Title

Server Authentication is not configured on the Sun Ray server. (Cat II impact)

Discussion

It is possible to spoof a Sun Ray server or a Sun Ray client and pose as either. This leads to the man-in-the-middle attack, in which an impostor claims to be the Sun Ray server for the clients and pretends to be a client for the server. It then goes about intercepting all the messages and having access to all the secure data. Client and server authentication can resolve this type of attack. Server-side authentication is only supported, through the pre-configured public-private key pairs in Sun Ray Server Software and firmware. The Digital Signature Algorithm (DSA) is used to verify that clients are communicating with a valid Sun Ray server. This authentication scheme is not completely foolproof, but it mitigates man-in-the-middle attacks and makes it harder for attackers to spoof Sun Ray Server Software.

Check Content

Within the Sun Ray Administration console, perform the following: 1. Select the Advanced Tab. 2. Select the Security Tab. 3. Verify that “Server Authentication” is checked. If it is not checked, this is a finding.

Fix Text

Enable Server Authentication for the Sun Ray server.

Additional Identifiers

Rule ID:

Vulnerability ID: V-16148

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.