
The MDM server must verify all digital certificates in the certificate chain when performing PKI transactions.


Overview

Finding ID: V-36240
Version: SRG-APP-175-MDM-222-SRV
Rule ID: SV-47644r1_rule
IA Controls:
Severity: Low
Description
If an adversary is able to compromise one of the certificates in the certificate chain, the adversary may be able to sign lower-level certificates in the chain. This would enable the adversary to masquerade as other users or systems. By providing the mobile user with such false assurance, the adversary may be able to obtain DoD information, capture authentication credentials, and perform other unauthorized functions. Verifying all digital certificates in the chain mitigates this risk.
STIG: Mobile Device Manager Security Requirements Guide
Date: 2013-01-24

Details

Check Text (C-44480r1_chk)
Review MDM server configuration to validate the MDM server is verifying all digital certificates in the certificate chain when performing PKI transactions. If higher assurance is required, the reviewer should attempt to perform a transaction using a falsely signed certificate. If the certificate is accepted, the operating system is likely not performing the required check of root and intermediate certificates. If all digital certificates in the chain are not being verified during PKI transactions, this is a finding.
Fix Text (F-40770r1_fix)
Configure the MDM server to check all digital certificates in the certificate chain when performing PKI transactions.
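As an added illustration (not part of the STIG and not any MDM vendor's code), the Go program below builds a throwaway three-level PKI and then performs the full-chain verification the fix text requires: once against a legitimate client certificate, and once against the "falsely signed" case from the check text, a certificate whose issuing CA reuses the real CA's name but was never certified by the trusted root. CA names, serial numbers and lifetimes are constructed test values; Go's crypto/x509 Verify checks every signature from leaf to root.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// template is a minimal certificate template (constructed test data, not a DoD PKI profile).
func template(cn string, ca bool, serial int64) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, IsCA: ca}
}
// issue signs tmpl with parentKey; a nil parent yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}
// ChainOK is the check this STIG requires: every signature from the presented certificate up to a trusted root is verified.
func ChainOK(leaf, root *x509.Certificate, intermediates ...*x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err
}
// Scenario builds a legitimate chain and a rogue one whose intermediate reuses the issuing CA's name but is not signed by the trusted root.
func Scenario() (legitErr, rogueErr error) {
	root, rootKey := issue(template("Test Root CA", true, 1), nil, nil)
	inter, interKey := issue(template("Test Issuing CA", true, 2), root, rootKey)
	leaf, _ := issue(template("device01", false, 3), inter, interKey)
	rogueInter, rogueKey := issue(template("Test Issuing CA", true, 2), nil, nil)
	rogueLeaf, _ := issue(template("device01", false, 3), rogueInter, rogueKey)
	return ChainOK(leaf, root, inter), ChainOK(rogueLeaf, root, rogueInter)
}
```

A server that only checks the leaf's subject name or validity dates would accept both chains; the second call returns an unknown-authority error because the rogue intermediate's signature cannot be traced to the trusted root.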