The container platform must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.

STIG ID: SRG-APP-000157-CTR-000385  |  SRG: SRG-APP-000157 |  Severity: medium |  CCI: CCI-001941 |  Vulnerability Id: V-233085

Vulnerability Discussion

A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack.

An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message.

A nonprivileged account is any operating system account with authorizations of a nonprivileged user.

Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.

Check

Review the container platform configuration to determine if the container platform is configured to provide replay-resistant authentication mechanisms for network access to nonprivileged accounts.

If the container platform is not configured to provide replay-resistant authentication mechanisms for network access to nonprivileged accounts, this is a finding.

Fix

Configure the container platform to provide replay-resistant authentication mechanisms for network access to nonprivileged accounts.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.