Check: SRG-NET-000234-ALG-000116
Application Layer Gateway SRG:
SRG-NET-000234-ALG-000116
(in versions v2 r2 through v1 r2)
Title
The ALG must generate unique session identifiers using a FIPS 140-2 approved random number generator. (Cat II impact)
Discussion
Sequentially generated session IDs can be easily guessed by an attacker. Generating unique session identifiers randomly helps protect against brute-force attempts to determine future session identifiers. This requirement applies to ALGs that create and use sessions and session identifiers to control user communications. If an attacker can guess the session identifier, or can inject or manually insert session information, the valid user's application session can be compromised.
Check Content
Verify the ALG generates unique session identifiers using a FIPS 140-2 approved random number generator. If the ALG does not generate unique session identifiers using a FIPS 140-2 approved random number generator, this is a finding.
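Added example (not part of the SRG text): a session ID generator backed by the operating system's CSPRNG, plus an audit helper a reviewer could run over a sample of captured session identifiers to flag the sequential or low-entropy patterns the Discussion warns about. The sequential sample below is constructed; whether the host's random source is a FIPS 140-2 validated module is a platform property that must be confirmed separately (assumption noted in the comments).

```python
import math
import secrets
from collections import Counter


def generate_session_id(nbytes: int = 16) -> str:
    """Return a hex session ID from the OS CSPRNG (os.urandom via secrets).

    Assumption: the platform's crypto module is FIPS 140-2 validated; this
    code cannot verify that, it only avoids predictable generators such as
    counters or random.random().
    """
    return secrets.token_hex(nbytes)


def entropy_bits_per_char(ids):
    """Shannon entropy of the character distribution across all sampled IDs."""
    counts = Counter("".join(ids))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def looks_sequential(ids):
    """True when hex IDs advance by a constant small step (counter-like)."""
    try:
        vals = [int(s, 16) for s in ids]
    except ValueError:
        return False
    diffs = [b - a for a, b in zip(vals, vals[1:])]
    return len(diffs) > 1 and len(set(diffs)) == 1 and 0 < abs(diffs[0]) <= 1000


def assess_session_ids(ids, min_len=16, min_entropy=3.5):
    """Return a list of findings; an empty list means no weakness was observed."""
    findings = []
    if len(set(ids)) != len(ids):
        findings.append("duplicate session identifiers")
    if any(len(s) < min_len for s in ids):
        findings.append("session identifier shorter than %d characters" % min_len)
    if looks_sequential(ids):
        findings.append("sequential session identifiers")
    if entropy_bits_per_char(ids) < min_entropy:
        findings.append("low per-character entropy across sample")
    return findings


# Constructed sample of counter-style IDs, the pattern a reviewer should flag.
SEQUENTIAL_SAMPLE = ["0" * 28 + "%04x" % (0x1000 + i) for i in range(8)]
```

Running `assess_session_ids` on a few hundred IDs captured from the ALG gives a reviewer concrete evidence for the check, while an empty result still does not prove the underlying module is FIPS validated.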
Fix Text
Configure the ALG to generate unique session identifiers using a FIPS 140-2 approved random number generator.
Additional Identifiers
Rule ID: SV-204960r396015_rule
Vulnerability ID: V-204960
Group Title: SRG-NET-000234
CCIs
| Number | Definition |
|---|---|
| CCI-001188 | Generate a unique session identifier for each session with organization-defined randomness requirements. |
Controls
| Number | Title |
|---|---|
| SC-23(3) | Unique Session Identifiers with Randomization |