The Dell OS10 Switch must implement replay-resistant authentication mechanisms for network access to privileged accounts.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
---|---|---|---|---|---|---|
medium | V-269780 | SRG-APP-000156-NDM-000250 | OS10-NDM-000390 | SV-269780r1051725_rule | 2024-12-11 | 1 |
**Description**

A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS-Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.
**ℹ️ Check**

Review the OS10 Switch configuration to determine if replay-resistant authentication mechanisms are implemented for network access to privileged accounts.

Review the FIPS status to verify that FIPS mode is enabled, as shown below:

```
OS10# show fips status
FIPS mode: Enabled
Crypto Library: OpenSSL 1.0.2zg-fips 7 Feb 2023
FIPS Object Module: DELL OpenSSL FIPS Crypto Module v2.6 July 2021
OS10#
```

Verify that SSH is enabled for network access by reviewing the SSH server status:

```
OS10# show ip ssh | grep "SSH Server:"
SSH Server: Enabled
```

Verify that telnet is disabled on the switch by confirming that the following line is not present in the running-configuration:

```
ip telnet server enable
```

If FIPS mode is not enabled, if SSH is not enabled, or if telnet is enabled on the OS10 Switch, this is a finding.
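As an added example (not part of the STIG text or any Dell tooling), the following Python checker applies the three conditions of this check to captured command output, as an auditor might do when collecting `show` output from many switches. The sample outputs and running-configuration fragments are constructed, and the function names are my own.

```python
import re

# Constructed sample capture of "show fips status" on a compliant switch.
FIPS_STATUS_COMPLIANT = """\
FIPS mode: Enabled
Crypto Library: OpenSSL 1.0.2zg-fips 7 Feb 2023
FIPS Object Module: DELL OpenSSL FIPS Crypto Module v2.6 July 2021
"""
# Constructed capture of 'show ip ssh | grep "SSH Server:"'.
SSH_STATUS_COMPLIANT = "SSH Server: Enabled\n"
# Constructed running-configuration fragments: telnet off vs. telnet on.
RUNNING_CONFIG_COMPLIANT = "hostname OS10\nno ip telnet server enable\nip ssh server enable\n"
RUNNING_CONFIG_TELNET_ON = "hostname OS10\nip telnet server enable\nip ssh server enable\n"

FIPS_RE = re.compile(r"^\s*FIPS mode:\s*(\S+)", re.MULTILINE)
SSH_RE = re.compile(r"^\s*SSH Server:\s*(\S+)", re.MULTILINE)
# Anchored at line start and end so "no ip telnet server enable" does NOT match.
TELNET_RE = re.compile(r"^\s*ip telnet server enable\s*$", re.MULTILINE)


def fips_enabled(show_fips_status: str) -> bool:
    """True only if the capture contains 'FIPS mode: Enabled'."""
    m = FIPS_RE.search(show_fips_status)
    return bool(m) and m.group(1).lower() == "enabled"


def ssh_enabled(show_ip_ssh: str) -> bool:
    """True only if the capture contains 'SSH Server: Enabled'."""
    m = SSH_RE.search(show_ip_ssh)
    return bool(m) and m.group(1).lower() == "enabled"


def telnet_enabled(running_config: str) -> bool:
    """True if the running-configuration contains the telnet enable line."""
    return TELNET_RE.search(running_config) is not None


def evaluate(show_fips_status: str, show_ip_ssh: str, running_config: str) -> list[str]:
    """Return the reasons this rule is a finding; an empty list means compliant."""
    reasons = []
    if not fips_enabled(show_fips_status):
        reasons.append("FIPS mode is not enabled")
    if not ssh_enabled(show_ip_ssh):
        reasons.append("SSH server is not enabled")
    if telnet_enabled(running_config):
        reasons.append("telnet server is enabled in running-configuration")
    return reasons


if __name__ == "__main__":
    print(evaluate(FIPS_STATUS_COMPLIANT, SSH_STATUS_COMPLIANT, RUNNING_CONFIG_COMPLIANT))  # []
    print(evaluate(FIPS_STATUS_COMPLIANT, SSH_STATUS_COMPLIANT, RUNNING_CONFIG_TELNET_ON))
```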
**✔️ Fix**

Configure the OS10 Switch to implement replay-resistant authentication mechanisms for network access to privileged accounts:

```
OS10(config)# crypto fips enable
WARNING: Upon committing this configuration, the system will regenerate SSH keys. Please consult documentation and toggle FIPS mode only if you know what you are doing!
Continue? [yes/no(default)]:yes
OS10(config)#
```

Disable telnet if it has been enabled:

```
OS10(config)# no ip telnet server enable
```

Enable SSH if it has been disabled:

```
OS10(config)# ip ssh server enable
```