Title

The RUCKUS ICX device must obtain its public key certificates from an appropriate certificate policy through an approved service provider. (Cat II impact)

Discussion

For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this certification authority will suffice.

Check Content

Review the certificate used by the system using the command: SSH@ICX# show ip ssl device-certificate Certificate: Data: Version: 3 (0x2) Serial Number: 3488150 (0x353996) Signature Algorithm: sha256WithRSAEncryption Issuer: CN=RuckusPKI-DeviceSubCA-2, O=Ruckus Wireless Inc., L=Sunnyvale, ST=California, C=US Validity Not Before: Jun 9 09:40:52 2023 GMT Not After : Jun 9 09:40:52 2048 GMT Subject: CN=SN-FNNxxxxxxxx, O=Ruckus Wireless Inc., L=Sunnyvale, ST=California, C=US Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:c5:c0:60:9a:cb:4a:a3:9f:fb:63:c6:21:c2:55: 1f:66:95:f2:9a:fb:eb:37:33:d1:73:28:4b:14:8a: ... If the certificate is not from an approved service provider, this is a finding.

Fix Text

Load an approved certificate onto the system: ICX# copy scp flash x.x.x.x client_cert.pem ssl-client-cert ICX# copy scp flash x.x.x.x client_cert.key.pem ssl-client-private-key ICX# copy scp flash x.x.x.x root_cert.pem ssl-trust-cert

Additional Identifiers

Rule ID: SV-273838r1110850_rule

Vulnerability ID: V-273838

Group Title: SRG-APP-000516-NDM-000344

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.