Network Device Management Rules : Ensuring the system implements replay-resistant authentication
  
Rule Title: RiOS must implement replay-resistant authentication mechanisms for network access to privileged accounts.
STIG ID: RICX-DM-000106
Rule ID: SV-77443r1_rule
Severity: CAT II
Vuln ID: V-62953
Class: Unclass
A replay attack might enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack.
An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message.
Techniques used to address this security issue include protocols using nonces (for example, numbers generated for a specific one-time use) or challenges (for example, TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.
Verifying the system implements replay-resistant authentication
Verify that RiOS is configured to implement replay-resistant authentication mechanisms for network access to privileged accounts.
1. Connect to the CLI and enter these commands:
enable
show config full
2. Press the space bar to scroll through the configuration and verify that these commands are contained in the configuration:
no web http enable
web https enable
no web ssl protocol sslv3
no web ssl protocol tlsv1
web ssl protocol tlsv1.1
web ssl protocol tlsv1.2
If any of the above configuration lines is missing or does not appear exactly as listed, this is a finding.
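As an added example (not part of the STIG or of Riverbed's tooling), the following Python script applies the check above to captured "show config full" output and reports which of the six required lines are absent; both sample configurations are constructed, not real device captures.

```python
"""Offline compliance check for RICX-DM-000106 against captured 'show config full' text."""
import re

# The exact configuration lines the STIG check requires to be present.
REQUIRED_LINES = [
    "no web http enable",
    "web https enable",
    "no web ssl protocol sslv3",
    "no web ssl protocol tlsv1",
    "web ssl protocol tlsv1.1",
    "web ssl protocol tlsv1.2",
]


def normalize(line: str) -> str:
    """Trim and collapse whitespace so indentation differences do not cause false findings."""
    return re.sub(r"\s+", " ", line.strip())


def check_replay_resistant_auth(config_text: str) -> list[str]:
    """Return the required lines missing from the configuration; an empty list means compliant.

    Matching is on whole normalized lines, so 'web ssl protocol tlsv1' (TLS 1.0 enabled)
    does not satisfy the required 'no web ssl protocol tlsv1', and 'tlsv1.1' is not
    mistaken for 'tlsv1'.
    """
    present = {normalize(line) for line in config_text.splitlines()}
    return [required for required in REQUIRED_LINES if required not in present]


# Constructed sample: HTTP management still enabled and TLS 1.0 still allowed.
SAMPLE_NONCOMPLIANT = """\
web http enable
web https enable
no web ssl protocol sslv3
web ssl protocol tlsv1
web ssl protocol tlsv1.1
web ssl protocol tlsv1.2
"""

# Constructed sample: exactly the lines the check requires.
SAMPLE_COMPLIANT = "\n".join(REQUIRED_LINES) + "\n"

if __name__ == "__main__":
    for name, cfg in (("noncompliant", SAMPLE_NONCOMPLIANT), ("compliant", SAMPLE_COMPLIANT)):
        missing = check_replay_resistant_auth(cfg)
        verdict = "FINDING" if missing else "compliant"
        print(f"{name}: {verdict}", *missing, sep="\n  missing: ")
```

Feed it the saved output of "show config full" from the CLI session to get the same pass/fail verdict as the manual scroll-through, with the missing lines listed.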
Configuring the system to implement replay-resistant authentication
Configure RiOS to implement replay-resistant authentication mechanisms for network access to privileged accounts.
Connect to the CLI and enter these commands:
enable
configuration terminal
no web http enable
web https enable
no web ssl protocol sslv3
no web ssl protocol tlsv1
web ssl protocol tlsv1.1
web ssl protocol tlsv1.2
write memory
exit