Check: CISC-ND-000530
Cisco IOS XR Router NDM STIG:
CISC-ND-000530
(in versions v2 r5 through v1 r1)
Title
The Cisco router must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts. (Cat II impact)
Discussion
A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.
Check Content
Review the router configuration to verify that SSH version 2 is configured as shown in the example below. ssh server v2 Note: IOS XR supports SSHv1 and SSHv2. SSHv1 uses Rivest, Shamir, and Adelman (RSA) keys while SSHv2 uses Digital Signature Algorithm (DSA) keys. If the router is not configured to implement replay-resistant authentication mechanisms for network access to privileged accounts, this is a finding.
Fix Text
Configure the router to use SSH version 2 as shown in the example below. RP/0/0/CPU0:R3(config)#ssh server v2
Additional Identifiers
Rule ID: SV-216531r879597_rule
Vulnerability ID: V-216531
Group Title: SRG-APP-000156-NDM-000250
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001941 |
The information system implements replay-resistant authentication mechanisms for network access to privileged accounts. |
Controls
Number | Title |
---|---|
IA-2 (8) |
Network Access To Privileged Accounts - Replay Resistant |