Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-25548 | WIR1355-03 | SV-31764r3_rule | Low |
Description |
---|
When a self-signed PKI certificate is used, a rogue BES can impersonate the DoD BES during SA connections to the BlackBerry Administration Service (BAS) or when a BlackBerry user uses BlackBerry Web Desktop Manager (BWDM) to connect to the BAS. In addition, DoDI 8520-02 requires PKI certificates come from a trusted DoD PKI. |
STIG | Date |
---|---|
BlackBerry Enterprise Server (version 5.x), Part 2 Security Technical Implementation Guide | 2016-09-08 |
Check Text ( C-32097r4_chk ) |
---|
Verify a DoD server certificate has been installed on the BES and the self-signed certificate, available as an option during the setup of the BES, has not been installed. Ask the BlackBerry Administrator to access the BAS login console using Internet Explorer. Verify no certificate error occurs. Click the "Lock" icon next to the address bar then select "view certificates". On the "General" tab, verify the "Issued to:" and "Issued by:" fields do not show the same value. Then on the "Certification Path" tab, verify the top certificate is a trusted DoD Root certificate authority (e.g., DoD Root CA 2) and the certificate status field states "This certificate is OK". Remediation: If a certificate error occurs either the default self-signed certificate is still installed, the BlackBerry Enterprise Server has not been rebooted since the DoD-issued certificate has been installed, or the computer accessing the BAS does not have the DoD Root and Intermediate certificate authorities installed. The reviewer can select the "Continue to this website" option and follow the same procedure above. If the certificate is issued from an approved DoD PKI, ask the BlackBerry Administrator to run InstallRoot on the computer accessing the BAS. Otherwise, have the BlackBerry Administrator follow the procedures outlined in the STIG to request/install a certificate issued from a trusted DoD PKI. |
Fix Text (F-28492r2_fix) |
---|
Use a DoD-issued digital certificate on the BES to support BAS and BWDM authentication. |