The router must have configuration auto-loading disabled.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-3080 | NET0760 | SV-3080r2_rule | ECSC-1 | Medium |
| Description |
|---|
| Routers can find their startup configuration either in their own NVRAM or access it over the network via TFTP or Remote Copy (rcp). Loading the image from the network is taking a security risk since the image could be intercepted by an attacker who could corrupt the image resulting in a denial of service. |
| STIG | Date |
|---|---|
| Infrastructure L3 Switch Secure Technical Implementation Guide - Cisco | 2013-10-08 |
Details
| Check Text ( C-3574r5_chk ) |
|---|
| IOS Procedure: Review the router configuration and verify the "boot network" and "service config" commands are not defined. Since version 12.0, these commands have been disabled by default. If configured, the "service config" command will be found right after the version, and the "boot network" command will be found between the boot-start-marker and boot-end-marker commands. |
| Fix Text (F-3105r4_fix) |
|---|
| IOS Procedure: Disable configuration auto-loading by entering the "no boot network" and "no service config" commands. |