Check: KNOX-09-000750
Samsung OS 9 with Knox 3.x COBO Use Case KPE(AE) Deployment STIG:
KNOX-09-000750
(in versions v1 r4 through v1 r1)
Title
Samsung Android must be configured to enforce a USB host mode exception list. Note: This configuration allows DeX mode (with input devices), which is DoD-approved for use. (Cat II impact)
Discussion
The USB host mode feature allows USB devices to connect to the device (e.g., USB flash drives, USB mouse, USB keyboard) using a micro USB-to-USB adapter cable. The USB host mode exception list allows selected USB devices to operate while disallowing others based on their USB device class. With some USB device classes, a user can copy sensitive DoD information to external USB storage unencrypted, resulting in compromise of DoD data. However, some USB device classes, such as Human Interface Devices (HID), do not allow data to be copied. Disabling all USB devices except for HID mitigates the risk of compromising sensitive DoD data. This allows for DeX mode to be used with a USB keyboard and mouse without compromising DoD data. SFR ID: FMT_SMF_EXT.1.1 #47
Check Content
Review device configuration settings to confirm that the USB host mode exception list is configured. This procedure is performed on both the MDM Administration console and the Samsung Android device. On the MDM console, for the device, in the "Knox restrictions" group, verify that "HID" is selected in the "USB host mode exception list". On the Samsung Android device, do the following: 1. Connect a micro USB-to-USB "On the Go" (OTG) adapter to the device. 2. Connect a USB thumb drive to the adapter. 3. Verify that the device cannot access the USB thumb drive. If on the MDM console "USB host mode exception list" has any selection other than "HID", or on the Samsung Android device the USB thumb drive can be mounted, this is a finding.
Fix Text
Configure Samsung Android with a USB host mode exception list. On the MDM console, for the device, in the "Knox restrictions" group, select "HID" in the "USB host mode exception list".
Additional Identifiers
Rule ID: SV-217681r388482_rule
Vulnerability ID: V-217681
Group Title: PP-MDF-991000
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |