CISC-RT-000090 - The Cisco router must not be configured to have any zero-touch deployment feature enabled when connected to an operational network.

Information

Network devices that are configured via a zero-touch deployment or auto-loading feature can have their startup configuration or image pushed to the device for installation via TFTP or Remote Copy (rcp). Loading an image or configuration file from the network is taking a security risk because the file could be intercepted by an attacker who could corrupt the file, resulting in a denial of service.

Solution

Disable configuration auto-loading if enabled using the following commands:

R8(config)#no boot network
R8(config)#no service config

Disable CNS zero-touch deployment if enabled as shown in the example below:

R2(config)#no cns config initial
R2(config)#no cns exec
R2(config)#no cns image
R2(config)#no cns trusted-server config x.x.x.x
R2(config)#no cns trusted-server image x.x.x.x

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS-XE_Router_Y24M07_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5, CAT|II, CCI|CCI-002385, Rule-ID|SV-216649r855812_rule, STIG-ID|CISC-RT-000090, STIG-Legacy|SV-106009, STIG-Legacy|V-96871, Vuln-ID|V-216649

Plugin: Cisco

Control ID: 9f5a1a84c129164d97c0033a7d985a68e5a4a432dfb061e8448ea8e36ae34ab3