
The Dell OS10 Switch must implement replay-resistant authentication mechanisms for network access to privileged accounts.

Overview

Finding ID: V-269780
Version: OS10-NDM-000390
Rule ID: SV-269780r1051725_rule
IA Controls: (none listed)
Severity: Medium
Description
A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS-Security). Additional techniques include time-synchronous or challenge-response one-time authenticators. On the switch this is why management access must go over SSH, whose authentication is bound to a fresh per-session key exchange, and never over telnet, which sends the credentials in cleartext with nothing tying them to the session.
STIG: Dell OS10 Switch NDM Security Technical Implementation Guide
Date: 2024-12-11

Details

Check Text (C-73813r1051723_chk)
Review the OS10 Switch configuration to determine if replay-resistant authentication mechanisms are implemented for network access to privileged accounts.

Review the FIPS status to verify that FIPS mode is enabled, as shown below:

OS10# show fips status

FIPS mode: Enabled
Crypto Library: OpenSSL 1.0.2zg-fips 7 Feb 2023
FIPS Object Module: DELL OpenSSL FIPS Crypto Module v2.6 July 2021
OS10#

Verify that SSH is enabled for network access by reviewing the SSH server status:

OS10# show ip ssh | grep "SSH Server:"
SSH Server: Enabled

Verify that telnet is disabled on the switch by confirming that the following line does not appear in the running configuration:

ip telnet server enable

If FIPS mode is not enabled, if the SSH server is not enabled, or if telnet is enabled on the OS10 Switch, this is a finding.
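The check above is three independent conditions, any one of which is a finding, so it lends itself to being applied to captured CLI output rather than eyeballed on each switch. The following Python is an added example (not part of the STIG and not Dell tooling): it takes the text of "show fips status", "show ip ssh" and the running configuration as captured from a session log and returns the verdict with the reasons. The compliant sample is the output shown in the check text; the non-compliant sample and the running-configuration excerpts are constructed for the example. The parsing assumes the output formats shown above; other OS10 releases may format them differently, and a missing or unrecognised status line is treated as not enabled so the check fails closed.

```python
"""Added example: evaluate OS10-NDM-000390 from captured OS10 CLI output.

Not part of the STIG or of Dell's tooling.  Assumes the output formats shown
in the check text and that the three command outputs were captured separately
(for example from a session log of an administrative SSH session).
"""
import re
from typing import List, Optional, Tuple

# Captured outputs as shown in the check text (compliant switch).
COMPLIANT_FIPS = """OS10# show fips status

FIPS mode: Enabled
Crypto Library: OpenSSL 1.0.2zg-fips 7 Feb 2023
FIPS Object Module: DELL OpenSSL FIPS Crypto Module v2.6 July 2021
OS10#
"""
COMPLIANT_SSH = 'OS10# show ip ssh | grep "SSH Server:"\nSSH Server: Enabled\n'
# Constructed running-configuration excerpt (not from the page).
COMPLIANT_CONFIG = "! constructed excerpt\nip ssh server enable\n"

# Constructed outputs for a non-compliant switch (not from the page).
NONCOMPLIANT_FIPS = "OS10# show fips status\n\nFIPS mode: Disabled\nOS10#\n"
NONCOMPLIANT_SSH = 'OS10# show ip ssh | grep "SSH Server:"\nSSH Server: Disabled\n'
NONCOMPLIANT_CONFIG = "! constructed excerpt\nip telnet server enable\nno ip ssh server enable\n"


def _status_field(output: str, label: str) -> Optional[str]:
    """Return the value following 'label:' at the start of a line, or None."""
    m = re.search(rf"^\s*{re.escape(label)}:\s*(\S+)", output, re.MULTILINE)
    return m.group(1) if m else None


def fips_enabled(show_fips_status: str) -> bool:
    """True only when 'FIPS mode: Enabled' is present; absent counts as disabled."""
    return (_status_field(show_fips_status, "FIPS mode") or "").lower() == "enabled"


def ssh_enabled(show_ip_ssh: str) -> bool:
    """True only when 'SSH Server: Enabled' is present; absent counts as disabled."""
    return (_status_field(show_ip_ssh, "SSH Server") or "").lower() == "enabled"


def telnet_enabled(running_config: str) -> bool:
    """True if the running configuration contains 'ip telnet server enable'.

    Each line is stripped and compared whole, so a negated
    'no ip telnet server enable' line is not mistaken for the enabling statement.
    """
    return any(line.strip() == "ip telnet server enable"
               for line in running_config.splitlines())


def audit(show_fips_status: str, show_ip_ssh: str,
          running_config: str) -> Tuple[bool, List[str]]:
    """Apply the check text: a finding if FIPS is off, SSH is off, or telnet is on.

    Returns (is_finding, reasons) so a report can say why a switch failed.
    """
    reasons = []
    if not fips_enabled(show_fips_status):
        reasons.append("FIPS mode is not enabled")
    if not ssh_enabled(show_ip_ssh):
        reasons.append("SSH server is not enabled")
    if telnet_enabled(running_config):
        reasons.append("telnet server is enabled")
    return bool(reasons), reasons


if __name__ == "__main__":
    samples = [
        ("compliant", (COMPLIANT_FIPS, COMPLIANT_SSH, COMPLIANT_CONFIG)),
        ("non-compliant", (NONCOMPLIANT_FIPS, NONCOMPLIANT_SSH, NONCOMPLIANT_CONFIG)),
    ]
    for name, args in samples:
        finding, reasons = audit(*args)
        print(f"{name}: {'FINDING' if finding else 'not a finding'} {reasons}")
```

Run it directly to see the two verdicts, or import `audit` and feed it the outputs collected from each switch. Treating an absent status line as "not enabled" is deliberate: a truncated capture or a changed output format should produce a finding to be investigated, not a silent pass.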
Fix Text (F-73714r1051724_fix)
Configure the OS10 Switch to implement replay-resistant authentication mechanisms for network access to privileged accounts. Note that enabling FIPS mode regenerates the switch's SSH host keys, so administrators' SSH clients will report a changed host key on their next connection; distribute the new host key fingerprint through a trusted channel rather than having users accept the changed key blindly.

OS10(config)# crypto fips enable

WARNING: Upon committing this configuration, the system will regenerate SSH keys. Please consult documentation and toggle FIPS mode only if you know what you are doing!
Continue? [yes/no(default)]:yes
OS10(config)#

Disable telnet if it has been enabled:
OS10(config)# no ip telnet server enable

Enable SSH if it has been disabled:
OS10(config)# ip ssh server enable