Check: SRG-APP-000175-UEM-000106
Unified Endpoint Management Server SRG:
SRG-APP-000175-UEM-000106
(in versions v2 r3 through v1 r1)
Title
When the UEM server cannot establish a connection to determine the validity of a certificate, the server must be configured not to have the option to accept the certificate. (Cat II impact)
Discussion
When an UEM server accepts an unverified certificate, it may be trusting a malicious actor. For example, messages signed with an invalid certificate may contain links to malware, which could lead to the installation or distribution of that malware on DoD information systems, leading to compromise of DoD sensitive information and other attacks. Satisfies:FIA_X509_EXT.2.2 Reference:PP-MDM-412003
Check Content
Verify the UEM server does not automatically accept a certificate when it cannot establish a connection to determine the validity of a certificate. If the UEM server automatically accepts a certificate when it cannot establish a connection to determine the validity of a certificate, this is a finding.
Fix Text
Configure the UEM server to not automatically accept a certificate when it cannot establish a connection to determine the validity of a certificate.
Additional Identifiers
Rule ID: SV-234379r961038_rule
Vulnerability ID: V-234379
Group Title: SRG-APP-000175
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000185 |
For public key-based authentication, validate certificates by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information. |
Controls
| Number | Title |
|---|---|
| IA-5(2) |
Pki-based Authentication |