
The MDM server must not transmit passwords in clear text.


Overview

Finding ID: V-36025
Version: SRG-APP-172-MDM-022-SRV
Rule ID: SV-47414r1_rule
IA Controls: (none listed)
Severity: High
Description
Transmission of passwords in clear text reveals the password to any adversary who can successfully eavesdrop on the communication. In the case of wireless communication, the ability to eavesdrop is available to anyone within the range of the device’s radio signal, which in some cases can be miles. Once an adversary has obtained a password, the adversary may be able to use it to compromise sensitive DoD information or other DoD information systems. Using methods that avoid the transmission of passwords in clear text mitigates the risk of this attack.
STIG Date
Mobile Device Manager Security Requirements Guide 2013-01-24

Details

Check Text (C-44264r1_chk)
Review the MDM server configuration to determine whether it is possible to transmit passwords in clear text. If it is determined that the system transmits passwords in clear text, this is a finding.
Fix Text (F-40555r1_fix)
Configure the MDM server so it does not transmit passwords in clear text.