← Back to HYCU Protege Security Technical Implementation Guide

V-268260

CAT II (Medium)

The HYCU virtual appliance must implement replay-resistant authentication mechanisms for network access to privileged accounts.

Rule ID

SV-268260r1038716_rule

STIG

HYCU Protege Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-001941

Discussion

A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.

Check Content

The use of SSH-2 protocol for network/remote access prevents replay attacks. The SSH-2 protocol is the standard for the SSH daemon in the Linux OS used by HYCU.

To determine the SSH version in use, log in to the HYCU console and execute the following command:
ssh -v localhost

If the output does not show remote protocol version 2.0 in use, this is a finding.

HYCU web access uses TLS, which addresses this threat. HYCU web access cannot be configured to not use TLS.

Fix Text

Log in to the HYCU console and configure SSH to use the SSH-2 protocol by editing the protocol variable in the file "/etc/ssh/sshd_config".