STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020:

The application must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.

DISA Rule

SV-222520r508029_rule

Vulnerability Number

V-222520

Group Title

SRG-APP-000389

Rule Version

APSC-DV-001520

Severity

CAT II

CCI(s)

• CCI-002038 - The organization requires users to reauthenticate upon organization-defined circumstances or situations requiring reauthentication.

Weight

10

Fix Recommendation

Configure the application to require reauthentication before user privilege is escalated and user roles are changed.

Check Contents

Review the application guidance and interview the application administrator.

Identify the application user roles.

Identify the methods and manner in which an application user is allowed to escalate their privileges or change their role.

Create or utilize an account that has 2 roles within the application, both should be non-administrator.
Example: User role and Report Creator role.

Authenticate to the application as the user in the User role.

Access the application functionality that allows the user to change their role and change from the User role to the Report Creator role.

If the user is not prompted to reauthenticate before the user’s role is changed, this is a finding.

Log out of the application and log back in as the User role.

Access the application functionality that allows the user to escalate their privileges to an administrative user.

Attempt to escalate the privileges of the user.

If the user is not prompted to reauthenticate before the user is allowed to proceed with escalated privileges, this is a finding.

Vulnerability Number

V-222520

Documentable

False

Rule Version

APSC-DV-001520

Severity Override Guidance

Review the application guidance and interview the application administrator.

Identify the application user roles.

Identify the methods and manner in which an application user is allowed to escalate their privileges or change their role.

Create or utilize an account that has 2 roles within the application, both should be non-administrator.
Example: User role and Report Creator role.

Authenticate to the application as the user in the User role.

Access the application functionality that allows the user to change their role and change from the User role to the Report Creator role.

If the user is not prompted to reauthenticate before the user’s role is changed, this is a finding.

Log out of the application and log back in as the User role.

Access the application functionality that allows the user to escalate their privileges to an administrative user.

Attempt to escalate the privileges of the user.

If the user is not prompted to reauthenticate before the user is allowed to proceed with escalated privileges, this is a finding.

Check Content Reference

M

Target Key

4093

Comments