Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-6129 | APP3305 | SV-6129r2_rule | IATS-1 IATS-2 | High |
Description |
---|
The application should not provide access to users or other entities using expired, revoked or improperly signed certificates because the identity cannot be verified. |
STIG | Date |
---|---|
Application Security and Development Checklist | 2014-12-22 |
Check Text ( C-2943r2_chk ) |
---|

If the application is not PK-enabled, this check is not applicable. If the application resides on the SIPRNet and PKI infrastructure is unavailable, this check is not applicable. This check is not applicable where system users are determined to be information privileged individuals, volunteers, or reservists, as required in the DoDI 8520.2.

DoD test certificates can be obtained from the following website: http://jitc.fhu.disa.mil/pki/lab2.html

Note: Before executing this check, the following certificate types need to be obtained:

• Expired
• Revoked
• Improperly Signed

If the application is PK-enabled and is not using DoD PKI certificates, the application representative will need to provide these certificates.

If the application is a web application that utilizes client certificates, validate proper PKI functionality by using a test system configured to use an expired certificate, a revoked certificate, and an improperly signed certificate. The test system should contain three user profiles: one with a revoked certificate, one with an expired certificate, and one with an improperly signed certificate. Log on with each of the user accounts for which there is an associated "bad certificate" profile and perform selected functions in the application that require the use of a certificate (e.g., authentication).

1) If the expired, revoked, or improperly signed certificate can be used for application functions, it is a finding.

Also, review the web server's configuration to ascertain whether appropriate certificate validity checks are occurring.

2) If the web server does not check for and deny expired, revoked, or improperly signed certificates, it is a finding.

If the application is not a web application, work with an application SA to identify PK-enabled application functions, and then sequentially install the invalid certificates, testing each of the functions against each of the certificates.

3) Any successful use of any of the invalid certificates is a finding.

If a finding is found in any of the preceding steps, document the details of the finding, including the following:

• Which of the invalid certificates was accepted (potentially more than one).
• The specific application functions that accepted the invalid certificate.

*Note: Do not use security libraries (WS-Security, SAML, and XML) that do not perform full certificate validation adequately. Checking should include validating the certificate against the CA's Certificate Revocation List (CRL) or the Online Certificate Status Protocol (OCSP).
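The validation the check text expects from the application (and the three "bad certificate" profiles used to test it) can be exercised in code. The Go example below is added here and is not part of the STIG or of any DISA tooling: `Issue` mints certificates from a throwaway test CA (Ed25519 keys, a fixed `Clock`, and names such as `Test CA` are this example's own assumptions), and `Validate` performs the chain, validity-period and CRL checks, failing closed when the CRL is not CA-signed or is past its `NextUpdate`; OCSP is not shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

var Clock = time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC) // constructed "now" so every validity period below is deterministic

// Issue mints a test certificate valid from fromM to toM months around Clock, signed by parent (nil parent: self-signed CA).
func Issue(serial int64, cn string, fromM, toM int, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: parent == nil, BasicConstraintsValid: true,
		NotBefore: Clock.AddDate(0, fromM, 0), NotAfter: Clock.AddDate(0, toM, 0), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	if parent == nil {
		parent, pkey = t, key // self-signed: the template is its own issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Validate applies the checks the STIG calls for: chain to the trusted CA, validity at time now,
// and revocation against a CRL that must itself be CA-signed and current (otherwise fail closed).
func Validate(leaf, ca *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err // expired, not yet valid, or not properly signed by the trusted CA
	}
	if err := crl.CheckSignatureFrom(ca); err != nil || now.After(crl.NextUpdate) {
		return errors.New("CRL is not signed by the CA or is stale")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return errors.New("certificate is revoked")
		}
	}
	return nil
}
```

To build the three profiles: the "expired" one is issued with a negative `toM`, the "revoked" one has its serial listed in a CRL produced with `x509.CreateRevocationList` under the CA key, and the "improperly signed" one is issued by a second self-signed CA with the same name whose key is not in the trust store.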
Fix Text (F-17021r1_fix) |
---|
Enable the application to provide certificate validation. |