Title

The router must not be configured to have any zero-touch deployment feature enabled when connected to an operational network. (Cat II impact)

Discussion

Network devices that are configured via a zero-touch deployment or auto-loading feature can have their startup configuration or image pushed to the device for installation via TFTP or Remote Copy (rcp). Loading an image or configuration file from the network is taking a security risk because the file could be intercepted by an attacker who could corrupt the file, resulting in a denial of service.

Check Content

Review the device configuration to determine if a configuration auto-loading or zero-touch deployment feature is enabled. If a configuration auto-loading feature or zero-touch deployment feature is enabled, this is a finding. Note: Auto-configuration or zero-touch deployment features can be enabled when the router is offline for the purpose of image loading or building out the configuration. In addition, this would not be applicable to the provisioning of virtual routers via a software-defined network (SDN) orchestration system.

Fix Text

Disable all configuration auto-loading or zero-touch deployment features.

Additional Identifiers

Rule ID: SV-207149r856633_rule

Vulnerability ID: V-207149

Group Title: SRG-NET-000362

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.