Check: KNOX-14-210290
Samsung Android OS 14 with Knox 3.x COPE STIG:
KNOX-14-210290
(in versions v1 r2 through v1 r1)
Title
Samsung Android must not accept the certificate when it cannot establish a connection to determine the validity of a certificate. (Cat III impact)
Discussion
Certificate-based security controls depend on the ability of the system to verify the validity of a certificate. If the MOS were to accept an invalid certificate, it could take unauthorized actions, resulting in unanticipated outcomes. At the same time, if the MOS were to disable functionality when it could not determine the validity of the certificate, this could result in a denial of service. Therefore, the ability to provide exceptions is appropriate to balance the tradeoff between security and functionality. Always accepting certificates when they cannot be determined to be valid is the most extreme exception policy and is not appropriate in the DOD context. Involving an Administrator or user in the exception decision mitigates this risk to some degree. SFR ID: FIA_X509_EXT_2.2
Check Content
Verify requirement KNOX-14-210280 (Common Criteria mode) has been implemented. If "Common Criteria mode" has not been implemented, this is a finding.
Fix Text
Implement "Common Criteria mode" (refer to requirement KNOX-14-210280).
Additional Identifiers
Rule ID: SV-258690r931270_rule
Vulnerability ID: V-258690
Group Title: PP-MDF-331080
Expert Comments
CCIs
Number | Definition
---|---
CCI-000185 | The information system, for PKI-based authentication, validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information.
Controls
Number | Title
---|---
IA-5 (2) | PKI-Based Authentication