Rule ID
SV-271936r1113837_rule
Version
V1R2
CCIs
A replay attack may enable an unauthorized user to gain access to the application. authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.
Verify the default fabric TLS Protocol: 1. On the menu bar, choose Fabric >> Fabric Policies. 2. In the Navigation pane, select Policies >> Pod >> Management Access >> default. 3. In the Work pane, find the HTTPS section. 4. For SSL Protocols, verify the box for TLS 1.2 or higher is checked. Verify other SSL or TLS versions are not checked. If the Cisco ACI fabric does not implement TLS 1.2 or higher for authentication for network access to privileged accounts, this is a finding.
Configure the default fabric TLS Protocol: 1. On the menu bar, choose Fabric >> Fabric Policies. 2. In the Navigation pane, choose Policies >> Pod >> Management Access >> default. 3. In the Work pane, find the HTTPS section. 4. For SSL Protocols, check the boxes for TLS 1.2 or higher. Uncheck or leave unchecked for any other SSL or TLS version.