UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The MDM server must query the certification authority to determine whether a public-key certificate has been revoked before accepting the certificate for authentication purposes.


Overview

Finding ID Version Rule ID IA Controls Severity
V-36239 SRG-APP-175-MDM-221-SRV SV-47643r1_rule Low
Description
Failure to verify a certificate’s revocation status can result in the system accepting a revoked and therefore authorized certificate. This could result in the installation of unauthorized software or connection for rogue networks, depending on the use for which the certificate is intended. Querying for certificate revocation mitigates the risk that the system will accept an unauthorized certificate.
STIG Date
Mobile Device Manager Security Requirements Guide 2013-01-24

Details

Check Text ( C-44479r1_chk )
Review MDM server documentation to determine the expected behavior of the system. Inspect readily available configuration settings if these are available. Otherwise, test the MDM server with a known revoked certificate to determine whether the server properly rejects further transactions with the system or object presenting the revoked certificate. If the MDM server accepts a revoked certificate or is configured not to check for certificate revocation, this is a finding.
Fix Text (F-40769r1_fix)
Configure the MDM server to query the certification authority to determine whether a public-key certificate has been revoked before accepting the certificate for authentication purposes.