Details
Network devices that are configured via a zero-touch deployment or auto-loading feature can have their startup configuration or image pushed to the device for installation via TFTP or Remote Copy (rcp). Loading an image or configuration file from the network is taking a security risk because the file could be intercepted by an attacker who could corrupt the file, resulting in a denial of service.
Solution
Disable configuration auto-loading if enabled using the following commands:
SW1(config)#no boot network
SW1(config)#no service config
Disable CNS zero-touch deployment if enabled as shown in the example below:
SW2(config)#no cns config initial
SW2(config)#no cns exec
SW2(config)#no cns image
SW2(config)#no cns trusted-server config x.x.x.x
SW2(config)#no cns trusted-server image x.x.x.x
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection.This control applies to the following type of system Cisco.
References
- 800-53|SC-5
- CAT|II
- CCI|CCI-002385
- Rule-ID|SV-220427r622190_rule
- STIG-ID|CISC-RT-000090
- STIG-Legacy|SV-110701
- STIG-Legacy|V-101597
- Vuln-ID|V-220427