
The MDM server must query the certification authority to determine whether a public-key certificate has been revoked before accepting the certificate for authentication purposes.


Overview

Finding ID: V-36239
Version: SRG-APP-175-MDM-221-SRV
Rule ID: SV-47643r1_rule
IA Controls: none listed
Severity: Low
Description
Failure to verify a certificate's revocation status can result in the system accepting a revoked, and therefore unauthorized, certificate. Depending on the purpose for which the certificate is intended, this could result in the installation of unauthorized software or in connections to rogue networks. Querying the certification authority for revocation status mitigates the risk that the system will accept an unauthorized certificate.
STIG: Mobile Device Manager Security Requirements Guide
Date: 2013-01-24

Details

Check Text (C-44479r1_chk)
Review MDM server documentation to determine the expected behavior of the system. Inspect readily available configuration settings if these are available. Otherwise, test the MDM server with a known revoked certificate to determine whether the server properly rejects further transactions with the system or object presenting the revoked certificate. If the MDM server accepts a revoked certificate or is configured not to check for certificate revocation, this is a finding.
Fix Text (F-40769r1_fix)
Configure the MDM server to query the certification authority to determine whether a public-key certificate has been revoked before accepting the certificate for authentication purposes.
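The check and fix above describe required behaviour rather than a mechanism. The script below is added here as a worked example; it is not taken from the SRG or from any MDM product. It builds a throwaway CA with openssl, issues a device certificate through the CA database, revokes it, and contrasts a verifier that validates the chain only (the behaviour that is a finding) with one that also consults the CA's CRL. The CA name (Demo-MDM-CA), the device name (device-0001) and the file layout are invented for the demonstration; openssl 1.1 or later is assumed for the -CRLfile option.

```shell
#!/bin/sh
# Added example, not part of the SRG: throwaway CA, revoked device cert,
# and the difference between chain-only and CRL-aware acceptance.
# Names (Demo-MDM-CA, device-0001) and paths are made up for the demo.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LOG="$WORK/openssl.log"

setup_demo_pki() {
  # Minimal `openssl ca` configuration; the v3_ca section marks the root
  # as a CA whose key may sign both certificates and CRLs.
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $WORK/index.txt
new_certs_dir = $WORK
certificate = $WORK/ca.crt
private_key = $WORK/ca.key
serial = $WORK/serial
crlnumber = $WORK/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
unique_subject = no
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  : > "$WORK/index.txt"
  echo 01 > "$WORK/serial"
  echo 01 > "$WORK/crlnumber"
  # Self-signed root.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj /CN=Demo-MDM-CA \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>>"$LOG" || return 1
  # Device certificate issued via `openssl ca`, so it lands in the CA
  # database and can be revoked later.
  openssl req -new -newkey rsa:2048 -nodes -subj /CN=device-0001 \
    -config "$WORK/ca.cnf" -keyout "$WORK/device.key" -out "$WORK/device.csr" 2>>"$LOG" || return 1
  openssl ca -batch -config "$WORK/ca.cnf" -notext \
    -in "$WORK/device.csr" -out "$WORK/device.crt" 2>>"$LOG" || return 1
  # Initial CRL with no entries: nothing is revoked yet.
  openssl ca -batch -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" 2>>"$LOG"
}

revoke_device_cert() {
  openssl ca -batch -config "$WORK/ca.cnf" -revoke "$WORK/device.crt" 2>>"$LOG" || return 1
  # Re-issue the CRL so relying parties can see the revocation.
  openssl ca -batch -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" 2>>"$LOG"
}

# Non-compliant verifier: chain validation only, no revocation query.
naive_verdict() {
  if openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; then echo accept; else echo reject; fi
}

# Compliant verifier: chain validation plus a CRL check for the leaf.
# Without -crl_check openssl ignores the CRL even when it is supplied.
crl_verdict() {
  out=$(openssl verify -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$WORK/ca.crl" "$1" 2>&1) \
    && { echo accept; return 0; }
  case "$out" in
    *"certificate revoked"*) echo reject-revoked ;;
    *) echo reject-other ;;
  esac
}

setup_demo_pki || { echo "PKI setup failed, see $LOG" >&2; exit 1; }
BEFORE=$(crl_verdict "$WORK/device.crt")
revoke_device_cert || { echo "revocation failed, see $LOG" >&2; exit 1; }
AFTER_NAIVE=$(naive_verdict "$WORK/device.crt")
AFTER_CRL=$(crl_verdict "$WORK/device.crt")
echo "before revocation, CRL-aware verifier:  $BEFORE"        # accept
echo "after revocation, chain-only verifier:  $AFTER_NAIVE"   # accept (the finding)
echo "after revocation, CRL-aware verifier:   $AFTER_CRL"     # reject-revoked
```

An OCSP query to the CA's responder satisfies the same control as the CRL lookup shown here. Whichever mechanism the MDM server uses, its configuration also has to define what happens when the CRL or responder cannot be reached: treating an unknown status as "not revoked" reopens exactly the gap this requirement closes, so a fail-closed setting should be part of what the reviewer inspects.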