
The Juniper router must be configured with a master password that is used to generate encrypted keys for shared secrets.


Overview

Finding ID: V-220142
Version: JUNI-ND-001460
Rule ID: SV-220142r401224_rule
IA Controls:
Severity: Medium
Description
By default, shared secrets in a Junos configuration use only an obfuscation algorithm ($9$ format), which is not very strong and can easily be decrypted. Strong encryption for configured secrets can be enabled by configuring a master password, which is used as input to the password-based key derivation function (PBKDF2) to generate an encryption key. The key is used as input to the Advanced Encryption Standard in Galois/Counter Mode (AES256-GCM).
STIG: Juniper Router NDM Security Technical Implementation Guide
Date: 2022-09-12

Details

Check Text ( C-21857r388903_chk )
Verify that a master password has been configured by entering the following command:
show configuration system master-password

The output will appear as follows:
password-configured;

Note: The master password is hidden from the configuration.

If a master password has not been configured, this is a finding.
Fix Text (F-21849r388904_fix)
Configure the master password to be used to generate encrypted keys for shared secrets as shown in the example below.

[edit]
set system master-password plain-text-password
Master password: xxxxxxxxxx
Repeat master password: xxxxxxxxxx
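
The check can be automated over saved command output. The following Python is an added example, not part of the STIG: it evaluates the output of `show configuration system master-password` as the Check Text describes and, going beyond the check, lists configuration lines that still hold `$9$`-format values, with the value redacted. The function names and the sample configuration are constructed for illustration.

```python
import re

# A quoted secret in the $9$ obfuscation format named in the Description.
OBFUSCATED = re.compile(r'"\$9\$[^"]*"')

def master_password_finding(cmd_output: str) -> bool:
    """True (a finding) unless the output of
    'show configuration system master-password' has 'password-configured;'."""
    for raw in cmd_output.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blanks and CLI comment lines
            continue
        if line == "password-configured;":
            return False
    return True

def obfuscated_secrets(config_text: str):
    """Return (line_number, redacted_line) for each line holding a $9$ value."""
    hits = []
    for n, raw in enumerate(config_text.splitlines(), start=1):
        if OBFUSCATED.search(raw):
            # Redact so the audit report does not carry the reversible value.
            hits.append((n, OBFUSCATED.sub('"$9$<redacted>"', raw).strip()))
    return hits

def audit(cmd_output: str, config_text: str) -> dict:
    """Combine the STIG check with the informational $9$ inventory."""
    return {"rule": "JUNI-ND-001460",
            "finding": master_password_finding(cmd_output),
            "obfuscated": obfuscated_secrets(config_text)}

# Constructed sample input (not taken from a real device).
SAMPLE_CMD_OUTPUT = "password-configured;\n"
SAMPLE_CONFIG = '''\
system {
    radius-server {
        192.0.2.10 secret "$9$CONSTRUCTEDexample"; ## SECRET-DATA
    }
    ntp {
        authentication-key 1 type md5 value "$9$CONSTRUCTEDexample2"; ## SECRET-DATA
    }
}
'''

if __name__ == "__main__":
    report = audit(SAMPLE_CMD_OUTPUT, SAMPLE_CONFIG)
    print("finding:", report["finding"])
    for n, line in report["obfuscated"]:
        print(f"line {n}: {line}")
```

Only the `finding` value reflects JUNI-ND-001460; the `$9$` inventory is informational.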