The application must install security-relevant firmware updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-269799	SRG-APP-000457-NDM-000352	OS10-NDM-000810	SV-269799r1051782_rule	2024-12-11	1

Description
Security flaws with firmware are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant firmware updates. Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. Organization-defined time periods for updating security-relevant firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). This requirement will apply to software patch management solutions that are used to install firmware patches across the enclave (e.g., mobile device management solutions). Patch criticality, as well as system criticality will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period used must be a configurable parameter. Time frames for application of security-relevant firmware updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process. The application will be configured to check for and install security-relevant firmware updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

Description

Security flaws with firmware are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant firmware updates. Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. Organization-defined time periods for updating security-relevant firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). This requirement will apply to software patch management solutions that are used to install firmware patches across the enclave (e.g., mobile device management solutions). Patch criticality, as well as system criticality will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period used must be a configurable parameter. Time frames for application of security-relevant firmware updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process. The application will be configured to check for and install security-relevant firmware updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

ℹ️ Check
Verify the OS10 Switch version by entering the following command: OS10# show version Verify the release is the most recent approved release available on Dell.com. All OS10 releases supported by Dell can be found at https://www.dell.com/support. If the OS10 Switch is not running an approved release within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs), this is a finding.

ℹ️ Check

Verify the OS10 Switch version by entering the following command: OS10# show version Verify the release is the most recent approved release available on Dell.com. All OS10 releases supported by Dell can be found at https://www.dell.com/support. If the OS10 Switch is not running an approved release within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs), this is a finding.

✔️ Fix
Upgrade the network device to the latest version of the desired LTS version of OS10 available from Dell support. Step 1: Download the OS10 image file and GPG signature using secure file transfer from a trusted local server: OS10# image download https://hostip/filepath/PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin Download started. Use 'show image status' for updates OS10# OS10# show image status Image Upgrade State: idle ================================================== File Transfer State: transfer-success -------------------------------------------------- State Detail: Completed: No error Task Start: 2024-04-26T16:52:54Z Task End: 2024-04-26T16:53:18Z Transfer Progress: 100 % Transfer Bytes: 959310070 bytes File Size: 959310070 bytes Transfer Rate: 44447 kbps Installation State: idle -------------------------------------------------- State Detail: No install information available Task Start: 0000-00-00T00:00:00Z Task End: 0000-00-00T00:00:00Z OS10# OS10# image download https://hostip/filepath/PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin.gpg OS10# OS10# OS10# dir image Directory contents for folder: image Date (modified) Size (bytes) Name --------------------- ------------ ------------------------------------------ 2024-04-26T16:53:16Z 959310070 PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin 2024-04-26T16:57:36Z 566 PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin.gpg OS10# Step 2: Load the Dell GPG signing key and verify the image GPG signature: OS10# image gpg-key key-server keyserver.ubuntu.com key-id 7FDA043B OS10# OS10# image verify image://PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin gpg signature image://PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin.gpg Image verified successfully. OS10# Step 3: install the new OS10 image into the backup image partition: OS10# image install image://PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin Info: Take the Backup of the configs which can be used during downgrade Install started. Use 'show image status' for updates OS10# OS10# show image status Image Upgrade State: idle ================================================== File Transfer State: transfer-success -------------------------------------------------- State Detail: Completed: No error Task Start: 2024-04-26T16:58:01Z Task End: 2024-04-26T16:58:01Z Transfer Progress: 100 % Transfer Bytes: 350 bytes File Size: 350 bytes Transfer Rate: 3 kbps Installation State: install-success -------------------------------------------------- State Detail: Completed: Success Task Start: 2024-04-26T17:04:48Z Task End: 2024-04-26T17:22:03Z OS10# Step 4: Switch the standby image to be the boot image and reboot the switch: OS10# OS10# boot system standby OS10# OS10# reload Proceed to reboot the system? [confirm yes/no]:yes

✔️ Fix

Upgrade the network device to the latest version of the desired LTS version of OS10 available from Dell support. Step 1: Download the OS10 image file and GPG signature using secure file transfer from a trusted local server: OS10# image download https://hostip/filepath/PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin Download started. Use 'show image status' for updates OS10# OS10# show image status Image Upgrade State: idle ================================================== File Transfer State: transfer-success -------------------------------------------------- State Detail: Completed: No error Task Start: 2024-04-26T16:52:54Z Task End: 2024-04-26T16:53:18Z Transfer Progress: 100 % Transfer Bytes: 959310070 bytes File Size: 959310070 bytes Transfer Rate: 44447 kbps Installation State: idle -------------------------------------------------- State Detail: No install information available Task Start: 0000-00-00T00:00:00Z Task End: 0000-00-00T00:00:00Z OS10# OS10# image download https://hostip/filepath/PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin.gpg OS10# OS10# OS10# dir image Directory contents for folder: image Date (modified) Size (bytes) Name --------------------- ------------ ------------------------------------------ 2024-04-26T16:53:16Z 959310070 PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin 2024-04-26T16:57:36Z 566 PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin.gpg OS10# Step 2: Load the Dell GPG signing key and verify the image GPG signature: OS10# image gpg-key key-server keyserver.ubuntu.com key-id 7FDA043B OS10# OS10# image verify image://PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin gpg signature image://PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin.gpg Image verified successfully. OS10# Step 3: install the new OS10 image into the backup image partition: OS10# image install image://PKGS_OS10-Enterprise-10.5.6.2.110buster-installer-x86_64.bin Info: Take the Backup of the configs which can be used during downgrade Install started. Use 'show image status' for updates OS10# OS10# show image status Image Upgrade State: idle ================================================== File Transfer State: transfer-success -------------------------------------------------- State Detail: Completed: No error Task Start: 2024-04-26T16:58:01Z Task End: 2024-04-26T16:58:01Z Transfer Progress: 100 % Transfer Bytes: 350 bytes File Size: 350 bytes Transfer Rate: 3 kbps Installation State: install-success -------------------------------------------------- State Detail: Completed: Success Task Start: 2024-04-26T17:04:48Z Task End: 2024-04-26T17:22:03Z OS10# Step 4: Switch the standby image to be the boot image and reboot the switch: OS10# OS10# boot system standby OS10# OS10# reload Proceed to reboot the system? [confirm yes/no]:yes