Check: SRG-APP-000220-NDM-000268
Network Device Management SRG:
SRG-APP-000220-NDM-000268
(in versions v4 r3 through v2 r7)
Title
The network device must invalidate session identifiers upon administrator logout or other session termination. (Cat II impact)
Discussion
Captured sessions can be reused in "replay" attacks. This requirement limits the ability of adversaries to capture and to continue to employ previously valid session IDs. This requirement is applicable to devices that use a web interface for device management. Session IDs are tokens generated by web applications to uniquely identify an application user's session. Applications will make application decisions and execute business logic based on the session ID. Unique session identifiers or IDs are the opposite of sequentially generated session IDs which can be easily guessed by an attacker. Unique session IDs help to reduce predictability of said identifiers. If a device uses a web interface for device management, when an administrator logs out, or when any other session termination event occurs, the device management web application must invalidate the session identifier to minimize the potential for an attacker to hijack that particular management session.
Check Content
If the network device uses a web interface for device management, determine if the network device invalidates session identifiers upon administrator logout or other session termination. This requirement may be verified by validated test results. If the network device does not invalidate session identifiers upon administrator logout or other session termination, this is a finding.
Fix Text
Configure the network device to invalidate session identifiers upon administrator logout or other session termination.
Additional Identifiers
Rule ID: SV-202075r879637_rule
Vulnerability ID: V-202075
Group Title: SRG-APP-000220
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001185 |
The information system invalidates session identifiers upon user logout or other session termination. |
Controls
Number | Title |
---|---|
SC-23 (1) |
Invalidate Session Identifiers At Logout |