Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-3196 | NET1660 | SV-3196r2_rule | ECSC-1 | High |
Description |
---|
SNMP Versions 1 and 2 are not considered secure. Without the strong authentication and privacy that is provided by the SNMP Version 3 User-based Security Model (USM), an unauthorized user can gain access to network management information used to launch an attack against the network. |
STIG | Date |
---|---|
Infrastructure L3 Switch Secure Technical Implementation Guide - Cisco | 2013-10-08 |
Check Text ( C-3820r5_chk ) |
---|
Review the device configuration to verify it is configured to use SNMPv3 with both SHA authentication and privacy using AES encryption. If the site is using Version 1 or Version 2 with all of the appropriate patches and has developed a migration plan to implement the Version 3 Security Model, this finding can be downgraded to a Category II. To verify the appropriate patches on CISCO devices: Check the following IAVMs associated with SNMPv1: 1. 2001-B-0001 (V0005809) Cisco IOS Software SNMP Read-Write ILMI Community String Vulnerability 2. 2002-A-SNMP-001 (V0005835) Multiple Simple Network Management Protocol Vulnerabilities in Perimeter Devices (Cisco Security Advisory: Malformed SNMP Message-Handling Vulnerabilities) To verify the appropriate patches on other vendors refer to this web site: http://www.cert.org/advisories/CA-2002-03.html. If the targeted asset is running SNMPv3 and does not support SHA or AES, but the device is configured to use MD5 authentication and DES or 3DES encryption, then the finding can be downgraded to a Category III. If the site is using Version 1 or Version 2 and has installed all of the appropriate patches or upgrades to mitigate any known security vulnerabilities, this finding can be downgraded to a Category II. In addition, if the device does not support SNMPv3, this finding can be downgraded to a Category III provided all of the appropriate patches to mitigate any known security vulnerabilities have been applied and has developed a migration plan that includes the device upgrade to support Version 3 and the implementation of the Version 3 Security Model. |
Fix Text (F-3221r3_fix) |
---|
If SNMP is enabled, configure the network element to use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography (i.e., SHA authentication and AES encryption). |