Title

The Cisco ACI must implement replay-resistant authentication mechanisms for network access to privileged accounts. (Cat II impact)

Discussion

A replay attack may enable an unauthorized user to gain access to the application. authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.

Check Content

Verify the default fabric TLS Protocol: 1. On the menu bar, choose Fabric >> Fabric Policies. 2. In the Navigation pane, select Policies >> Pod >> Management Access >> default. 3. In the Work pane, find the HTTPS section. 4. For SSL Protocols, verify the box for TLS 1.2 or higher is checked. Verify other SSL or TLS versions are not checked. If the Cisco ACI fabric does not implement TLS 1.2 or higher for authentication for network access to privileged accounts, this is a finding.

Fix Text

Configure the default fabric TLS Protocol: 1. On the menu bar, choose Fabric >> Fabric Policies. 2. In the Navigation pane, choose Policies >> Pod >> Management Access >> default. 3. In the Work pane, find the HTTPS section. 4. For SSL Protocols, check the boxes for TLS 1.2 or higher. Uncheck or leave unchecked for any other SSL or TLS version.

Additional Identifiers

Rule ID: SV-271936r1064334_rule

Vulnerability ID: V-271936

Group Title: SRG-APP-000156-NDM-000250

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.