vSAN File Service NFS Shares Flagged with World Readable Vulnerability


Article ID: 434714


Products

VMware vSAN

Issue/Introduction

Symptoms:

  • A security scan identifies "NFS Shares World Readable" or "NFS Export Permissions Too Permissive" on vSAN File Service.
  • The vulnerability is reported because the NFS export policy uses a wildcard (*) or a broad CIDR range (e.g., 0.0.0.0/0) without restricting access to specific worker node IPs.


Environment

vSAN File Service

Cause

This issue occurs when the NFS export policy for a file share is configured to allow access from any IP address, or when Root Squash is not enabled on the export. If the export policy is not restricted to the specific client IPs, any client that can reach the file share's network could potentially mount and read the share.

Resolution

To resolve the vulnerability while maintaining access for clients, follow these steps:

  1. Identify client IPs:

    • Collect the specific IP addresses or CIDR ranges for the clients (e.g., vKS worker nodes) that require access to the file share.
  2. Restrict the Net access:

    • In the vSphere Client, navigate to vSAN > File Service Shares.
    • Select the affected file share and click Edit.
    • Go to the Net access control tab.
    • Modify the existing rule or add a new one under Customize net access. Replace broad wildcards (*) with the specific client IPs/CIDRs identified in Step 1.
  3. Verify Networking and Mounts:

    • Verify that the share is still accessible and performs read/write operations from the authorized clients.
  4. Re-scan:

    • Perform a security re-scan to confirm the "World Readable" vulnerability is resolved.
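The following script is an added example and is not part of this article or of VMware's tooling. It encodes the conditions described under Cause (a wildcard client, a 0.0.0.0/0 range, or Root Squash disabled) as an audit over a share's net-access rules, and applies the Step 2 remediation by replacing open rules with one rule per authorized client CIDR. The share name, rule records and worker-node CIDR are constructed for illustration; the "broad range" prefix threshold and the field names are assumptions, since in practice the rule values are read from the share's Net access control tab in the vSphere Client.

```python
"""Audit vSAN File Service net-access rules for the 'world readable' condition.

Added example, not VMware's own code. Rule records mirror the fields shown in
the vSphere Client 'Net access control' tab: client address or CIDR, permission,
and whether Root Squash is enabled. Field names are assumptions.
"""
import copy
import ipaddress

# Assumption: a prefix shorter than this is treated as a "broad" range that
# deserves review even though it is not literally 0.0.0.0/0.
BROAD_PREFIX_THRESHOLD = 16


def _parse_network(client):
    """Return an ip_network for a host or CIDR string, or None if it is not one."""
    try:
        return ipaddress.ip_network(client, strict=False)
    except ValueError:
        return None


def audit_rule(rule):
    """Return the findings for one net-access rule (empty list if the rule is clean)."""
    findings = []
    client = rule["client"].strip()
    if client == "*":
        findings.append("wildcard client '*' makes the share world readable")
    else:
        net = _parse_network(client)
        if net is None:
            findings.append(f"unrecognised client entry {client!r}; review manually")
        elif net.prefixlen == 0:
            findings.append(f"{client} covers every address (equivalent to '*')")
        elif net.prefixlen < BROAD_PREFIX_THRESHOLD:
            findings.append(f"{client} is a broad range (/{net.prefixlen}); "
                            "restrict to the client subnets")
    if not rule.get("root_squash", False):
        findings.append("root squash disabled; a remote root user keeps root on the share")
    return findings


def audit_share(share):
    """Map rule index -> findings for every rule of the share that has findings."""
    report = {}
    for idx, rule in enumerate(share["rules"]):
        findings = audit_rule(rule)
        if findings:
            report[idx] = findings
    return report


def _is_open_rule(rule):
    """True for '*' or an all-addresses CIDR, i.e. the rules Step 2 replaces."""
    client = rule["client"].strip()
    if client == "*":
        return True
    net = _parse_network(client)
    return net is not None and net.prefixlen == 0


def restrict_to_clients(share, allowed_cidrs):
    """Return a copy of the share with each open rule replaced by one rule per
    allowed client CIDR, keeping the original permission and enabling Root Squash.
    Rules that already name specific clients are left untouched."""
    fixed = copy.deepcopy(share)
    new_rules = []
    for rule in fixed["rules"]:
        if _is_open_rule(rule):
            for cidr in allowed_cidrs:
                ipaddress.ip_network(cidr, strict=False)  # fail fast on a typo
                new_rules.append({"client": cidr,
                                  "permission": rule.get("permission", "READ_ONLY"),
                                  "root_squash": True})
        else:
            new_rules.append(rule)
    fixed["rules"] = new_rules
    return fixed


# Constructed sample: one share exported to everyone without Root Squash.
SAMPLE_SHARE = {
    "name": "vks-pv-share",  # constructed share name
    "rules": [{"client": "*", "permission": "READ_WRITE", "root_squash": False}],
}
# Constructed: the subnet the worker nodes live on (Step 1 output).
WORKER_NODE_CIDRS = ["10.10.20.0/24"]

if __name__ == "__main__":
    print("before:", audit_share(SAMPLE_SHARE))
    remediated = restrict_to_clients(SAMPLE_SHARE, WORKER_NODE_CIDRS)
    print("after: ", audit_share(remediated), remediated["rules"])
```

Run it before and after editing the share to get a repeatable local check that the rule set no longer matches the scanner's criteria; the re-scan in Step 4 remains the authoritative confirmation.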

Additional Information

Create a vSAN File Share