ND-iTC / Documents

ND iTC Document repository (NDcPP, ND SD, and all related files)
MIT License

[NIT Request] FIA_AFL.1 Lockout Scenario #322

Closed sheepbaron closed 8 months ago

sheepbaron commented 11 months ago

Before submitting your request, please check OpenOffice for the current set of Technical Decisions the ND iTC has released, https://ccusersforum.onlyoffice.com/Products/Projects/TMDocs.aspx?prjID=455640#1888103.

Requesting Organization: Michael Baron - Michael.Baron@ul.com - UL CCTL

Status: If your issue arises from a currently active CC evaluation then please tick the ‘On-going certification’ box, submit the completed request through your Certification/Validation Body (CB), and update the 'Certification deadline dates' field.

[ ] On-going certification [ X ] Preparatory/Other

Certification Deadline Dates: If your product is in an on-going CC effort please include any scheme deadlines above. N/A

SFR or Section of cPP/SD in question: NDcPPv3.0 Date: 06-04-2023 > FIA_AFL.1 > Application Note 116

Supporting Document testing in question: The EAs for the SFR associated with the application note do not attempt to test for the enforcement of the premise described in the app note.

Issue: A conflict between the requirement in FIA_UIA_EXT.1.3 and the quasi-requirement described in Application Note 116 exists.

Rationale: Application Note 116 states: "... authentication failures by remote Administrators cannot lead to a situation where no Administrator access is available, either permanently or temporarily (e.g. by providing local logon which is not subject to blocking). ...ensure that Administrator access will always be maintained, even if remote administration is made permanently or temporarily unavailable due to blocking of accounts as a result of FIA_AFL.1."

The conflict occurs because NDcPPv3.0 allows for the case where a TOE provides only a remote management interface (without a means for a local management interface). Since FIA_AFL.1 applies to all remote management interfaces, a scenario can occur where no Administrator access is available due to the FIA_AFL.1 mechanism.

The two selections in FIA_AFL.1.2 do not appear to provide a bypass to this conflict:

  1. No 'out' exists when "until [assignment: action to unlock] is taken by an Administrator" is selected in FIA_AFL.1.2, because if only a remote management interface exists and all accounts are locked out, no action can be taken by an admin: no interface exists from which an admin can be identified and authenticated in order to perform an administrative action. In addition, I don't think a 'factory-reset' capability (via a physical, unauthenticated mechanism) to reset credentials would be acceptable; otherwise I would include that as a selectable option in FIA_AFL.1.2.

  2. If "until an Administrator defined time period has elapsed" is selected in FIA_AFL.1.2, there exists a temporary period where it is possible that all administrators are locked out from accessing the administrative interface.

Proposed Resolution:

  1. Remove the entire quoted text from Application Note 116. While this introduces a Denial of Service vector, it is one of minimal risk and impact. Attackers would need to know all configured usernames on the device in order to successfully perform a complete lockout.
  2. Or, make it clear in the application note that a temporary lockout is acceptable.

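
As an added illustration (not part of the issue or of any ND-iTC document), the following Python model of the FIA_AFL.1.2 selections makes the two cases above concrete for a TOE with only remote management interfaces: the "Administrator action" selection leaves no recovery path once every account is blocked, the "time period" selection leaves a temporary window, and an unblockable local console (the example given in Application Note 116) keeps Administrator access available throughout. The class, account names and thresholds are constructed for the example.

```python
"""Constructed model of FIA_AFL.1 lockout behaviour (example only, not cPP text)."""
from dataclasses import dataclass, field
from typing import Dict, Optional

NEVER = float("inf")  # locked until an Administrator action; no timed recovery


@dataclass
class Account:
    failures: int = 0
    locked_until: Optional[float] = None  # None: not locked; NEVER: needs admin action


@dataclass
class FiaAfl1:
    threshold: int                 # FIA_AFL.1.1: unsuccessful-attempt limit
    unlock: str                    # FIA_AFL.1.2 selection: "admin_action" or "time_period"
    period: float = 0.0            # Administrator-defined period (seconds), time_period only
    local_console: bool = False    # local logon not subject to blocking (App Note 116 example)
    accounts: Dict[str, Account] = field(default_factory=dict)

    def add_admin(self, name: str) -> None:
        self.accounts[name] = Account()

    def failed_attempt(self, name: str, now: float) -> None:
        """Record one authentication failure on a remote interface; block at the limit."""
        acct = self.accounts[name]
        acct.failures += 1
        if acct.failures >= self.threshold and acct.locked_until is None:
            acct.locked_until = NEVER if self.unlock == "admin_action" else now + self.period

    def remote_login_possible(self, name: str, now: float) -> bool:
        acct = self.accounts[name]
        return acct.locked_until is None or now >= acct.locked_until

    def admin_access_available(self, now: float) -> bool:
        """The premise of Application Note 116: some Administrator access path exists now."""
        return self.local_console or any(self.remote_login_possible(n, now) for n in self.accounts)

    def recovery_time(self, now: float) -> float:
        """Earliest time access returns without an Administrator action; NEVER if it cannot."""
        if self.admin_access_available(now):
            return now
        return min(a.locked_until for a in self.accounts.values())


def block_every_account(policy: FiaAfl1, now: float = 0.0) -> FiaAfl1:
    """The complete-lockout scenario from the issue: every known account reaches the limit."""
    for name in list(policy.accounts):
        for _ in range(policy.threshold):
            policy.failed_attempt(name, now)
    return policy
```

Running `block_every_account` against the three policy variants shows which ones violate the premise that Administrator access is always maintained.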
kr15tyk commented 8 months ago

Resolved by the NIT in RFI 202313; no changes required: https://ccusersforum.onlyoffice.co/Products/Files/DocEditor.aspx?fileid=8752231&action=view