects may configure a specific Guest VM to use USB and network interfaces; however, access to PCI pass-through devices, vGPU devices, and SCSI pass-through devices is always prohibited. The TOE clears all volatile and non-volatile memory prior to allocation to a Guest VM so that domain separation between Guest VMs is enforced.
Identification and Authentication
To control access to the TSF, the TOE uses locally defined username/password credentials for authentication. All TSF-mediated actions require successful authentication prior to authorization. The TSF protects against brute-force password authentication attempts by locking an offending user account for a period of time when an excessive number of failed attempts has been accumulated. The TSF also enforces configuration of password complexity policies to further reduce the chance that a brute-force authentication attack will succeed.
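The two controls described above (a temporary account lock after a run of failed logins, and a complexity policy applied when a password is set) are simple to model. The following is an added illustration written for this page; it is not ESXi code and does not reflect how the TOE implements these functions. The thresholds (5 failures, 15-minute lock, 12 characters, 3 character classes), the `Authenticator` class and the injectable `clock` are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

# Assumed policy values for this illustration; the page does not state the TOE's settings.
MAX_FAILURES = 5            # failed attempts before the account locks
LOCKOUT_SECONDS = 900       # how long the lock lasts (15 minutes)
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3   # out of: lower, upper, digit, symbol


def password_violations(password: str) -> list[str]:
    """Return the policy rules a candidate password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(
        1 for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
        if re.search(pattern, password)
    )
    if classes < MIN_CHARACTER_CLASSES:
        problems.append(f"uses {classes} character classes, policy requires {MIN_CHARACTER_CLASSES}")
    return problems


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0          # consecutive failed attempts since the last success or lock
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class Authenticator:
    """Local username/password store with lockout. The clock is injected so a test can advance time."""

    def __init__(self, clock):
        self.clock = clock
        self.accounts: dict[str, Account] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username: str, password: str) -> None:
        """Enforce the complexity policy at the point the credential is created."""
        problems = password_violations(password)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, self._hash(password, salt))

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'locked' or 'denied'.

        Unknown users get 'denied' after a dummy hash so the response time does not
        reveal whether the account exists; a locked account is refused without
        checking the password at all, so guessing cannot continue during the lock.
        """
        account = self.accounts.get(username)
        if account is None:
            self._hash(password, b"\0" * 16)
            return "denied"
        now = self.clock()
        if now < account.locked_until:
            return "locked"
        if hmac.compare_digest(self._hash(password, account.salt), account.digest):
            account.failures = 0
            return "ok"
        account.failures += 1
        if account.failures >= MAX_FAILURES:
            account.failures = 0
            account.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"
```

The lock is evaluated before the password, so a correct password submitted during the lock period is still refused; this is what makes the lock useful against an attacker who keeps guessing. Constant-time comparison and a salted, iterated hash are included because an account lock alone does nothing if the stored credential can be recovered by other means.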
The TOE uses X.509 certificate validation services for TLS authentication and code signing. CRLs are used for revocation checking. The TSF rejects invalid certificates and those whose revocation status cannot be determined.
Security Management
The TOE includes management functions that allow for configuration of its own behavior as well as configuration and manipulation of Guest VMs, such as starting/stopping VMs, creating checkpoints for VMs, and configuring the VMs with virtual networking and physical device access. The TOE includes several management interfaces over which various management functions can be performed. The TOE implements role-based access control to grant members of different roles granular privileges to manage the TSF and its associated data. For the purpose of the evaluation, only the ‘Administrator’ role is defined.
The TOE also enforces physical and logical separation of management and operational networks and protects against data sharing between Guest VMs using virtual networking, unless specifically authorized by an Administrator.
Protection of the TSF
The TOE implements various mechanisms to protect itself from misuse. A Guest VM can only access devices assigned to it by an Administrator. Furthermore, the TOE validates parameters passed to virtual devices, and implements controls for transferring removable media between Guest VMs. The TOE includes an administratively configurable hypercall interface that allows Guest VMs to interact with the hypervisor. The TOE also uses hardware assists to eliminate the need for shadow page tables and reduce the use of binary translation.
The TOE enforces isolation between Guest VMs and between VMs and itself. It also implements various protection methods in the execution environment to protect against memory-based attacks. TOE updates are also integrity protected using code signing certificates.
TOE Access
The TOE supports the display of an advisory warning message regarding unauthorized use of the TOE before establishing an Administrator session.
Trusted Path/Channels
The TOE implements TLS and HTTPS for secure communications between itself and external entities, which include remote administrators and remote audit servers. The TOE also enforces unambiguous identification of Guest VMs to reduce the likelihood that a user will inadvertently input data to an unintended Guest VM.