Title

A KVM switch with configurable features must have the configuration protected from modification with a DoD compliant password. (Cat II impact)

Discussion

If the KVM switch is configurable, some features that are available such as auto toggling between attached ISs are not permitted. If the configuration is not protected by a password it can be modified by any user allowing features that are not permitted. This can lead to the compromise of sensitive data. If the KVM switch has configurable features, the ISSO or SA will ensure the configuration is protected from modification with a DoD compliant password.

Check Content

If the KVM switch is configurable, the reviewer will, with the assistance of the SA, try to change the configuration with a random password and with no password. If the reviewer is able to change the configuration with a random password or no password, then this is a finding. Note: The emphasis here is the protection of the configuration not the technique, if the configuration is protected as a function of a privileged user id/password sign in or by a DoD PKI (for network attached KVM switches) this fulfills this requirement.

Fix Text

If the KVM switch’s configuration can be protected by a password, including user id/password combinations or PKI for network attached switches, create a DOD compliant password to protect the configuration. If the KVM switch’s configuration cannot be protected by a password, including user id/password combinations or PKI for network attached switches, replace it with a KVM switch that either has no configuration or the configuration can be protected by a password.

Additional Identifiers

Rule ID: SV-6843r2_rule

Vulnerability ID: V-6681

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.