Check: CISC-ND-000530
Cisco NX OS Switch NDM STIG:
CISC-ND-000530
(in versions v2 r7 through v2 r6)
Title
The Cisco switch must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts. (Cat II impact)
Discussion
A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message.
Check Content
Verify that FIPS mode is enabled as shown in the example below:
show fips status
Note: Cisco NX-OS software supports only SSH version 2 (SSHv2). Beginning in Cisco NX-OS Release 5.1, SSH runs in FIPS mode. Source: Cisco Nexus 7000 Series NX-OS Security Configuration Guide, Release 6.x.
If the switch is not configured to implement cryptographic mechanisms to protect the confidentiality of remote maintenance sessions, this is a finding.
Fix Text
Enable FIPS mode via the command "fips mode enable". Note: The switch will require a reboot for FIPS mode to be enabled.
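The check and fix above can be scripted for a fleet of switches. The following is an added example, not part of the STIG or of any Cisco tooling: it evaluates captured `show fips status` output and maps it to a STIG result tagged with this check's Rule ID, Vulnerability ID and CCI. It assumes the command reports a line of the form "FIPS mode is enabled" or "FIPS mode is disabled" (an assumption about output wording; adjust the pattern to your platform release) and that `fips mode enable` is entered in global configuration mode. The sample outputs are constructed, not captured from a real device. Output that does not match the expected wording is never treated as a pass; it is routed to manual review.

```python
"""Automate CISC-ND-000530 against captured 'show fips status' output.

Added example for illustration; not part of the STIG or Cisco tooling.
Assumption: 'show fips status' prints 'FIPS mode is enabled' or
'FIPS mode is disabled'. Adjust FIPS_STATUS_RE if your release differs.
"""
import re
from dataclasses import dataclass

# Identifiers taken from the STIG entry on this page.
RULE_ID = "SV-220488r929031_rule"
VULN_ID = "V-220488"
CCI = "CCI-001941"

# Assumed output wording of 'show fips status' (see module docstring).
FIPS_STATUS_RE = re.compile(r"FIPS mode is (enabled|disabled)", re.IGNORECASE)

# Constructed sample outputs, not captured from a real switch.
SAMPLE_ENABLED = "FIPS mode is enabled\n"
SAMPLE_DISABLED = "FIPS mode is disabled\n"


@dataclass
class Finding:
    vuln_id: str
    rule_id: str
    cci: str
    status: str   # "NotAFinding", "Open" or "Not_Reviewed" (checklist-style states)
    detail: str


def evaluate_fips_status(output: str) -> Finding:
    """Map one device's 'show fips status' output to a STIG result."""
    match = FIPS_STATUS_RE.search(output)
    if match is None:
        # Unrecognised output must not silently pass: flag for manual review.
        return Finding(VULN_ID, RULE_ID, CCI, "Not_Reviewed",
                       "could not parse 'show fips status' output")
    if match.group(1).lower() == "enabled":
        return Finding(VULN_ID, RULE_ID, CCI, "NotAFinding", "FIPS mode is enabled")
    return Finding(VULN_ID, RULE_ID, CCI, "Open",
                   "FIPS mode is disabled; apply 'fips mode enable' and reboot")


def remediation_commands() -> list[str]:
    """Fix from the STIG, wrapped in config mode (config-mode wrapping is an assumption)."""
    return ["configure terminal", "fips mode enable", "end"]


def summarize(outputs: dict[str, str]) -> dict[str, list[str]]:
    """Group device hostnames by result status for a fleet-wide report."""
    report: dict[str, list[str]] = {"NotAFinding": [], "Open": [], "Not_Reviewed": []}
    for host, output in outputs.items():
        report[evaluate_fips_status(output).status].append(host)
    return report


if __name__ == "__main__":
    fleet = {"core-sw1": SAMPLE_ENABLED, "core-sw2": SAMPLE_DISABLED, "lab-sw1": "% Invalid command"}
    for status, hosts in summarize(fleet).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Feed `evaluate_fips_status` the raw text returned by your collection tool (SSH session log, NX-API response, or a configuration backup); `summarize` turns a hostname-to-output mapping into the three result buckets. Devices in the "Open" bucket still need the reboot noted in the Fix Text after `fips mode enable` is applied and saved.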
Additional Identifiers
Rule ID: SV-220488r929031_rule
Vulnerability ID: V-220488
Group Title: SRG-APP-000156-NDM-000250
Expert Comments
CCIs
Number | Definition
---|---
CCI-001941 | The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.
Controls
Number | Title
---|---
IA-2 (8) | Network Access To Privileged Accounts - Replay Resistant