Check: BB10-2X-000320
BB10 2 X STIG (version v1 r6)
Title
The BlackBerry 10 OS Work Space must only install and use DoD PKI-issued or DoD-approved server authentication certificates. (Cat II impact)
Discussion
If unauthorized device authentication certificates are installed on the device, there is the potential that the device may connect to a rogue device or network. Rogue devices can mimic the behavior of authorized equipment to trick the user into providing authentication credentials, which could then in turn be used to compromise DoD information and networks. Restricting device authentication certificates to an authorized list mitigates the risk of attaching to rogue devices and networks.
Check Content
From the Work Space, navigate to "Settings >> Security and Privacy >> Certificates" and review each of the enterprise certificate stores ("Enterprise Root Certificates", "Enterprise Intermediate Certificates", and "Enterprise Client Certificates"). Verify that every certificate listed originated from the BDS server. If any certificate did not originate from a DoD BDS server, this is a finding. NOTE: Certificates in stores other than the enterprise certificate stores do not apply.
Fix Text
On BlackBerry Device Service, remove the corresponding .pem file from this folder: <drive>:\<shared_network_folder>\Shared\Certificates\<ENTERPRISE/VPN/WIFI/www>
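An added audit helper for the check and fix above; it is example code, not part of the STIG or of BlackBerry Device Service. It inventories every .pem file under the BDS shared Certificates folder and flags any whose issuer is not on an approved list, so the unapproved files can be reviewed and removed. The folder path and the approved-issuer DN are placeholders to be set per site.

```powershell
# Added audit helper (not part of the STIG or BDS). Lists every .pem file in the
# BDS shared certificate folders and flags any whose issuer is not on the approved list.
# Both values below are placeholders; set them for your site.
$SharedCertRoot  = 'D:\BDSShare\Shared\Certificates'                 # <drive>:\<shared_network_folder>\Shared\Certificates
$ApprovedIssuers = @('CN=EXAMPLE DOD CA, O=U.S. Government, C=US')    # placeholder: DoD PKI / DoD-approved issuer DNs

function Get-BdsCertificateInventory {
    param(
        [string]$Root = $SharedCertRoot,
        [string[]]$Approved = $ApprovedIssuers
    )

    Get-ChildItem -Path $Root -Recurse -File -Filter '*.pem' | ForEach-Object {
        $file = $_
        try {
            # On Windows, X509Certificate2 loads PEM (Base64) files as well as DER files
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file.FullName
            [pscustomobject]@{
                Store      = $file.Directory.Name      # ENTERPRISE, VPN, WIFI or www
                File       = $file.Name
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                NotAfter   = $cert.NotAfter
                Thumbprint = $cert.Thumbprint
                Approved   = ($Approved -contains $cert.Issuer)
            }
        } catch {
            Write-Warning "Could not parse $($file.FullName): $($_.Exception.Message)"
        }
    }
}

# Rows with Approved = False are the candidates for removal under the Fix Text.
Get-BdsCertificateInventory | Sort-Object Approved, Store | Format-Table -AutoSize
```

A .pem bundle that contains a whole chain yields only its first certificate here, so inspect such files separately. Matching the issuer DN is a quick triage; building the chain to the DoD roots with X509Chain is the stricter check if the issuer list is incomplete.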
Additional Identifiers
Vulnerability ID: V-47205
CCIs
| Number | Definition |
|---|---|
| CCI-001159 | The organization issues public key certificates under an organization-defined certificate policy or obtains public key certificates from an approved service provider. |
Controls
| Number | Title |
|---|---|
| SC-17 | Public Key Infrastructure Certificates |