Network devices must only allow SNMP read-only access.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-3969 | NET0894 | SV-3969r5_rule | Medium |
| Description |
|---|
| Enabling write access to the device via SNMP provides a mechanism that can be exploited by an attacker to set configuration variables that can disrupt network operations. |
| STIG | Date |
|---|---|
| WLAN Access Point (Internet Gateway Only Connection) Security Technical Implementation Guide (STIG) | 2019-02-26 |
Details
| Check Text ( C-3942r10_chk ) |
|---|
| Review the network device configuration and verify SNMP community strings are read-only when using SNMPv1, v2c, or basic v3 (no authentication or privacy). Write access may be used if authentication is configured when using SNMPv3. If write-access is used for SNMP versions 1, 2c, or 3-noAuthNoPriv mode and there is no documented approval by the ISSO, this is a finding. |
| Fix Text (F-3902r7_fix) |
|---|
| Configure the network device to allow for read-only SNMP access when using SNMPv1, v2c, or basic v3 (no authentication or privacy). Write access may be used if authentication is configured when using SNMPv3. |