The Dell OS10 Switch must implement replay-resistant authentication mechanisms for network access to privileged accounts.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| --- | --- | --- | --- | --- |
| V-269780 | OS10-NDM-000390 | SV-269780r1051725_rule | CCI-001941 | medium |

Description

A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.

| STIG | Date |
| --- | --- |
| Dell OS10 Switch NDM Security Technical Implementation Guide | 2024-12-11 |
Details
Check Text (C-269780r1051725_chk)
Review the OS10 Switch configuration to determine if replay-resistant authentication mechanisms are implemented for network access to privileged accounts.

Review the FIPS status to verify that FIPS mode is enabled, as shown below:

```text
OS10# show fips status
FIPS mode: Enabled
Crypto Library: OpenSSL 1.0.2zg-fips 7 Feb 2023
FIPS Object Module: DELL OpenSSL FIPS Crypto Module v2.6 July 2021
OS10#
```

Verify that SSH is enabled for network access by reviewing the SSH server status:

```text
OS10# show ip ssh | grep "SSH Server:"
SSH Server: Enabled
```

Verify that telnet is disabled on the switch by confirming that the following line is not present in the running-configuration:

```text
ip telnet server enable
```

If FIPS mode is not enabled, if SSH is not enabled, or if telnet is enabled on the OS10 Switch, this is a finding.
Fix Text (F-73714r1051724_fix)
Configure the OS10 Switch to implement replay-resistant authentication mechanisms for network access to privileged accounts:

```text
OS10(config)# crypto fips enable
WARNING: Upon committing this configuration, the system will regenerate SSH keys. Please consult documentation and toggle FIPS mode only if you know what you are doing!
Continue? [yes/no(default)]:yes
OS10(config)#
```

Disable telnet if it has been enabled:

```text
OS10(config)# no ip telnet server enable
```

Enable SSH if it has been disabled:

```text
OS10(config)# ip ssh server enable
```
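The Check Text above is three yes/no conditions evaluated over captured CLI output, and the Fix Text maps one configuration command to each failing condition. The following script is an added example (not part of the STIG and not a Dell tool) that automates that evaluation for a fleet of switches: it parses captured `show fips status`, `show ip ssh` and running-configuration text, decides whether the rule is a finding, and lists the Fix Text commands that would remediate it. The sample captures are constructed to mirror the output format shown in the check; the function names and the fail-closed treatment of missing or unparseable output are this example's own choices.

```python
import re

# Constructed sample captures (not taken from a real device). They follow the
# output format shown in the STIG check text for V-269780.
FIPS_STATUS = """FIPS mode: Enabled
Crypto Library: OpenSSL 1.0.2zg-fips 7 Feb 2023
FIPS Object Module: DELL OpenSSL FIPS Crypto Module v2.6 July 2021
"""

SSH_STATUS = "SSH Server: Enabled\n"

# Constructed running-configuration excerpt with telnet still enabled,
# so the evaluation below reports a finding.
RUNNING_CONFIG = """!
hostname OS10
ip ssh server enable
ip telnet server enable
!
"""


def fips_enabled(show_fips_output: str) -> bool:
    """True only if 'FIPS mode: Enabled' is present; anything else fails closed."""
    m = re.search(r"^FIPS mode:\s*(\S+)", show_fips_output, re.MULTILINE)
    return bool(m) and m.group(1).lower() == "enabled"


def ssh_enabled(show_ip_ssh_output: str) -> bool:
    """True only if 'SSH Server: Enabled' is present; missing output fails closed."""
    m = re.search(r"^SSH Server:\s*(\S+)", show_ip_ssh_output, re.MULTILINE)
    return bool(m) and m.group(1).lower() == "enabled"


def telnet_enabled(running_config: str) -> bool:
    """True if the exact line 'ip telnet server enable' is in running-config.

    The match is anchored to a whole line so the negated form
    'no ip telnet server enable' does not count as enabled.
    """
    return re.search(r"^\s*ip telnet server enable\s*$",
                     running_config, re.MULTILINE) is not None


def evaluate(show_fips_output: str, show_ip_ssh_output: str,
             running_config: str) -> dict:
    """Apply the three STIG conditions and collect the matching Fix Text commands."""
    reasons = []
    remediation = []  # OS10 config-mode commands from the Fix Text
    if not fips_enabled(show_fips_output):
        reasons.append("FIPS mode is not enabled")
        remediation.append("crypto fips enable")
    if not ssh_enabled(show_ip_ssh_output):
        reasons.append("SSH server is not enabled")
        remediation.append("ip ssh server enable")
    if telnet_enabled(running_config):
        reasons.append("telnet server is enabled")
        remediation.append("no ip telnet server enable")
    return {"finding": bool(reasons), "reasons": reasons,
            "remediation": remediation}


if __name__ == "__main__":
    result = evaluate(FIPS_STATUS, SSH_STATUS, RUNNING_CONFIG)
    status = "FINDING" if result["finding"] else "not a finding"
    print(f"V-269780: {status}")
    for reason in result["reasons"]:
        print(f"  - {reason}")
    if result["remediation"]:
        print("  Fix Text commands to apply in config mode:")
        for cmd in result["remediation"]:
            print(f"    {cmd}")
```

Feeding the script real captures is a matter of replacing the three constants with the text collected from each switch. Note that `crypto fips enable` regenerates SSH keys, as the Fix Text warns, so a script that reports that command should leave the actual change to an operator who can handle the host-key rollover on the management side.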