ONTAP must recognize only system-generated session identifiers.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-246960	NAOT-SC-000002	SV-246960r769212_rule		Medium

Description
Network device management web interfaces utilize sessions and session identifiers to control management interface behavior and administrator access. If an attacker can guess the session identifier or can inject or manually insert session information, the session may be compromised. Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty hijacking the session or otherwise manipulating valid sessions.

Description

Network device management web interfaces utilize sessions and session identifiers to control management interface behavior and administrator access. If an attacker can guess the session identifier or can inject or manually insert session information, the session may be compromised. Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty hijacking the session or otherwise manipulating valid sessions.

STIG	Date
NetApp ONTAP DSC 9.x Security Technical Implementation Guide	2021-07-28

Details

Check Text ( C-50392r769210_chk )
Use "system services web show" to see if external web services is "true". If ONTAP cannot be configured to recognize only system-generated session identifiers, this is a finding.

Fix Text (F-50346r769211_fix)
Configure ONTAP to recognize only system-generated session identifiers by "system services web modify -external false".