Check: SRG-APP-000223-DB-000168
Database SRG:
SRG-APP-000223-DB-000168
(in versions v3 r4 through v2 r10)
Title
The DBMS must recognize only system-generated session identifiers. (Cat II impact)
Discussion
DBMSs utilize sessions and session identifiers to control application behavior and user access. If an attacker can guess the session identifier or can inject or manually insert session information, the session may be compromised. This requirement focuses on communications protection for the DBMS session rather than for the network packet. The intent of this control is to establish grounds for confidence at each end of a communications session in the ongoing identity of the other party and in the validity of the information being transmitted. The DBMS must recognize only system-generated session identifiers. If an attacker were able to generate a session with a non-system-generated session identifier and have it recognized by the system, the attacker could gain access to the system without passing through access controls designed to limit database sessions to authorized users.
Check Content
Review DBMS settings and vendor documentation to determine whether the DBMS recognizes session identifiers that are not system-generated. If the DBMS recognizes session identifiers that are not system generated, this is a finding.
Fix Text
Utilize a DBMS product that only recognizes session identifiers that are system-generated.
Additional Identifiers
Rule ID: SV-206566r879638_rule
Vulnerability ID: V-206566
Group Title: SRG-APP-000223
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001664 |
The information system recognizes only session identifiers that are system-generated. |
Controls
Number | Title |
---|---|
SC-23 (3) |
Unique Session Identifiers With Randomization |