Check: BB10-2X-000250
BB10 2 X STIG: BB10-2X-000250 (in version v1 r6)
Title
BlackBerry 10 OS VPN client must employ DoD PKI-approved mechanisms for authentication when connecting to DoD networks. (Cat II impact)
Discussion
VPNs are vulnerable to attack if they are not supported by strong authentication. An adversary may be able to gain access to network resources and sensitive information if they can compromise the authentication process. Common Access Card (CAC) authentication is a strong cryptographic two-factor authentication that greatly mitigates the risk of VPN authentication breaches. Other DoD-approved PKI mechanisms provide similar levels of assurance. Reference the DoD CIO memorandum regarding interim guidance on the use of derived PKI credentials (2015-05-06 DoD Interim Guidance for Implementing Derived PKI Credentials on Unclass CMDs) for BlackBerry certificate configuration information.
Check Content
From either the Work Space or Personal Space, navigate to "Settings >> Network Connections >> VPN". Select and hold a VPN profile to check, and select "Edit Profile" to edit the VPN Profile.
For each VPN Profile connecting to DoD networks:
- Select the VPN Profile to edit.
- Verify "Authentication Type" is set to "PKI" or "XAUTH-PKI" and grayed out.
Otherwise, this is a finding.
NOTE: If the VPN Profile listed under "Settings >> Network Connections >> VPN" has a briefcase logo on the right side, it was created on BlackBerry Device Service and published to the device. "Authentication Type" for this VPN Profile will be grayed out and enforced.
If no VPN profiles are saved, this requirement is NA.
Fix Text
On BlackBerry Device Service, select the applicable VPN Profile and set "Authentication Type" to "PKI" or "XAUTH-PKI".
Additional Identifiers
Rule ID:
Vulnerability ID: V-47193
Group Title:
CCIs
Number | Definition |
---|---|
CCI-000780 | The information system authenticates devices before establishing wireless network connections using bidirectional authentication between devices that is cryptographically based. |
Controls
Number | Title |
---|---|
No controls are assigned to this check |