nipper v1-Final (1)

Invictux

Audit Report

Summary

Invictux performed an audit on Wednesday, December 11, 2024 of the network device described in the audit scope. The report
consists of the following:

a best practice security audit section which details any identified security-related issues. Each security issue identified includes
details of what was found together with the impact of the issue, how easy it would be for an attacker to exploit it and a
recommendation. The recommendations may include alternatives and, where relevant, the commands to resolve the issue;
a National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) vulnerability audit that compares
the software versions against the vulnerability database. Each finding includes details about the vulnerability, a Common
Vulnerability Scoring System (CVSS) severity rating and links to vendor references and more;
a NIST SP 800-53 Revision 5 audit of controls, mapped to DISA STIG checks via CCI references.

Audit Scope
The scope of this audit was limited to the device described in Table 1.

Device | Name | OS
Cisco Catalyst Switch | JED-DC-CORE-SW.catrion.local | IOS 17.9

Table 1: Audit scope

Best Practice Security


Invictux performed a best practice security audit of the one device detailed in the scope and identified 36 security-related findings.
Although significant findings were identified that Invictux recommends should be reviewed as soon as is practical, most of the
security findings were rated as low or informational. Each of the findings identified is described in greater detail in the main body of
this report.

Invictux can draw the following statistics from the results of this security assessment (percentages have been rounded). 5 findings
(14%) were rated as high, 5 findings (14%) were rated as medium, 17 findings (47%) were rated as low and 9 findings (25%) were
rated as informational.

(Charts: Severity Classification; Issue Classification)


Table 2 details the number of findings identified for each audited device and the rating of the highest rated finding.

Device | Name | Findings | Highest Rating
Cisco Catalyst Switch | JED-DC-CORE-SW.catrion.local | 36 | High

Table 2: Summary of findings for each device

Ease \ Impact | Informational | Low | Medium | High | Critical
Trivial | 6 | 2 | 0 | 1 | 0
Easy | 0 | 10 | 1 | 3 | 0
Moderate | 1 | 2 | 2 | 4 | 0
Challenging | 2 | 0 | 0 | 2 | 0

Table 3: Invictux "Impact" (columns) against Invictux "Ease" (rows)

NIST NVD
Invictux performed a NIST NVD software vulnerability audit. The audit compared the device's software version details with those
recorded in the NVD to identify any known vulnerabilities in the software currently in use.

Invictux identified 42 vulnerabilities of which the highest was rated as critical.

Device | Critical | High | Medium | Low | Info | Total
JED-DC-CORE-SW.catrion.local | 2 | 11 | 27 | 2 | 0 | 42

Table 4: Device software vulnerability summary

New vulnerabilities are constantly being discovered and reported, which makes it important to keep the vulnerability database up to
date. The vulnerability database used for this audit was last updated on Monday, September 30, 2024, roughly ten weeks before the
audit date, so vulnerabilities published after that date are not reflected in the figures above.

(Charts: Severity Classification; Vulnerability Classification)

Attack Complexity \ Attack Vector | Not Defined | Physical | Local | Adjacent Network | Network
Low | 0 | 0 | 0 | 0 | 6
High | 0 | 0 | 0 | 0 | 0
Not Defined | 0 | 0 | 0 | 0 | 0

Table 5: CVSS v3.1 "Attack Vector" (columns) against CVSS v3.1 "Attack Complexity" (rows)

Only 6 of the 42 vulnerabilities appear in Table 5; the remaining 36 carry no CVSS v3.1 vector in the database (most of the CVEs
listed in the contents predate CVSS v3) and are rated under the CVSS v2 scale described later in this report.

It is worth noting that although a software vulnerability may be present, it may not be exploitable unless the device is in a
specific configuration. It is also worth noting that the vulnerability database only contains publicly known vulnerabilities and not
undisclosed issues known only to the manufacturers and third parties; the database may also not list every affected software
version.
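The version comparison described above, as an added example that is not the report's or Invictux's own code: a small Python matcher that takes a device's vendor, product and version and evaluates it against NVD-style CPE match criteria (the `criteria`, `vulnerable` and `versionStart*`/`versionEnd*` fields used by the NVD API 2.0 feeds). The feed records are constructed for the example, with placeholder identifiers of the form CVE-0000-000N and invented version ranges; they are not real NVD entries and say nothing about the CVEs in this report. The version comparator splits Cisco-style strings such as 15.2(4)M4 into numeric and alphabetic tokens; that ordering is an assumption of this example, not a rule published by NVD.

```python
"""Match a device's software version against NVD-style CPE match criteria.

Added example. The feed below is constructed: placeholder CVE-0000-000N identifiers
and invented ranges, flattened from the NVD API 2.0 shape (configurations ->
nodes -> cpeMatch) into one cpeMatch list per record.
"""
import re

SAMPLE_FEED = [
    {"id": "CVE-0000-0001", "cpeMatch": [
        {"vulnerable": True, "criteria": "cpe:2.3:o:cisco:ios:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "17.6", "versionEndExcluding": "17.9.4"}]},
    {"id": "CVE-0000-0002", "cpeMatch": [           # exact version only, no range
        {"vulnerable": True, "criteria": "cpe:2.3:o:cisco:ios:17.3.1:*:*:*:*:*:*:*"}]},
    {"id": "CVE-0000-0003", "cpeMatch": [
        {"vulnerable": True, "criteria": "cpe:2.3:o:cisco:ios:*:*:*:*:*:*:*:*",
         "versionEndIncluding": "15.9"}]},
    {"id": "CVE-0000-0004", "cpeMatch": [           # escaped parentheses in the CPE
        {"vulnerable": True, "criteria": "cpe:2.3:o:cisco:ios:15.2\\(4\\)m4:*:*:*:*:*:*:*"}]},
]


def parse_cpe23(criteria):
    """Split a CPE 2.3 formatted string on unescaped colons and unescape the fields."""
    fields = re.split(r"(?<!\\):", criteria)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {criteria!r}")
    unescape = lambda s: re.sub(r"\\(.)", r"\1", s)
    return {"part": fields[2], "vendor": unescape(fields[3]),
            "product": unescape(fields[4]), "version": unescape(fields[5])}


def version_key(version):
    """Tokenise '15.2(4)M4' -> [15, 2, 4, 'm', 4]; numbers sort before letters.

    Assumption of this example: NVD publishes no comparison rule for vendor
    version strings, so a plain numeric/alpha token order is used here.
    """
    tokens = re.findall(r"\d+|[A-Za-z]+", version)
    return [(0, int(t)) if t.isdigit() else (1, t.lower()) for t in tokens]


def compare_versions(a, b):
    """-1, 0 or 1; shorter keys are padded with zeros so '17.9' == '17.9.0'."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += [(0, 0)] * (width - len(ka))
    kb += [(0, 0)] * (width - len(kb))
    return (ka > kb) - (ka < kb)


def cpe_matches(entry, vendor, product, version):
    """Apply one cpeMatch entry: product match, then exact version or range bounds."""
    cpe = parse_cpe23(entry["criteria"])
    if not entry.get("vulnerable", True):
        return False
    if cpe["vendor"] != vendor.lower() or cpe["product"] != product.lower():
        return False
    if cpe["version"] == "-":            # NA: the criterion carries no version
        return False
    if cpe["version"] != "*":            # exact-version criterion, no range applies
        return compare_versions(cpe["version"], version) == 0
    bounds = (("versionStartIncluding", lambda c: c >= 0),
              ("versionStartExcluding", lambda c: c > 0),
              ("versionEndIncluding", lambda c: c <= 0),
              ("versionEndExcluding", lambda c: c < 0))
    return all(ok(compare_versions(version, entry[key]))
               for key, ok in bounds if key in entry)


def affected_cves(feed, vendor, product, version):
    """Return the IDs of records with at least one matching vulnerable cpeMatch."""
    return [rec["id"] for rec in feed
            if any(cpe_matches(e, vendor, product, version) for e in rec["cpeMatch"])]


if __name__ == "__main__":
    for v in ("17.9", "17.9.4", "15.2(4)M4"):
        print(v, affected_cves(SAMPLE_FEED, "cisco", "ios", v))
```

Two things the run makes visible that the summary does not: a record written as a single exact version (CVE-0000-0002 here) matches nothing but that one version, which is how "the database may not list every affected software version" plays out in practice, and an `versionEndExcluding` bound makes the first fixed release (17.9.4 in the constructed data) fall outside the match while 17.9 falls inside it, so an off-by-one in the comparator silently flips a finding.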

NIST SP 800-53 Summary


Invictux performed a NIST SP 800-53 audit on Wednesday, December 11, 2024 of one device. This is a summary of those
findings. Invictux identified 16 passes, 23 fails and 10 checks that require further investigation.

Overall NIST SP 800-53 summary findings

Status | Total
Pass | 16
Fail | 23
Investigate | 10

Table 6: Overall NIST SP 800-53 summary findings table

Control | Title | Status | Device | Risk
AC-12 | Session Termination | Fail | JED-DC-CORE-SW.catrion.local | CAT-I
CM-6(1) | Automated Management, Application, & Verification | Fail | JED-DC-CORE-SW.catrion.local | CAT-I
CM-7(b) | Prohibit/restrict use of defined functions, ports, protocols, software, and/or services | Fail | JED-DC-CORE-SW.catrion.local | CAT-I
AC-2(4) | Automated Audit Actions | Fail | JED-DC-CORE-SW.catrion.local | CAT-II
AC-2(7a) | Privileged User Accounts | Fail | JED-DC-CORE-SW.catrion.local | CAT-II
AC-4(17) | Domain Authentication | Fail | JED-DC-CORE-SW.catrion.local | CAT-II
AC-6(9) | Log Use Of Privileged Functions | Fail | JED-DC-CORE-SW.catrion.local | CAT-II
AC-7(a) | Unsuccessful Logon Attempts | Fail | JED-DC-CORE-SW.catrion.local | CAT-II
AC-8(a) | System Use Notification | Fail | JED-DC-CORE-SW.catrion.local | CAT-II
AC-10 | Concurrent Session Control | Fail | JED-DC-CORE-SW.catrion.local | CAT-II
AU-3(1) | Additional Audit Information | Fail | JED-DC-CORE-SW.catrion.local | CAT-II
AU-4 | Audit Log Storage Capacity | Fail | JED-DC-CORE-SW.catrion.local | CAT-II
AU-8(b) | Record time stamps for audit records | Fail | JED-DC-CORE-SW.catrion.local | CAT-II
AU-10 | Non-Repudiation | Fail | JED-DC-CORE-SW.catrion.local | CAT-II
AU-12(b) | Audit Record Generation | Fail | JED-DC-CORE-SW.catrion.local | CAT-II
AU-12(c) | Audit Record Generation | Fail | JED-DC-CORE-SW.catrion.local | CAT-II
CM-7(a) | Configure the system to provide only mission-essential capabilities | Fail | JED-DC-CORE-SW.catrion.local | CAT-II
IA-5(1)(b) | Password-Based Authentication | Fail | JED-DC-CORE-SW.catrion.local | CAT-II
IA-5(2)(a)(2) | Public Key-Based Authentication | Fail | JED-DC-CORE-SW.catrion.local | CAT-II
IA-7 | Cryptographic Module Authentication | Fail | JED-DC-CORE-SW.catrion.local | CAT-II
SC-7(a) | Monitor & control communications at the external managed interfaces | Fail | JED-DC-CORE-SW.catrion.local | CAT-II
SC-45(2) | System Time Synchronization | Fail | JED-DC-CORE-SW.catrion.local | CAT-II
SI-11(b) | Error Handling | Fail | JED-DC-CORE-SW.catrion.local | CAT-II

Table 7: NIST SP 800-53 audit findings (Fail)

Control | Title | Status | Device | Risk
AC-17(2) | Protection Of Confidentiality & Integrity Using Encryption | Pass | JED-DC-CORE-SW.catrion.local | CAT-I
AU-4(1) | Transfer to Alternate Storage | Pass | JED-DC-CORE-SW.catrion.local | CAT-I
IA-3 | Device Identification & Authentication | Pass | JED-DC-CORE-SW.catrion.local | CAT-I
IA-5(1)(c) | Password-Based Authentication | Pass | JED-DC-CORE-SW.catrion.local | CAT-I
SC-10 | Network Disconnect | Pass | JED-DC-CORE-SW.catrion.local | CAT-I
AU-3 | Content Of Audit Records | Pass | JED-DC-CORE-SW.catrion.local | CAT-II
AU-5(2) | Real-time Alerts | Pass | JED-DC-CORE-SW.catrion.local | CAT-II
AU-9 | Protection Of Audit Information | Pass | JED-DC-CORE-SW.catrion.local | CAT-II
AU-12(a) | Audit Record Generation | Pass | JED-DC-CORE-SW.catrion.local | CAT-II
CM-5(6) | Limit Library Privileges | Pass | JED-DC-CORE-SW.catrion.local | CAT-II
IA-3(1) | Cryptographic Bidirectional Authentication | Pass | JED-DC-CORE-SW.catrion.local | CAT-II
IA-11 | Re-authentication | Pass | JED-DC-CORE-SW.catrion.local | CAT-II
MA-4(e) | Terminate session & network connections when nonlocal maintenance is complete | Pass | JED-DC-CORE-SW.catrion.local | CAT-II
SC-5(2) | Capacity, Bandwidth, and Redundancy | Pass | JED-DC-CORE-SW.catrion.local | CAT-II
SC-13 | Cryptographic Protection | Pass | JED-DC-CORE-SW.catrion.local | CAT-II
AC-4(8) | Security and Privacy Policy Filters | Pass | JED-DC-CORE-SW.catrion.local | CAT-III

Table 8: NIST SP 800-53 audit findings (Pass)

Control | Title | Status | Device | Risk
IA-2(8) | Access to Accounts — Replay Resistant | Investigate | JED-DC-CORE-SW.catrion.local | CAT-I
MA-4(6) | Cryptographic Protection | Investigate | JED-DC-CORE-SW.catrion.local | CAT-I
SC-5 | Denial-of-service Protection | Investigate | JED-DC-CORE-SW.catrion.local | CAT-I
SC-7(5) | Deny By Default — Allow By Exception | Investigate | JED-DC-CORE-SW.catrion.local | CAT-I
AC-4 | Information Flow Enforcement | Investigate | JED-DC-CORE-SW.catrion.local | CAT-II
AU-5(4) | Shutdown on Failure | Investigate | JED-DC-CORE-SW.catrion.local | CAT-II
CP-9(b) | Conduct backups of system documentation | Investigate | JED-DC-CORE-SW.catrion.local | CAT-II
IA-5(2)(a)(1) | Public Key-Based Authentication | Investigate | JED-DC-CORE-SW.catrion.local | CAT-II
SC-17 | Public Key Infrastructure Certificates | Investigate | JED-DC-CORE-SW.catrion.local | CAT-II
SC-23(3) | Session Authenticity | Investigate | JED-DC-CORE-SW.catrion.local | CAT-II

Table 9: NIST SP 800-53 audit findings (Investigate)

Contents

Your Report
Evaluation Use Only
Report Conventions
Compliance Status
CVSS v2 Ratings
CVSS v3.1 Ratings
DISA STIG Ratings
Invictux Ratings
Network Filtering Actions
Network Filter Objects
Best Practice Security
Introduction
Unicast RPF Verification Was Disabled
STP Not Enabled On All Interfaces
STP BPDU Guard Was Not Enabled
STP Root Guard Not Enabled
OSPF Routing Updates With No Authentication
Users With A Weak Authentication Password
DTP Was Enabled
Users Configured With Cisco Type 7 Password Hashing Algorithm
STP Loop Guard Not Enabled
Low OSPF Priorities
Weak User Account Lockout Policy Setting
No OSPF LSA Thresholds
No SNMP TFTP Server Access List Configured
NTP Authentication Was Disabled
The BOOTP Service Was Not Disabled
Weak Password Age Policy Setting
Weak Minimum Password Length Policy Setting
Weak Lowercase Password Character Policy Setting
Weak Uppercase Password Character Policy Setting
Weak Numbers Password Character Policy Setting
Weak Specials Password Character Policy Setting
Switch Port Security Disabled
ICMP Unreachable Messages Were Enabled
CDP Was Enabled
LLDP Was Enabled
Proxy ARP Was Enabled
IP Source Routing Was Enabled
DNS Lookups Were Enabled
No Network Filtering Rules Were Configured
Interfaces Were Configured With No Filtering
ICMP Redirect Messages Were Enabled
PAD Service Enabled
Unrestricted Outbound Administrative Access
No Post Logon Banner Message
Potentially Unused Network Interfaces
Switch Ports Allow Trunking All VLAN
Classless Routing Enabled
Conclusions
Recommendations
Mitigation Classification
NIST NVD
Introduction
CVE-2007-5552
CVE-2020-3426
CVE-2018-0172
CVE-2020-3475
CVE-1999-0293
CVE-2018-0154
CVE-2020-3479
CVE-2022-20726
CVE-2007-5551
CVE-2008-4609
CVE-2008-4963
CVE-2013-5469
CVE-2014-7998
CVE-2007-5548
CVE-2008-5230
CVE-2013-1217
CVE-2013-5522
CVE-2014-3299
CVE-2015-0598
CVE-2013-1241
CVE-2013-6705
CVE-2014-2131
CVE-2014-3273
CVE-2014-7997
CVE-2013-5499
CVE-2013-5527
CVE-2015-0632
CVE-2013-1100
CVE-2000-0486
CVE-2006-3906
CVE-2007-5550
CVE-2013-3436
CVE-2014-3309
CVE-2014-7992
CVE-2015-0659
CVE-2015-0606
CVE-2013-1136
CVE-2007-5547
CVE-2013-5548
CVE-2013-6694
CVE-1999-0524
CVE-2007-5549
Conclusions
Recommendations
CIS - Excluded Devices
Introduction
NIST SP 800-53
Introduction
Access Control [AC]
Audit and Accountability [AU]
Configuration Management (CM)
Contingency Planning (CP)
Identification and Authentication (IA)
Maintenance (MA)
System and Communications Protection (SC)
System and Information Integrity (SI)
Appendix
Protocols
IP Options
Services
Logging Severity Level
OSPF LSA Message Types
Common Time Zones
Abbreviations
Invictux Version

Your Report

This report was produced by Invictux on Wednesday, December 11, 2024. The body of this report contains the following reports:

Best Practice Security;


NIST NVD;
CIS - Excluded Devices;
NIST SP 800-53.

Throughout this report, various text styles, icons and ratings are used to describe aspects of the analysis and of the device
configuration. This section describes those conventions, ratings and icons.
Evaluation Use Only
This report was created using Invictux. Therefore the content of this report cannot be used for anything other than evaluation.

Report Conventions
This report will make use of the text conventions described in Table 10.

Convention | Description
command | This text style represents a device command that should be entered literally.
<user data> | This style of text represents a part of a device command that you should substitute with a relevant value. For example, a command that sets a device's IP address would use this text style in the position where the address should be entered.
[optional] | These enclose a part of a command that should be treated as optional.
{required} | These enclose a part of a command that is required.
| (vertical bar) | This is used to divide options which could be enclosed in either required or optional braces.

Table 10: Report conventions

Compliance Status

Each compliance audit check is given a status that indicates the outcome of the analysis for that audit check. Table 11 describes each
possible status.

Status | Description
Pass | The check has passed all of its required elements. For example, if the check states that the Telnet service should be disabled and it was, then it is marked as passed.
Fail | The check has failed to meet some or all of the requirements. For example, the check may specify that only SSH protocol version 2 must be supported and version 1 was found to be enabled; the result is then marked as a fail.
Investigate | The check requires further investigation to determine whether it is a pass or a fail. For example, a check may state that port security must be enabled on a switch port or that the port must be physically secured. If the configuration does not show port security enabled on the port, the physical security would have to be investigated to determine the check's status, so the check is reported as needing further investigation.
N/A | The check was not applicable to this device. For example, if the check requires HTTP to be disabled but the device does not support HTTP, the check is marked as N/A.

Table 11: Compliance Status

CVSS v2 Ratings
Overview

This audit report includes issues that were rated using the industry-standard CVSS version 2 rating system. CVSS version 2 is
composed of a number of individual metrics which categorise aspects of a vulnerability. These metrics, when
combined using a well-defined formula, result in a score between 0 and 10, with 10 being the most significant.

The CVSS metrics are grouped into three distinct groups: the base metric group, the temporal metric group and the
environmental metric group. Each group of metrics has a formula that results in a score for that group. The base metrics
represent the intrinsic and fundamental characteristics of the vulnerability that are constant over time and across user environments. The
temporal metrics represent the characteristics of a vulnerability that change over time. The environmental metrics
represent the characteristics of a vulnerability that are unique to a specific environment.

Base Metrics

The base metrics score an issue's characteristics that are constant over time and between different environments. Those metrics
and scores are described in more detail in the following sub-sections.

Access Vector (AV)

This metric reflects how the vulnerability is exploited. The possible values are detailed in Table 12.

Score | Description
Local (L) | A vulnerability exploitable with only local access requires the attacker to have either physical access to the vulnerable system or a local (shell) account.
Adjacent Network (A) | A vulnerability exploitable with adjacent network access requires the attacker to have access to either the broadcast or collision domain of the vulnerable software.
Network (N) | A vulnerability exploitable with network access means the vulnerable software is bound to the network stack and the attacker does not require local network access or local access. Such a vulnerability is often termed "remotely exploitable".

Table 12: Access Vector Scoring

Access Complexity (AC)

This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to
the target system. The possible values are detailed in Table 13.

Score | Description
High (H) | Specialized access conditions exist.
Medium (M) | The access conditions are somewhat specialized.
Low (L) | Specialized access conditions or extenuating circumstances do not exist.

Table 13: Access Complexity Scoring


Authentication (Au)

This metric measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. This
metric does not gauge the strength or complexity of the authentication process, only that an attacker is required to provide
credentials before an exploit may occur. The possible values are detailed in Table 14.

Score | Description
Multiple (M) | Exploiting the vulnerability requires that the attacker authenticate two or more times, even if the same credentials are used each time.
Single (S) | The vulnerability requires an attacker to be logged into the system (such as at a command line or via a desktop session or web interface).
None (N) | Authentication is not required to exploit the vulnerability.

Table 14: Authentication Scoring

Confidentiality Impact (C)

This metric measures the impact on confidentiality of a successfully exploited vulnerability. Confidentiality refers to limiting
information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized
ones. The possible values are detailed in Table 15.

Score | Description
None (N) | There is no impact to the confidentiality of the system.
Partial (P) | There is considerable informational disclosure. Access to some system files is possible, but the attacker does not have control over what is obtained, or the scope of the loss is constrained.
Complete (C) | There is total information disclosure, resulting in all system files being revealed. The attacker is able to read all of the system's data (memory, files, etc.).

Table 15: Confidentiality Impact Scoring

Integrity Impact (I)

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and
guaranteed veracity of information. The possible values are detailed in Table 16.

Score | Description
None (N) | There is no impact to the integrity of the system.
Partial (P) | Modification of some system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is limited.
Complete (C) | There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the entire system being compromised. The attacker is able to modify any files on the target system.

Table 16: Integrity Impact Scoring

Availability Impact (A)


This metric measures the impact to availability of a successfully exploited vulnerability. Availability refers to the accessibility of
information resources. Attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a
system. The possible values are detailed in Table 17.

Score | Description
None (N) | There is no impact to the availability of the system.
Partial (P) | There is reduced performance or interruptions in resource availability. An example is a network-based flood attack that permits a limited number of successful connections to an Internet service.
Complete (C) | There is a total shutdown of the affected resource. The attacker can render the resource completely unavailable.

Table 17: Availability Impact Scoring

Temporal Metrics

The threat posed by a vulnerability may change over time. Three such factors that CVSS captures are: confirmation of the technical
details of a vulnerability, the remediation status of the vulnerability, and the availability of exploit code or techniques. Since
temporal metrics are optional they each include a metric value that has no effect on the score. Those metrics and scores are
described in more detail in the following sub-sections.

Exploitability (E)

This metric measures the current state of exploit techniques or code availability. Public availability of easy-to-use exploit code
increases the number of potential attackers by including those who are unskilled, thereby increasing the severity of the
vulnerability. The possible values are detailed in Table 18.

Score | Description
Unproven (U) | No exploit code is available, or an exploit is entirely theoretical.
Proof-of-Concept (POC) | Proof-of-concept exploit code or an attack demonstration that is not practical for most systems is available. The code or technique is not functional in all situations and may require substantial modification by a skilled attacker.
Functional (F) | Functional exploit code is available. The code works in most situations where the vulnerability exists.
High (H) | Either the vulnerability is exploitable by functional mobile autonomous code, or no exploit is required (manual trigger) and details are widely available. The code works in every situation, or is actively being delivered via a mobile autonomous agent (such as a worm or virus).
Not Defined (ND) | Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric.

Table 18: Exploitability Scoring

Remediation Level (RL)

The remediation level of a vulnerability is an important factor for prioritization. The typical vulnerability is unpatched when
initially published. Workarounds or hotfixes may offer interim remediation until an official patch or upgrade is issued. Each of
these respective stages adjusts the temporal score downwards, reflecting the decreasing urgency as remediation becomes
final. The possible values are detailed in Table 19.

Score | Description
Official Fix (OF) | A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available.
Temporary Fix (TF) | There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool, or workaround.
Workaround (W) | There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate the vulnerability.
Unavailable (U) | There is either no solution available or it is impossible to apply.
Not Defined (ND) | Assigning this value to the metric will not influence the score.

Table 19: Remediation Level Scoring

Report Confidence (RC)

This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical
details. Sometimes, only the existence of vulnerabilities are publicized, but without specific details. The vulnerability may later
be corroborated and then confirmed through acknowledgement by the author or vendor of the affected technology. The
urgency of a vulnerability is higher when a vulnerability is known to exist with certainty. This metric also suggests the level of
technical knowledge available to would-be attackers. The possible values are detailed in Table 20.

Score | Description
Unconfirmed (UC) | There is a single unconfirmed source or possibly multiple conflicting reports. There is little confidence in the validity of the reports.
Uncorroborated (UR) | There are multiple non-official sources, possibly including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity.
Confirmed (C) | The vulnerability has been acknowledged by the vendor or author of the affected technology. The vulnerability may also be Confirmed when its existence is confirmed from an external event such as publication of functional or proof-of-concept exploit code or widespread exploitation.
Not Defined (ND) | Assigning this value to the metric will not influence the score.

Table 20: Report Confidence Scoring

Environmental Metrics

Different environments can have an immense bearing on the risk that a vulnerability poses to an organization and its
stakeholders. The CVSS environmental metric group captures the characteristics of a vulnerability that are associated with a user's
IT environment. Since environmental metrics are optional they each include a metric value that has no effect on the score. Those
metrics and scores are described in more detail in the following sub-sections.

Collateral Damage Potential (CDP)


This metric measures the potential for loss of life or physical assets through damage or theft of property or equipment. The
metric may also measure economic loss of productivity or revenue. The possible values are detailed in Table 21.

Score | Description
None (N) | There is no potential for loss of life, physical assets, productivity or revenue.
Low (L) | A successful exploit of this vulnerability may result in slight physical or property damage. Or, there may be a slight loss of revenue or productivity to the organization.
Low-Medium (LM) | A successful exploit of this vulnerability may result in moderate physical or property damage. Or, there may be a moderate loss of revenue or productivity to the organization.
Medium-High (MH) | A successful exploit of this vulnerability may result in significant physical or property damage or loss. Or, there may be a significant loss of revenue or productivity.
High (H) | A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. Or, there may be a catastrophic loss of revenue or productivity.
Not Defined (ND) | Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric.

Table 21: Collateral Damage Potential Scoring

Target Distribution (TD)

This metric measures the proportion of vulnerable systems. It is meant as an environment-specific indicator in order to
approximate the percentage of systems that could be affected by the vulnerability. The possible values are detailed in Table 22.

Score | Description
None (N) | No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk.
Low (L) | Targets exist inside the environment, but on a small scale. Between 1% and 25% of the total environment is at risk.
Medium (M) | Targets exist inside the environment, but on a medium scale. Between 26% and 75% of the total environment is at risk.
High (H) | Targets exist inside the environment on a considerable scale. Between 76% and 100% of the total environment is considered at risk.
Not Defined (ND) | Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric.

Table 22: Target Distribution Scoring

Security Requirements (CR, IR, AR)

These metrics enable customization of the CVSS score depending on the importance of the affected IT asset to a user's
organization, measured in terms of confidentiality, integrity, and availability. That is, if an IT asset supports a business function
for which availability is most important, the analyst can assign a greater value to availability, relative to confidentiality and
integrity. Each security requirement has three possible values, low, medium or high, plus Not Defined. The possible values are
detailed in Table 23.

Score | Description
Low (L) | Loss of [confidentiality / integrity / availability] is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).
Medium (M) | Loss of [confidentiality / integrity / availability] is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).
High (H) | Loss of [confidentiality / integrity / availability] is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).
Not Defined (ND) | Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric.

Table 23: Security Requirements Scoring

Scoring and Rating

The CVSS v2 base equation produces a score between 0 and 10. If temporal and environmental metrics are specified, the
temporal and environmental equations adjust that score further, but the result always stays on the same scale, where 10
represents the most significant issues and 0 the least.

CVSS v3 introduced the qualitative severity rating scale in Table 24, which maps a score to a named rating. This report applies
that mapping to every CVSS score, including CVSS v2 scores, so that all ratings use the same names. Note that NVD's own
severity bands for CVSS v2 differ (Low 0.0 to 3.9, Medium 4.0 to 6.9, High 7.0 to 10.0, with no Critical band), so a v2 score of
9.0 or above is labelled Critical here but High in NVD.

CVSS Score | Rating
9.0 - 10.0 | Critical
7.0 - 8.9 | High
4.0 - 6.9 | Medium
0.1 - 3.9 | Low
0 | None

Table 24: CVSS qualitative severity rating scale

Further information on the CVSS rating systems and their formulas can be found at https://www.first.org.

CVSS v3.1 Ratings

Overview

This audit report includes issues that were rated using the industry-standard CVSS version 3.1 rating system. CVSS version 3.1
is composed of a number of individual metrics which categorise aspects of a vulnerability. These metrics, when
combined using a well-defined formula, result in a score between 0 and 10, with 10 being the most significant.

The CVSS metrics are grouped into three distinct groups: the base metric group, the temporal metric group and the
environmental metric group. Each group of metrics has a formula that results in a score for that group. The base metrics
represent the intrinsic and fundamental characteristics of the vulnerability that are constant over time and across user environments. The
temporal metrics represent the characteristics of a vulnerability that change over time. The environmental metrics
represent the characteristics of a vulnerability that are unique to a specific environment.
Base Metrics

The Base metric group represents the intrinsic characteristics of a vulnerability that are constant over time and across user
environments. It is composed of two sets of metrics: the Exploitability metrics and the Impact metrics.

The Exploitability metrics reflect the ease and technical means by which the vulnerability can be exploited. That is, they represent
characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component. The Impact metrics reflect
the direct consequence of a successful exploit, and represent the consequence to the thing that suffers the impact, which we refer
to formally as the impacted component.

Exploitability Metrics - Attack Vector (AV)

This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the Base
Score) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable
component.

The possible Attack Vector (AV) values are detailed in Table 25.

Value | Description
Network (N) | The vulnerable component is bound to the network stack, up to and including the entire Internet. Such a vulnerability is often termed "remotely exploitable" and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers).
Adjacent (A) | The vulnerable component is bound to the network stack, but the attack is limited at the protocol level to a logically adjacent topology.
Local (L) | The vulnerable component is not bound to the network stack and the attacker's path is via read/write/execute capabilities.
Physical (P) | The attack requires the attacker to physically touch or manipulate the vulnerable component.

Table 25: Attack Vector

Exploitability Metrics - Attack Complexity (AC)

This metric describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability.

The possible Attack Complexity (AC) values are detailed in Table 26.

Value Description

Low (L) Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component.

High (H) A successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected.

Table 26: Attack Complexity


Exploitability Metrics - Privileges Required (PR)

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. The Base
Score is greatest if no privileges are required.

The possible Privileges Required (PR) values are detailed in Table 27.

Value Description

None (N) The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.

Low (L) The attacker requires privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.

High (H) The attacker requires privileges that provide significant (e.g., administrative) control over the vulnerable component allowing access to component-wide settings and files.

Table 27: Privileges Required

Exploitability Metrics - User Interaction (UI)

This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of
the vulnerable component. This metric determines whether the vulnerability can be exploited solely at the will of the attacker,
or whether a separate user (or user-initiated process) must participate in some manner. The Base Score is greatest when no
user interaction is required.

The possible User Interaction (UI) values are detailed in Table 28.

Value Description

None (N) The vulnerable system can be exploited without interaction from any user.

Required (R) Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited.

Table 28: User Interaction

Scope (S)

The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its
security scope. The possible Scope (S) values are detailed in Table 29.

Value Description

Unchanged (U) An exploited vulnerability can only affect resources managed by the same security authority. In this case, the vulnerable component and the impacted component are either the same, or both are managed by the same security authority.

Changed (C) An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.

Table 29: Scope

Impact Metrics - Confidentiality (C)

This metric measures the impact to the confidentiality of the information resources managed by a software component due to
a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized
users, as well as preventing access by, or disclosure to, unauthorized ones. The Base Score is greatest when the loss to the
impacted component is highest.

The possible Confidentiality (C) values are detailed in Table 30.

Value Description

High (H) There is a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact.

Low (L) There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the impacted component.

None (N) There is no loss of confidentiality within the impacted component.

Table 30: Confidentiality

Impact Metrics - Integrity (I)

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and
veracity of information. The Base Score is greatest when the consequence to the impacted component is highest.

The possible Integrity (I) values are detailed in Table 31.

Value Description

High (H) There is a total loss of integrity, or a complete loss of protection. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component.

Low (L) Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact on the impacted component.

None (N) There is no loss of integrity within the impacted component.

Table 31: Integrity

Impact Metrics - Availability (A)

This metric measures the impact to the availability of the impacted component resulting from a successfully exploited
vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g.,
information, files) used by the impacted component, this metric refers to the loss of availability of the impacted component
itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information
resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of an impacted
component. The Base Score is greatest when the consequence to the impacted component is highest.

The possible Availability (A) values are detailed in Table 32.

Value Description

High (H) There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks only a small amount of memory, but after repeated exploitation causes a service to become completely unavailable).

Low (L) Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the impacted component are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the impacted component.

None (N) There is no impact to availability within the impacted component.

Table 32: Availability

Temporal Metrics

The Temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or
workarounds, or the confidence in the description of a vulnerability.

Exploit Code Maturity (E)

This metric measures the likelihood of the vulnerability being attacked, and is typically based on the current state of exploit
techniques, exploit code availability, or active, “in-the-wild” exploitation. Public availability of easy-to-use exploit code
increases the number of potential attackers by including those who are unskilled, thereby increasing the severity of the
vulnerability.

The possible Exploit Code Maturity (E) values are detailed in Table 33.

Value Description

Not Defined (X) Assigning this value indicates there is insufficient information to choose one of the other values, and has no impact on the overall Temporal Score, i.e., it has the same effect on scoring as assigning High.

High (H) Functional autonomous code exists, or no exploit is required (manual trigger) and details are widely available. Exploit code works in every situation, or is actively being delivered via an autonomous agent (such as a worm or virus). Network-connected systems are likely to encounter scanning or exploitation attempts. Exploit development has reached the level of reliable, widely available, easy-to-use automated tools.

Functional (F) Functional exploit code is available. The code works in most situations where the vulnerability exists.

Proof-of-Concept (P) Proof-of-concept exploit code is available, or an attack demonstration is not practical for most systems. The code or technique is not functional in all situations and may require substantial modification by a skilled attacker.

Unproven (U) No exploit code is available, or an exploit is theoretical.

Table 33: Exploit Code Maturity

Remediation Level (RL)

The Remediation Level of a vulnerability is an important factor for prioritization. The typical vulnerability is unpatched when
initially published. Workarounds or hotfixes may offer interim remediation until an official patch or upgrade is issued. Each of
these respective stages adjusts the Temporal Score downwards, reflecting the decreasing urgency as remediation becomes
final.

The possible Remediation Level (RL) values are detailed in Table 34.

Value Description

Not Defined (X) Assigning this value indicates there is insufficient information to choose one of the other values, and has no impact on the overall Temporal Score, i.e., it has the same effect on scoring as assigning Unavailable.

Unavailable (U) There is either no solution available or it is impossible to apply.

Workaround (W) There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate the vulnerability.

Temporary Fix (T) There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool, or workaround.

Official Fix (O) A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available.

Table 34: Remediation Level

Report Confidence (RC)

This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical
details. Sometimes only the existence of vulnerabilities is publicized, but without specific details.

The possible Report Confidence (RC) values are detailed in Table 35.

Value Description

Not Defined (X) Assigning this value indicates there is insufficient information to choose one of the other values, and has no impact on the overall Temporal Score, i.e., it has the same effect on scoring as assigning Confirmed.

Confirmed (C) Detailed reports exist, or functional reproduction is possible (functional exploits may provide this). Source code is available to independently verify the assertions of the research, or the author or vendor of the affected code has confirmed the presence of the vulnerability.

Reasonable (R) Significant details are published, but researchers either do not have full confidence in the root cause, or do not have access to source code to fully confirm all of the interactions that may lead to the result. Reasonable confidence exists, however, that the bug is reproducible and at least one impact is able to be verified (proof-of-concept exploits may provide this). An example is a detailed write-up of research into a vulnerability with an explanation (possibly obfuscated or “left as an exercise to the reader”) that gives assurances on how to reproduce the results.

Unknown (U) There are reports of impacts that indicate a vulnerability is present. The reports indicate that the cause of the vulnerability is unknown, or reports may differ on the cause or impacts of the vulnerability. Reporters are uncertain of the true nature of the vulnerability, and there is little confidence in the validity of the reports or whether a static Base Score can be applied given the differences described.

Table 35: Report Confidence

Environmental Metrics

These metrics enable the customization of the CVSS score depending on the importance of the affected IT asset to a user’s
organization, measured in terms of complementary/alternative security controls in place, Confidentiality, Integrity, and Availability.
The metrics are the modified equivalent of Base metrics and are assigned values based on the component placement within
organizational infrastructure.

Security Requirements (CR, IR, AR)

These metrics enable the customization of the CVSS score depending on the importance of the affected IT asset to a user’s
organization, measured in terms of Confidentiality, Integrity, and Availability. That is, if an IT asset supports a business function
for which Availability is most important, a greater value can be given to Availability relative to Confidentiality and Integrity.

The possible Security Requirements (CR, IR, AR) values are detailed in Table 36.

Value Description

Not Defined (X) Assigning this value indicates there is insufficient information to choose one of the other values, and has no impact on the overall Environmental Score, i.e., it has the same effect on scoring as assigning Medium.

High (H) Loss of [Confidentiality | Integrity | Availability] is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).

Medium (M) Loss of [Confidentiality | Integrity | Availability] is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).

Low (L) Loss of [Confidentiality | Integrity | Availability] is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).

Table 36: Security Requirements

Modified Base Metrics

These metrics enable the overriding of the individual Base metrics based on specific characteristics of a user’s environment.
Characteristics that affect Exploitability, Scope, or Impact can be reflected via an appropriately modified Environmental Score.
These environmental metrics have the same values as their corresponding Base Metric (see Base Metrics above), as well as Not
Defined (the default). These modified metrics are listed below.

Modified Attack Vector (MAV);
Modified Attack Complexity (MAC);
Modified Privileges Required (MPR);
Modified User Interaction (MUI);
Modified Scope (MS);
Modified Confidentiality (MC);
Modified Integrity (MI);
Modified Availability (MA).

Scoring and Rating

The CVSS v3.1 calculations result in a score between 0 and 10. If temporal metrics and environmental metrics are specified, then
further calculations are performed; the result is still a score where 10 represents the most significant issues and 0 the least.

CVSS v3.1 provides a qualitative severity rating mapping that maps the score to a rating.

CVSS Score Rating

9.0 - 10.0 Critical

7.0 - 8.9 High

4.0 - 6.9 Medium

0.1 - 3.9 Low

0 None

Table 37: CVSS qualitative severity rating scale

Further information on the CVSS v3.1 rating system and formula can be found at https://www.first.org.

DISA STIG Ratings


Severity Category Codes (referred to as CAT) are a measure of vulnerabilities used to assess a facility or system security posture. The
DISA STIG category codes are specified against each guidance check based on guidelines outlined in Table 38.

Rating DISA Category Code Guidelines

CAT I Any vulnerability, the exploitation of which will directly and immediately result in loss of Confidentiality, Availability, or Integrity.

CAT II Any vulnerability, the exploitation of which has a potential to result in loss of Confidentiality, Availability, or Integrity.

CAT III Any vulnerability, the existence of which degrades measures to protect against loss of Confidentiality, Availability, or Integrity.

Table 38: STIG Vulnerability Severity Category Code Definitions

Invictux Ratings

Each finding identified and scored using the Invictux rating system is rated against both the impact of the finding and how easy it
would be for an attacker to exploit. The fix rating provides a guide to the effort required to resolve the finding. The overall rating for
the finding is calculated based on the finding's impact and ease ratings.

Impact Rating

A finding's impact rating is determined using the criteria outlined in Table 39.

Rating Description

Critical These findings can pose a very significant security risk. The findings that have a critical impact are typically those that would allow an attacker to gain full administrative access to the device. For a firewall device, allowing all traffic to pass through the device unfiltered would receive this rating as filtering traffic to protect other devices is the primary purpose of a firewall.

High These findings pose a significant risk to security, but have some limitations on the extent to which they can be abused. User level access to a device and a DoS vulnerability in a critical service would fall into this category. A firewall device that allowed significant unfiltered access, such as allowing entire subnets through or not filtering in all directions, would fall into this category. A router that allows significant modification of its routing configuration would also fall into this category.

Medium These findings have significant limitations on the direct impact they can cause. Typically, these findings would include significant information leakage findings, less significant DoS findings or those that provide significantly limited access. An SNMP service that is secured with a default or a dictionary-based community string would typically fall into this rating, as would a firewall that allows unfiltered access to a range of services on a device.

Low These findings represent a low level security risk. A typical finding would involve information leakage that could be useful to an attacker, such as a list of users or version details. A non-firewall device that was configured with weak network filtering would fall into this category.

Informational These findings represent a very low level of security risk. These findings include minor information leakage, unnecessary services or legacy protocols that present no real risk to security.

Table 39: The impact rating

Ease Rating

A finding's ease rating is determined using the criteria outlined in Table 40.

Rating Description

Trivial The finding requires little-to-no knowledge on behalf of an attacker and can be exploited using standard operating system tools. A firewall device which had a network filtering configuration that enables traffic to pass through would fall into this category.

Easy The finding requires some knowledge for an attacker to exploit, which could be performed using standard operating system tools or tools downloaded from the Internet. An administrative service without or with a default password would fall into this category, as would a simple software vulnerability exploit.

Moderate The finding requires specific knowledge on behalf of an attacker. The finding could be exploited using a combination of operating system tools or publicly available tools downloaded from the Internet.

Challenging A security finding that falls into this category would require significant effort and knowledge on behalf of the attacker. The attacker may require specific physical access to resources or to the network infrastructure in order to successfully exploit the vulnerability. Furthermore, a combination of attacks may be required.

Table 40: The ease rating

Fix Rating

A finding's fix rating is determined using the criteria outlined in Table 41.

Rating Description

Involved The resolution of the finding will require significant resources to resolve and is likely to include disruption to network services, and possibly the modification of other network device configurations. The finding could involve upgrading a device's OS and possible modifications to the hardware.

Planned The finding resolution involves planning, testing and could cause some disruption to services. This finding could involve changes to routing protocols and changes to network filtering.

Quick The finding is quick to resolve. Typically this would just involve changing a small number of settings and would have little-to-no effect on network services.

Table 41: The fix rating

Notes

It is worth noting that Invictux is unable to provide an accurate risk assessment due to a lack of contextual information. For
example, in the case where highly sensitive information is processed, a Denial of Service (DoS) vulnerability poses less of a risk
than the integrity of the data or an attacker gaining access to it. Similarly, for a situation where up-time is critical, a DoS
vulnerability could be more important than the leakage of sensitive information. Therefore the ratings provided by Invictux are
only intended to be a guide to a finding's significance.

Network Filtering Actions


This report includes a number of network filter rules. Table 42 describes the filter rule actions used within the report.

Action Description

Table 42: Network filtering actions

Network Filter Objects


This report details the type of network objects used within the filter rules. Table 43 describes the object types used within the report.

Object Description

Describes a single IPv4 or IPv6 address.

Specific IPv4 or IPv6 network address.

Table 43: Network filter objects


Best Practice Security

Introduction

Invictux performed a best practice security audit on Wednesday, December 11, 2024 of the device detailed in Table 44.

Device Name OS

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local IOS 17.9

Table 44: Best practice security audit device list

Security Issue Findings

Each security issue identified by Invictux is described with a finding, the impact of the issue, how easy it would be for an attacker
to exploit the issue and a recommendation.

Issue Finding

The issue finding describes what Invictux identified during the best practice security audit. Typically, the finding will include
background information on the relevant configuration settings prior to describing what was found.

Issue Impact

The issue impact describes what an attacker could achieve from exploiting the finding. However, it is worth noting that the
impact of an issue can often be influenced by other configuration settings, which could heighten or partially mitigate the issue.
For example, a weak password could be partially mitigated if the access gained from using it is restricted in some way.

Issue Ease

The issue ease describes the knowledge, skill, level of access and time scales that would be required by an attacker in order to
exploit an issue. The issue ease will describe, where relevant, if any Open Source or commercially available tools could be used
to exploit an issue.

Issue Recommendation

Each issue includes a recommendation section which describes the steps that Invictux recommends should be taken in order
to mitigate the issue. The recommendation includes, where relevant, the commands that can be used to resolve the issue.

Unicast RPF Verification Was Disabled HIGH


Invictux Rating

Overall: High
Impact: High
Ease: Trivial
Fix: Quick

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Finding

To help prevent IP spoofing attacks, network filtering rules are typically configured to perform sanity checks on network
traffic and ensure that traffic being routed through the network originates from a valid IP address. These checks are typically
configured to ensure that traffic from an IP address on an internal interface is not allowed in from an outside interface. However,
new networks can be created or removed, which adds to the maintenance of the anti-spoofing rules on a device. Also, the
greater the number of network filtering rules configured on a device, the greater the impact on the device's performance.

Unicast Reverse Path Forwarding (RPF) verification enables sanity checks on network traffic without the administration and
performance impact of adding additional network filter rules. Furthermore, unicast RPF verification will dynamically adapt to
changes in the network topology.

Invictux examined the device configuration to determine if the threat protection feature "Unicast Reverse Path Forward" had been
configured to protect against the threat.

JED-DC-CORE-SW.catrion.local Findings

Invictux identified the following threat protection configuration on JED-DC-CORE-SW.catrion.local:

Feature: Unicast RPF
Description: Unicast Reverse Path Forwarding anti-spoofing protection verifies that the IPv4 source address can be reached on the appropriate interface, discarding packets with an invalid address.
State: Disabled. The feature is disabled on each of the following interfaces: GigabitEthernet0/0, Vlan1, Vlan2, Vlan99, Vlan106, Vlan276, Vlan302, Vlan306, Vlan308, Vlan310, Vlan312, Vlan313, Vlan314, Vlan316, Vlan317, Vlan728, Vlan729, Vlan730, Vlan1800, Vlan874, Vlan870, Vlan862, Vlan3, Vlan5, Vlan6, Vlan7, Vlan8, Vlan9, Vlan10, Vlan11, Vlan12, Vlan13, Vlan14, Vlan15, Vlan16, Vlan17, Vlan18, Vlan19, Vlan20.

Table 45: Threat detection configuration

Impact

If unicast RPF verification is not enabled and no anti-spoofing network filtering is configured, an attacker would be able to route
network packets using a spoofed source address.

Ease

For an attacker to perform a spoofing attack, they would have to be aware of the address range used on a device's other
interfaces. This could be made more difficult if anti-spoofing network filtering has been configured. However, a manual
configuration of anti-spoofing filter rules could leave out Internet network address ranges and may become out of date with
changes to the network topology. To make things easier for an attacker, tools can be downloaded from the Internet that can
perform an IP spoofing attack.

Recommendation

Invictux recommends that the unicast RPF verification feature should be enabled to help prevent IP spoofing attacks.

Additional Information

TID: TNA-IPS-0026

STP Not Enabled On All Interfaces HIGH

Invictux Rating

Overall: High
Impact: High
Ease: Easy
Fix: Quick

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Finding

The Spanning Tree Protocol (STP) is used to help prevent network loops, which can cause significant network disruption. When a
loop is detected, STP can automatically perform an action, such as blocking a network interface, in order to prevent networking
issues caused by a loop. STP was originally standardized in the Institute of Electrical and Electronics Engineers (IEEE) 802.1D and
has since evolved into other standards such as RSTP.

STP makes use of Bridge Protocol Data Unit (BPDU) network packets to send information about the network root bridges, link
priorities, topology updates and more. However, STP does not implement any authentication or encryption of this data. Most STP
capable switches have added the following security features:
BPDU Guard - Protects against changes to network topology, root bridges and more
Root Guard - Prevents a port from becoming a root bridge
Loop Guard - Prevents a hardware/software failure from causing a network loop
TCN Guard - Protects against topology changes

Different devices provide different mechanisms for enabling and managing STP. Some devices enable STP centrally for the whole
device, whilst on others STP is enabled on individual network interfaces.

Invictux examined the device configuration to determine if STP was enabled on network interfaces.

JED-DC-CORE-SW.catrion.local Findings

Invictux identified one network interface that did not have STP enabled on JED-DC-CORE-SW.catrion.local. This interface is
detailed in the table below.

Interface Active STP Port Fast BPDU Guard BPDU Filter Root Guard Loop Guard Description

Loopback0 Yes Off N/A N/A N/A N/A N/A

Table 46: Interfaces with STP disabled on JED-DC-CORE-SW.catrion.local

Invictux identified 4121 network interfaces with STP enabled on JED-DC-CORE-SW.catrion.local. These interfaces are detailed
in the table below.

Interface Active STP Port Fast BPDU Guard BPDU Filter Root Guard Loop Guard Description

Table 47: STP interface status on JED-DC-CORE-SW.catrion.local

Impact

STP is designed to prevent loops in network topology where switches are interconnected. With no STP configured, an attacker
could perform a network DoS by flooding the network with traffic to unknown Media Access Control (MAC) addresses.

Ease

Tools are available on the Internet that could be used by an attacker to perform the type of network attacks that STP is designed
to prevent.

Recommendation

Invictux recommends that STP should be configured to help prevent network loops. Furthermore, Invictux recommends
that BPDU Guard, or filtering, should be configured on all non-bridging ports. On bridging ports, Invictux recommends that
Loop Guard and Root Guard should be configured.

Additional Information

TID: TNA-PRO-0016
IEEE: IEEE 802.1D, IEEE 802.1w and IEEE 802.1s
Wikipedia: https://en.wikipedia.org/wiki/Spanning_Tree_Protocol

The following findings are related to this one:

STP BPDU Guard Was Not Enabled (see section TNA-PRO-0015);
STP Root Guard Not Enabled (see section TNA-PRO-0019);
STP Loop Guard Not Enabled (see section TNA-PRO-0017).

STP BPDU Guard Was Not Enabled HIGH

Invictux Rating

Overall: High
Impact: High
Ease: Easy
Fix: Quick

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Finding

The STP is used to help prevent network loops, which can cause significant network disruption. When a loop is detected, STP can
automatically perform an action, such as blocking a network interface, in order to prevent networking issues caused by a loop.
STP was originally standardized in the IEEE 802.1D and has since evolved into other standards such as RSTP.

STP makes use of BPDU network packets to send information about the network root bridges, link priorities, topology updates
and more. However, STP does not implement any authentication or encryption of this data. Therefore, additional features, such as
BPDU Guard, have been added by most device manufacturers in order to provide a better level of security. The BPDU Guard
feature will disable a port which receives a BPDU in order to prevent unauthorized ports from participating in STP and receiving
malicious updates.

Invictux examined the device configuration to determine if the STP BPDU Guard option was enabled.

JED-DC-CORE-SW.catrion.local Findings

Invictux determined that the STP BPDU Guard was disabled on JED-DC-CORE-SW.catrion.local.

Impact

Because STP does not provide any authentication or encryption, an attacker could inject a malicious BPDU which would force a
topology update. This attack could enable an attacker to perform a network DoS or a Man-In-The-Middle (MITM) attack and
capture potentially sensitive information.

Ease

Tools are available on the Internet that would enable an attacker to inject malicious STP BPDU packets. Although the attacker
would need to be connected to the network, they would not require any specialist knowledge.

Recommendation

Invictux recommends that the BPDU Guard feature should be enabled device-wide and on all non-bridging network
interfaces, such as those directly connected to servers, workstations and printers.

Additional Information

TID: TNA-PRO-0015
IEEE: IEEE 802.1D, IEEE 802.1w and IEEE 802.1s
Wikipedia: https://en.wikipedia.org/wiki/Spanning_Tree_Protocol

The following findings are related to this one:

STP Not Enabled On All Interfaces (see section TNA-PRO-0016);
STP Root Guard Not Enabled (see section TNA-PRO-0019);
STP Loop Guard Not Enabled (see section TNA-PRO-0017).

STP Root Guard Not Enabled HIGH

Invictux Rating

Overall: High
Impact: High
Ease: Easy
Fix: Quick

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Finding

STP is used to help prevent network loops, which can cause significant network disruption. When a loop is detected, STP can
automatically perform an action, such as blocking a network interface, in order to prevent networking issues caused by a loop.
STP was originally standardized in IEEE 802.1D and has since evolved into other standards such as RSTP.

STP makes use of BPDU network packets to send information about the network root bridges, link priorities, topology updates
and more. However, STP does not implement any authentication or encryption of this data. When Root Guard is enabled on a port
and a superior BPDU is received, the port is disabled to help prevent a change to the root bridge. Depending on the type of
device, it can be possible for a port to become active once more when superior BPDUs are no longer being received on the
disabled port.

Invictux examined the device configuration to determine if STP Root Guard was enabled on STP network interfaces.

JED-DC-CORE-SW.catrion.local Findings

Invictux identified 4120 network interfaces that did not have STP Root Guard enabled on JED-DC-CORE-SW.catrion.local.
Those interfaces are detailed in the table below.

Interface Active STP Port Fast BPDU Guard BPDU Filter Root Guard Loop Guard Description

Port-channel2 Yes On Off Off Off Off Off --- Uplink Port - Sophos Perimeter FW2 ---
Port-channel3 Yes On Off Off Off Off Off --- Uplink Port - Sophos B2B (XGS 2100) FW1 ---
Port-channel4 Yes On Off Off Off Off Off --- Uplink Port - Sophos B2B (XGS 2100) FW2 ---
Port-channel5 Yes On Off Off Off Off Off --- Uplink Port - Sophos Primary FW1 XGS 4500 ---
Port-channel6 Yes On Off Off Off Off Off --- Uplink Port - Sophos Primary FW1 XGS 4500 ---
Port-channel7 Yes On Off Off Off Off Off --- Uplink Port - Sophos Primary FW2 XGS 4500 ---
Port-channel8 Yes On Off Off Off Off Off --- Uplink Port - Sophos Primary FW2 XGS 4500 ---
Port-channel9 Yes On Off Off Off Off Off --- Uplink Port - Sophos B2B (XGS 2100) FW1 ---
Port-channel10 Yes On Off Off Off Off Off --- Uplink Port - Sophos B2B (XGS 2100) FW2 ---
Port-channel11 Yes On Off Off Off Off Off --- Connected to NAC-EM-(Enterprise-Manager) ---
Port-channel12 Yes On Off Off Off Off Off --- Connected to nac-jed-SPAN ---
Port-channel13 Yes On Off Off Off Off Off --- Connected to nac-jed ---
Port-channel14 Yes On Off Off Off Off Off --- Connected to LAN-870-Infra-SIEM-Server-1 ---
Port-channel15 Yes On Off Off Off Off Off --- Connected to LAN-870-Infra-SIEM-Server-2 ---
Port-channel16 Yes On Off Off Off Off Off --- Connected to LAN-870-Infra-SIEM-Server-3 ---
Port-channel17 Yes On Off Off Off Off Off --- Connected to JED-SIEMXM1 ---
Port-channel18 Yes On Off Off Off Off Off --- Connected to jed-siempdih1 ---
Port-channel19 Yes On Off Off Off Off Off --- Connected to Aruba-Controller-1 ---
Port-channel20 Yes On Off Off Off Off Off --- Connected to Aruba-Controller-2 ---
Port-channel21 Yes On Off Off Off Off Off --- Connected to Aruba-Controller-3 ---
Port-channel22 Yes On Off Off Off Off Off --- Connected to Aruba-Conductor ---
Port-channel25 Yes On Off Off Off Off Off --- Connected to Jed-CS-MISC ---
Port-channel26 Yes On Off Off Off Off Off --- Connected to WAN-Server ---
Port-channel27 Yes On Off Off Off Off Off --- Connected to JEDGIGMON ---
Port-channel28 Yes On Off Off Off Off Off --- Core Switch Extension Catalyst 9200L 24-port PoE+ x 2 for system with 1GB-TX interface ---
Port-channel30 Yes On Off Off Off Off Off --- Connected to JED-CORE-MGM-SW1 ---
Port-channel31 Yes On Off Off Off Off Off --- Connected to JED-DC-ISP-SW ---
Port-channel100 Yes On Off Off Off Off Off --- Uplink Port - Distribution Switch ---
Port-channel101 Yes On Off Off Off Off Off --- Uplink Port - Service Switch ---
Vlan1 Yes On Off Off Off Off Off
Vlan2 Yes On Off Off Off Off Off --- Network-102 ---
Vlan99 Yes On Off Off Off Off Off --- Network-99 ---
Vlan106 Yes On Off Off Off Off Off
Vlan276 Yes On Off Off Off Off Off --- LAN-276-Infra-ArubaNetwork ---
Vlan302 Yes On Off Off Off Off Off --- WiFi_SACC_IPPhone ---
Vlan306 Yes On Off Off Off Off Off --- WiFi_SACC_CEO ---
Vlan308 Yes On Off Off Off Off Off --- WiFi_SACC_Executives ---
Vlan310 Yes On Off Off Off Off Off --- WiFi_SACC_System ---
Vlan312 Yes On Off Off Off Off Off --- WiFi_SACC_Guest ---
Vlan313 Yes On Off Off Off Off Off --- WiFi_SACC_IT-VIPGuest ---
Vlan314 Yes On Off Off Off Off Off --- WiFi_Alfursan ---
Vlan316 Yes On Off Off Off Off Off --- WiFi_Airfi ---
Vlan317 Yes On Off Off Off Off Off --- Wifi_TMS ---
Vlan728 Yes On Off Off Off Off Off
Vlan729 Yes On Off Off Off Off Off ---Point to Point to Primary-FW-for-USER-VRF ---
Vlan730 Yes On Off Off Off Off Off ---Point to Point to Primary-FW-for-WIFI-VRF ---
Vlan1800 Yes On Off Off Off Off Off ---Point to Point to Distribution-SW-for-USER-VRF ---
Vlan874 Yes On Off Off Off Off Off
Vlan870 Yes On Off Off Off Off Off
Vlan862 Yes On Off Off Off Off Off

Table 48: Interfaces with STP Root Guard disabled on JED-DC-CORE-SW.catrion.local

Invictux identified one network interface that either had STP Root Guard enabled or was not using STP on
JED-DC-CORE-SW.catrion.local. This interface is detailed in the table below.

Interface Active STP Port Fast BPDU Guard BPDU Filter Root Guard Loop Guard Description

Loopback0 Yes Off N/A N/A N/A N/A N/A

Table 49: STP Root Guard interface status on JED-DC-CORE-SW.catrion.local

Impact

Because STP does not provide any authentication or encryption, an attacker could inject a malicious STP packet with a superior
BPDU in order to become the root bridge. This attack could enable an attacker to perform a network DoS or a MITM attack and
capture potentially sensitive information.

Ease

Tools are available on the Internet that would enable an attacker to inject malicious STP BPDU packets. Although the attacker
would need to be connected to the network, they would not require any specialist knowledge.

Recommendation

Invictux recommends that the STP Root Guard feature should be enabled on all bridging network interfaces.
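The three STP findings above describe what BPDU Guard and Root Guard do with a received BPDU but never show the decision itself. The following Python program, added here as an example and not part of the Invictux report or of any Nipper output, parses raw 802.1D configuration BPDUs (the bytes that follow the 802.2 LLC header) and applies those semantics to a set of ports: a port with BPDU Guard is err-disabled by any BPDU, a port with Root Guard refuses a "superior" BPDU (one advertising a lower root bridge ID than the current root) while an unguarded port would let the advertised bridge take over as root. The two frames, the port names (Twe1/0/10, Po100 and so on), the root bridge ID and the MAC addresses are all constructed sample data.

```python
"""Decide what a guarded or unguarded port does with a received BPDU.

Added example (not from the Invictux report): parses 802.1D configuration
BPDUs and applies BPDU Guard / Root Guard semantics. All frames, port names
and bridge IDs below are constructed sample data.
"""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Bpdu:
    version: int          # 0 = STP, 2 = RSTP, 3 = MSTP
    bpdu_type: int        # 0x00 configuration, 0x02 RSTP, 0x80 TCN
    root_priority: int    # 2-byte priority field (priority + system-ID extension)
    root_mac: str
    root_path_cost: int
    bridge_priority: int
    bridge_mac: str
    port_id: int


def parse_bpdu(payload: bytes) -> Bpdu:
    """Parse the 35-byte configuration BPDU body; raise ValueError on anything else."""
    if len(payload) < 4:
        raise ValueError("truncated BPDU header")
    proto, version, bpdu_type = struct.unpack_from("!HBB", payload, 0)
    if proto != 0:
        raise ValueError("protocol identifier is not 0x0000 (not a spanning-tree BPDU)")
    if bpdu_type == 0x80:
        raise ValueError("topology change notification carries no root bridge ID")
    if len(payload) < 35:
        raise ValueError("too short for a configuration BPDU")
    root_prio, root_mac = struct.unpack_from("!H6s", payload, 5)      # after the flags byte
    (cost,) = struct.unpack_from("!I", payload, 13)
    bridge_prio, bridge_mac = struct.unpack_from("!H6s", payload, 17)
    (port_id,) = struct.unpack_from("!H", payload, 25)
    return Bpdu(version, bpdu_type, root_prio, root_mac.hex(":"),
                cost, bridge_prio, bridge_mac.hex(":"), port_id)


def is_superior(bpdu: Bpdu, current_root: tuple[int, str]) -> bool:
    """802.1D compares root bridge IDs as (priority, MAC); the numerically lower ID wins."""
    return (bpdu.root_priority, bpdu.root_mac) < current_root


def port_verdict(bpdu: Bpdu, port: dict, current_root: tuple[int, str]) -> str:
    """Outcome of receiving `bpdu` on `port` (keys: name, role, bpdu_guard, root_guard).

    err-disabled       BPDU Guard shut the port: no BPDU is legitimate on a non-bridging port.
    root-inconsistent  Root Guard blocked a superior BPDU; the root bridge is unchanged.
    root-takeover      Unguarded port accepted a superior BPDU; the topology reconverges
                       around the advertised bridge (the DoS / MITM case in the Impact text).
    accepted           Ordinary BPDU from the existing topology.
    """
    if port["bpdu_guard"]:
        return "err-disabled"
    if is_superior(bpdu, current_root):
        return "root-inconsistent" if port["root_guard"] else "root-takeover"
    return "accepted"


def audit_ports(payload: bytes, ports: list[dict], current_root: tuple[int, str]) -> dict[str, str]:
    bpdu = parse_bpdu(payload)
    return {p["name"]: port_verdict(bpdu, p, current_root) for p in ports}


# --- constructed sample data (not captured from the audited device) ----------
CURRENT_ROOT = (4096, "00:11:22:33:44:01")

# Configuration BPDU from the legitimate root bridge (priority 4096).
LEGIT_ROOT_BPDU = bytes.fromhex(
    "0000" "00" "00" "00"            # protocol 0, version 0 (STP), type 0 (config), flags
    "1000" "001122334401"            # root ID: priority 4096, MAC 00:11:22:33:44:01
    "00000000"                       # root path cost 0: the sender is the root
    "1000" "001122334401"            # sender bridge ID
    "8001"                           # port ID
    "0000" "1400" "0200" "0f00")     # message age 0, max age 20, hello 2, forward delay 15

# BPDU advertising priority 0 from an unknown bridge: superior to the real root.
ROGUE_BPDU = bytes.fromhex(
    "0000" "00" "00" "00"
    "0000" "00005e0053aa"            # root ID: priority 0, MAC from the RFC 7042 documentation range
    "00000000"
    "0000" "00005e0053aa"
    "8001"
    "0000" "1400" "0200" "0f00")

SAMPLE_PORTS = [  # hypothetical port names; the guard flags mirror the report's findings
    {"name": "Twe1/0/10 (access, no guards)", "role": "access", "bpdu_guard": False, "root_guard": False},
    {"name": "Twe1/0/11 (access, BPDU Guard)", "role": "access", "bpdu_guard": True, "root_guard": False},
    {"name": "Po100 (trunk, no guards)", "role": "trunk", "bpdu_guard": False, "root_guard": False},
    {"name": "Po101 (trunk, Root Guard)", "role": "trunk", "bpdu_guard": False, "root_guard": True},
]

if __name__ == "__main__":
    for label, frame in (("legitimate root BPDU", LEGIT_ROOT_BPDU), ("rogue priority-0 BPDU", ROGUE_BPDU)):
        print(label)
        for name, verdict in audit_ports(frame, SAMPLE_PORTS, CURRENT_ROOT).items():
            print(f"  {name:34} -> {verdict}")
```

Running it shows the rogue frame producing `root-takeover` on both unguarded ports, `err-disabled` on the BPDU Guard port and `root-inconsistent` on the Root Guard port, while the legitimate frame is `accepted` everywhere except the BPDU Guard port, which is exactly why BPDU Guard belongs on non-bridging ports only.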

Additional Information

TID: TNA-PRO-0019
IEEE: IEEE 802.1D, IEEE 802.1w and IEEE 802.1s
Wikipedia: https://en.wikipedia.org/wiki/Spanning_Tree_Protocol

The following findings are related to this one:

STP Not Enabled On All Interfaces (see section TNA-PRO-0016);
STP BPDU Guard Was Not Enabled (see section TNA-PRO-0015);
STP Loop Guard Not Enabled (see section TNA-PRO-0017).

OSPF Routing Updates With No Authentication HIGH

Invictux Rating

Overall: High
Impact: High
Ease: Moderate
Fix: Involved

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Finding

Open Shortest Path First (OSPF) is a routing protocol that allows network devices to dynamically adapt to changes to the network
topology. OSPF supports authentication using either clear-text or MD5 authentication methods. This ensures that routing updates
are sent from a trusted source.

Invictux examined the device configuration to determine if all OSPF routing interfaces were configured to provide authentication.

The scope was further limited to those network interfaces with an OSPF routing configuration.

JED-DC-CORE-SW.catrion.local Findings

Invictux identified the following OSPF routing configuration, applied to network interfaces, on JED-DC-CORE-SW.catrion.local:

Interface Active Passive Area Priority Type Auth Mode SPI Key Route Cost Hello Interval Dead Interval

Port-channel1 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Port-channel2 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Port-channel3 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Port-channel4 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Port-channel5 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Port-channel6 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Port-channel7 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Port-channel8 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Port-channel9 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Port-channel10 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Port-channel11 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Port-channel12 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Port-channel13 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Port-channel14 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Port-channel15 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Port-channel16 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Port-channel17 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Port-channel18 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Port-channel19 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Port-channel20 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Port-channel21 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Port-channel22 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Port-channel25 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Port-channel26 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Port-channel27 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Port-channel28 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Port-channel30 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Port-channel31 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Port-channel100 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Port-channel101 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds

Table 50: OSPF authentication on interfaces

Interface Active Passive Area Priority Type Auth Mode SPI Key Route Cost Hello Interval Dead Interval

TwentyFiveGigE1/0/1 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/2 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/3 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/4 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/5 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/6 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/7 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/8 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/9 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/10 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/11 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/12 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/13 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/14 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/15 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/16 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/17 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/18 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/19 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/20 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/21 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/22 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/23 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/24 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/25 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/26 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/27 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/28 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/29 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/30 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/31 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/32 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/33 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/34 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/35 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/36 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/37 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/38 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/39 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/40 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/41 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/42 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/43 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/44 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/45 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/46 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/47 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE1/0/48 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/1 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/2 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/3 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/4 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/5 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/6 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/7 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/8 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/9 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/10 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/11 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/12 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/13 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/14 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/15 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/16 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/17 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/18 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/19 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/20 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/21 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/22 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/23 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/24 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/25 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/26 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/27 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/28 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/29 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/30 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/31 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/32 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/33 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/34 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/35 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/36 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/37 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/38 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/39 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/40 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/41 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/42 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/43 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/44 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/45 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/46 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/47 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
TwentyFiveGigE2/0/48 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds

Table 51: OSPF authentication on interfaces

Interface Active Passive Area Priority Type Auth Mode SPI Key Route Cost Hello Interval Dead Interval

HundredGigE1/0/49 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
HundredGigE1/0/50 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
HundredGigE1/0/51 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
HundredGigE1/0/52 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
HundredGigE2/0/49 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
HundredGigE2/0/50 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
HundredGigE2/0/51 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
HundredGigE2/0/52 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds

Table 52: OSPF authentication on interfaces

Interface Active Passive Area Priority Type Auth Mode SPI Key Route Cost Hello Interval Dead Interval

Vlan1 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Vlan2 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Vlan99 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Vlan106 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Vlan276 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Vlan302 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Vlan306 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Vlan308 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Vlan310 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Vlan312 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Vlan313 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Vlan314 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Vlan316 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Vlan317 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Vlan728 Yes Yes 1 Broadcast None N/A Default 0 seconds 0 seconds
Vlan729 Yes Yes 1 Broadcast None N/A Default 10 seconds 40 seconds
Vlan730 Yes Yes 1 Broadcast None N/A Default 10 seconds 40 seconds
Vlan1800 Yes Yes 1 Point to Point None N/A Default 10 seconds 40 seconds
Vlan874 Yes No 1 Broadcast None N/A Default 0 seconds 0 seconds
Vlan870 Yes No 1 Broadcast None N/A Default 0 seconds 0 seconds
Vlan862 Yes No 1 Broadcast None N/A Default 0 seconds 0 seconds

Table 53: OSPF authentication on interfaces

Impact

An attacker may attempt to modify the routing table of a routing device in an attempt to route network traffic through a device
that they control. If an attacker is able to control a routing device they would be able to:

monitor network traffic sent between network segments;
gain a list of network addresses the router knows about;
perform a man-in-the-middle attack;
capture clear-text protocol authentication credentials;
capture encrypted authentication hashes which could be subjected to a brute-force attack;
perform a network-wide DoS;
have the device redistribute malicious route updates to other routing devices, possibly using other routing protocols and
authentication.

Ease

There are multiple methods an attacker could use to identify potentially vulnerable OSPF routers, such as monitoring network
traffic to identify routers and examining their routing updates. With no authentication configured, an attacker would not have to
determine the authentication key prior to sending malicious OSPF route updates.

An attacker would have to be able to create their own malicious routing updates to exploit this issue. To do this they could
configure their own router, using either Open Source routing software or their own physical router. The following are
examples of the Open Source software that could be used by the attacker to interact with the routing protocol:

Quagga (www.nongnu.org/quagga);
Bird (bird.network.cz).

Recommendation

Invictux recommends that strong OSPF authentication keys should be configured for all routing updates. Invictux recommends
that:

OSPF authentication keys should be at least ten characters in length;
characters in the OSPF authentication key should not be repeated more than three times;
OSPF authentication keys should include both upper case and lower case characters;
OSPF authentication keys should include numbers;
OSPF authentication keys should include punctuation characters;
OSPF authentication keys should not include a device's name, make or model;
OSPF authentication keys should not be based on dictionary words.

Cisco IOS Information

OSPF MD5 authentication can be configured with the following interface commands (the MD5 key is set with message-digest-key;
the authentication-key command sets only the simple clear-text password):

ip ospf message-digest-key <key-id> md5 <key>
ip ospf authentication message-digest

Additional Information

TID: TNA-ROUT-0029
Classification: Authentication, Routing
RFCs: RFC 2328, RFC 5340
Wikipedia: https://en.wikipedia.org/wiki/Open_Shortest_Path_First

The following findings are related to this one:

Low OSPF Priorities (see section TNA-ROUT-0030);
No OSPF LSA Thresholds (see section TNA-ROUT-0031).

Users With A Weak Authentication Password MEDIUM

Invictux Rating

Overall: Medium
Impact: High
Ease: Moderate
Fix: Quick

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Finding

Access to restricted network user and administration services is typically secured using username and password authentication
credentials. The strength of the authentication credentials is even more important if the service allows devices to be
reconfigured or gives access to potentially sensitive information.

Invictux examined the device configuration to determine if any enabled user accounts had weak authentication passwords, that
is, passwords which are not considered strong based on their length and composition.

JED-DC-CORE-SW.catrion.local Findings

The following table contains user accounts configured with a weak password on JED-DC-CORE-SW.catrion.local.

User Enabled Password Strength Policy

Console Line Yes CiscoAdmin No numbers

VTY 0 - 4 Line Yes CiscoAdmin No numbers

VTY 5 - 15 Line Yes CiscoAdmin No numbers

Table 54: Users on JED-DC-CORE-SW.catrion.local with a weak password

Impact

A malicious user, or remote attacker, who is able to connect to an administrative service will be able to authenticate to the device
without using a password. The attacker will then be able to perform the user level tasks permitted by that user. This could include
extracting potentially sensitive information from the device and reconfiguring a limited number of the device settings.

Ease

Password brute-forcing tools and techniques have been widely documented on the Internet and published media. Although there
are a number of different tools available, brute-forcing authentication credentials can be problematic:

1. Account lockout facilities can quickly prevent access to the account.
2. Device protection mechanisms may slow or disconnect connections where multiple authentication attempts are made in a
short period of time.
3. Brute-forcing can be very time consuming, especially if the password is long or made up of various character types.
4. Network administrators may be alerted to locked out accounts or authentication attempts.

Recommendation

Invictux strongly recommends that all user accounts should have strong passwords. If the user accounts are not being used
then Invictux recommends that they should be either removed or disabled.

Invictux recommends that:

user passwords should be at least ten characters in length;
characters in the user password should not be repeated more than three times;
user passwords should include both upper case and lower case characters;
user passwords should include numbers;
user passwords should include punctuation characters;
user passwords should not include a device's name, make or model;
user passwords should not be based on dictionary words.

Cisco IOS Information

The following commands can be used on Cisco IOS devices to set the enable password, create a local user with a password and
to delete a local user:

enable secret <password>
username <user> secret <password>
no username <user>
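The OSPF key policy and the user password policy above list the same seven rules but leave the check to the reader. The Python program below, added here as an example and not part of the Invictux report or of Nipper, scans an IOS running-config for the three credential forms the two findings concern (line passwords, local user secrets and OSPF MD5 keys), applies the rules to every credential stored in clear text, and flags credentials stored with the reversible Type 7 encoding instead of decoding them (one-way Type 5/8/9 hashes are reported as not assessable, which is the point of using `secret`). The configuration excerpt, the device words and the short word list are constructed sample data; a real check would load a full dictionary.

```python
"""Credential-policy check over a Cisco IOS running-config.

Added example (not from the Invictux report or Nipper). Applies the key and
password rules from the two Recommendation sections to plaintext credentials
and flags reversible Type 7 storage. Sample config and word lists are constructed.
"""
import re
import string
from collections import Counter

# Hypothetical device identity words (make, model, host name) the policy forbids in a credential.
DEVICE_WORDS = ("cisco", "catalyst", "jed-dc-core-sw")
# Stub dictionary; a real check would load a full word list.
DICTIONARY = ("admin", "password", "secret", "switch", "router", "welcome")


def policy_violations(secret: str) -> list[str]:
    """Return the policy rules a plaintext credential breaks (empty list = compliant)."""
    found = []
    if len(secret) < 10:
        found.append("Shorter than ten characters")
    if secret and max(Counter(secret).values()) > 3:
        found.append("A character is repeated more than three times")
    if not (any(c.isupper() for c in secret) and any(c.islower() for c in secret)):
        found.append("No mixed case")
    if not any(c.isdigit() for c in secret):
        found.append("No numbers")
    if not any(c in string.punctuation for c in secret):
        found.append("No punctuation")
    lowered = secret.lower()
    if any(w in lowered for w in DEVICE_WORDS):
        found.append("Contains device name, make or model")
    if any(w in lowered for w in DICTIONARY):
        found.append("Based on a dictionary word")
    return found


# The three credential forms this example understands:
#   username <u> [privilege N] secret|password [<type>] <value>
#   password [<type>] <value>                      (under 'line con 0' / 'line vty ...')
#   ip ospf message-digest-key <id> md5 [<type>] <value>
CRED_RE = re.compile(
    r"^(?:username (?P<user>\S+)(?: privilege \d+)? (?P<ukind>secret|password)"
    r"|(?P<pkind>password)"
    r"|ip ospf message-digest-key \d+ (?P<okind>md5))"
    r"(?: (?P<enc>\d))? (?P<value>\S+)$"
)


def audit_credentials(config: str) -> list[dict]:
    """Scan a running-config and assess every credential it finds."""
    results, context = [], "global"
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):                # a top-level line opens a new context
            context = raw.strip()
        m = CRED_RE.match(raw.strip())
        if not m:
            continue
        kind = m["ukind"] or m["pkind"] or m["okind"]
        label = f"username {m['user']}" if m["user"] else context
        enc = m["enc"] or "0"                      # IOS treats a missing type as 0 (plaintext)
        if enc == "0":
            issues = policy_violations(m["value"])
        elif enc == "7":
            issues = ["Stored with reversible Type 7 encoding; use 'secret' (strength not assessed)"]
        else:
            issues = []                            # one-way hash (Type 5/8/9): not assessable from config
        results.append({"context": label, "kind": kind, "encoding": enc, "issues": issues})
    return results


# Constructed running-config excerpt; the hash value is a placeholder, not a real digest.
SAMPLE_CONFIG = """\
hostname JED-DC-CORE-SW
!
username netops privilege 15 secret 9 $9$PLACEHOLDER-NOT-A-REAL-HASH
username backup password 7 0123456789ABCDEF
!
interface Vlan729
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 CiscoAdmin
!
interface Vlan730
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 Kq7#vR2m!pX9
!
line con 0
 password CiscoAdmin
line vty 0 4
 password 0 CiscoAdmin
"""

if __name__ == "__main__":
    for r in audit_credentials(SAMPLE_CONFIG):
        status = "; ".join(r["issues"]) or "ok"
        print(f"{r['context']:22} {r['kind']:8} type {r['encoding']}: {status}")
```

The weak value in the constructed config reproduces the report's `CiscoAdmin` finding: besides "No numbers" it also trips the punctuation, device-name and dictionary rules, and the same plaintext key on an OSPF interface is reported with the interface as its context.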

Additional Information

TID: TNA-ATH-0031
Classification: Authentication

The following findings are related to this one:

Users Configured With Cisco Type 7 Password Hashing Algorithm (see section TNA-ATH-0003).

DTP Was Enabled MEDIUM

Invictux Rating

Overall: Medium
Impact: High
Ease: Moderate
Fix: Planned

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Finding

Dynamic Trunking Protocol (DTP) is a proprietary protocol developed by Cisco for the purpose of negotiating Virtual Local Area
Network (VLAN) trunking between switches. When enabled the switch can dynamically negotiate trunking with an attached switch
without requiring any manual configuration. Once the negotiation is successful, any Virtual Local Area Networks (VLANs)
configured to trunk will then be transferred between the devices. If specific VLANs have not been specified then all VLANs will be
transferred.

Invictux examined the device configuration to determine whether DTP was configured to automatically negotiate VLAN trunks on
network interfaces.
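The DTP check described above is a per-interface question (is `switchport nonegotiate` present, and can the port still be negotiated into a trunk?), and the three STP findings earlier in the report ask the same kind of per-interface question about BPDU Guard, Root Guard and Loop Guard. The Python program below, added here as an example and not part of the Invictux report or of Nipper, splits an IOS running-config into interface stanzas and reports both sets of properties for every switched port, applying the report's recommendations (BPDU Guard on non-bridging ports, Root Guard and Loop Guard on bridging ports, no DTP negotiation anywhere). It also honours the global `spanning-tree portfast bpduguard default` setting, which enables BPDU Guard on PortFast ports without a per-interface line. The configuration and interface names are constructed sample data.

```python
"""Per-interface Layer 2 hardening audit of a Cisco IOS running-config.

Added example (not from the Invictux report or Nipper). Reports DTP exposure
and STP guard state for each switched port; the configuration below is
constructed sample data.
"""
import re

GLOBAL_BPDUGUARD = "spanning-tree portfast bpduguard default"


def parse_interfaces(config: str) -> tuple[set[str], dict[str, list[str]]]:
    """Return (top-level config lines, {interface name: [its indented lines]})."""
    top_level, stanzas, current = set(), {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:                                      # '!' or any other top-level line ends the stanza
            current = None
            if raw.strip() and not raw.startswith("!"):
                top_level.add(raw.strip())
    return top_level, stanzas


def audit_port(name: str, lines: list[str], global_bpduguard: bool) -> dict:
    cfg = set(lines)
    if "no switchport" in cfg or any(l.startswith("ip address") for l in lines):
        return {"name": name, "role": "routed", "issues": []}   # L3 port: no DTP, no STP port role
    m = next((re.match(r"switchport mode (\S+)", l) for l in lines if l.startswith("switchport mode ")), None)
    mode = m.group(1) if m else "dynamic"          # no explicit mode: Catalyst default is dynamic (auto)
    portfast = any(l.startswith("spanning-tree portfast") for l in lines)
    bpdu_guard = "spanning-tree bpduguard enable" in cfg or (portfast and global_bpduguard)
    root_guard = "spanning-tree guard root" in cfg
    loop_guard = "spanning-tree guard loop" in cfg
    dtp = "switchport nonegotiate" not in cfg      # only nonegotiate stops DTP frames on a switched port
    issues = []
    if dtp:
        issues.append("DTP negotiation enabled"
                      + (" (dynamic mode: port can be negotiated into a trunk)" if mode == "dynamic" else ""))
    if mode == "trunk":                            # bridging port: report recommends Root Guard and Loop Guard
        if not root_guard:
            issues.append("Root Guard not enabled on bridging port")
        if not loop_guard:
            issues.append("Loop Guard not enabled on bridging port")
    elif not bpdu_guard:                           # non-bridging port: report recommends BPDU Guard
        issues.append("BPDU Guard not enabled on non-bridging port")
    return {"name": name, "role": mode, "dtp": dtp, "portfast": portfast, "bpdu_guard": bpdu_guard,
            "root_guard": root_guard, "loop_guard": loop_guard, "issues": issues}


def audit_l2_ports(config: str) -> dict[str, dict]:
    top_level, stanzas = parse_interfaces(config)
    global_bpduguard = GLOBAL_BPDUGUARD in top_level
    return {name: audit_port(name, lines, global_bpduguard) for name, lines in stanzas.items()}


# Constructed running-config excerpt (hypothetical interface names and descriptions).
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
!
interface Port-channel100
 description uplink to distribution (constructed)
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
interface Port-channel101
 switchport mode trunk
 switchport nonegotiate
 spanning-tree guard root
 spanning-tree guard loop
!
interface TwentyFiveGigE1/0/10
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface TwentyFiveGigE1/0/11
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface TwentyFiveGigE1/0/12
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
"""

if __name__ == "__main__":
    for name, r in audit_l2_ports(SAMPLE_CONFIG).items():
        print(f"{name:22} {r['role']:8} " + ("; ".join(r["issues"]) or "ok"))
```

Port-channel101 and TwentyFiveGigE1/0/11 come back clean; Port-channel100 shows the three issues the report raises for this device's uplinks (DTP on, no Root Guard, no Loop Guard); TwentyFiveGigE1/0/12, left at factory defaults, is the worst case because dynamic mode lets a neighbour negotiate it into a trunk.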

JED-DC-CORE-SW.catrion.local Findings

Invictux determined that JED-DC-CORE-SW.catrion.local was configured to permit DTP auto-negotiation of VLAN trunks.
Interface | Active | Switchport | Mode | VLAN | DTP | Description
Port-channel1 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Uplink Port - Sophos Perimeter FW1 ---
Port-channel2 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Uplink Port - Sophos Perimeter FW2 ---
Port-channel3 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Uplink Port - Sophos B2B (XGS 2100) FW1 ---
Port-channel4 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Uplink Port - Sophos B2B (XGS 2100) FW2 ---
Port-channel5 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Uplink Port - Sophos Primary FW1 XGS 4500 ---
Port-channel6 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Uplink Port - Sophos Primary FW1 XGS 4500 ---
Port-channel7 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Uplink Port - Sophos Primary FW2 XGS 4500 ---
Port-channel8 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Uplink Port - Sophos Primary FW2 XGS 4500 ---
Port-channel9 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Uplink Port - Sophos B2B (XGS 2100) FW1 ---
Port-channel10 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Uplink Port - Sophos B2B (XGS 2100) FW2 ---
Port-channel12 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Connected to nac-jed-SPAN ---
Port-channel19 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Connected to Aruba-Controller-1 ---
Port-channel20 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Connected to Aruba-Controller-2 ---
Port-channel21 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Connected to Aruba-Controller-3 ---
Port-channel26 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Connected to WAN-Server ---
Port-channel27 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Connected to JEDGIGMON ---
Port-channel28 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Core Switch Extension Catalyst 9200L 24-port PoE+ x 2 for system with 1GB-TX interface ---
Port-channel30 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Connected to JED-CORE-MGM-SW1 ---
Port-channel31 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): 99; Native (Untagged): 1 | On | --- Connected to JED-DC-ISP-SW ---
Port-channel100 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): 1, 2, 3, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20; Native (Untagged): 1 | On | --- Uplink Port - Distribution Switch ---
Port-channel101 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Uplink Port - Service Switch ---
TwentyFiveGigE1/0/1 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Uplink Port - Sophos Perimeter FW1 ---
TwentyFiveGigE1/0/2 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Uplink Port - Sophos Perimeter FW2 ---
TwentyFiveGigE1/0/3 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Uplink Port - Sophos B2B (XGS 2100) FW1 ---
TwentyFiveGigE1/0/4 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Uplink Port - Sophos B2B (XGS 2100) FW2 ---
TwentyFiveGigE1/0/5 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Uplink Port - Sophos Primary FW1 XGS 4500 ---
TwentyFiveGigE1/0/6 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Uplink Port - Sophos Primary FW1 XGS 4500 ---
TwentyFiveGigE1/0/7 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Uplink Port - Sophos Primary FW2 XGS 4500 ---
TwentyFiveGigE1/0/8 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Uplink Port - Sophos Primary FW2 XGS 4500 ---
TwentyFiveGigE1/0/9 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE1/0/10 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE1/0/12 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE1/0/13 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE1/0/14 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE1/0/16 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE1/0/17 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE1/0/18 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE1/0/19 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 276 | On | --- Connected to Aruba-Controller-1 ---
TwentyFiveGigE1/0/20 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 276 | On | --- Connected to Aruba-Controller-2 ---
TwentyFiveGigE1/0/21 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): 241; Native (Untagged): 276 | On | --- Connected to AlFurfan-Aruba-Controller-3 ---
TwentyFiveGigE1/0/23 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): 644; Native (Untagged): 1 | On | --- Jed-CS-CL01-ESXi02 ---
TwentyFiveGigE1/0/24 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): 644; Native (Untagged): 1 | On | --- Jed-CS-CL01-ESXi03 ---
TwentyFiveGigE1/0/25 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): 644; Native (Untagged): 1 | On | --- Jed-CS-MISC ---
TwentyFiveGigE1/0/26 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Connected to WAN-Server ---
TwentyFiveGigE1/0/27 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Connected to JEDGIGMON ---
TwentyFiveGigE1/0/28 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Core Switch Extension Catalyst 9200L 24-port PoE+ x 2 for system with 1GB-TX interface ---
TwentyFiveGigE1/0/29 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE1/0/30 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Connected to JED-CORE-MGM-SW1 ---
TwentyFiveGigE1/0/31 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): 99; Native (Untagged): 1 | On | --- Connected to JED-DC-ISP-SW ---
TwentyFiveGigE1/0/32 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE1/0/33 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE1/0/34 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): 1, 2, 3, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20; Native (Untagged): 1 | On | --- Uplink Port - Distribution Switch ---
TwentyFiveGigE1/0/35 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): 1, 2, 3, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20; Native (Untagged): 1 | On | --- Uplink Port - Distribution Switch ---
TwentyFiveGigE1/0/36 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE1/0/37 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE1/0/38 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Uplink Port - Service Switch ---
TwentyFiveGigE1/0/39 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Uplink Port - Service Switch ---
TwentyFiveGigE1/0/40 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE1/0/41 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 99 | On | --- MICROWAVE-AMAZNET-ISP-SW ---
TwentyFiveGigE1/0/42 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE1/0/43 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE1/0/44 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE1/0/45 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE1/0/46 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE1/0/47 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE1/0/48 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE2/0/1 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Uplink Port - Sophos Perimeter FW1 ---
TwentyFiveGigE2/0/2 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Uplink Port - Sophos Perimeter FW2 ---
TwentyFiveGigE2/0/3 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Uplink Port - Sophos B2B (XGS 2100) FW1 ---
TwentyFiveGigE2/0/4 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Uplink Port - Sophos B2B (XGS 2100) FW2 ---
TwentyFiveGigE2/0/5 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Uplink Port - Sophos Primary FW1 XGS 4500 ---
TwentyFiveGigE2/0/6 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Uplink Port - Sophos Primary FW1 XGS 4500 ---
TwentyFiveGigE2/0/7 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Uplink Port - Sophos Primary FW2 XGS 4500 ---
TwentyFiveGigE2/0/8 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Uplink Port - Sophos Primary FW2 XGS 4500 ---
TwentyFiveGigE2/0/9 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE2/0/10 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE2/0/12 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE2/0/13 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE2/0/14 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE2/0/16 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE2/0/17 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE2/0/18 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE2/0/19 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 276 | On | --- Connected to Aruba-Controller-1 ---
TwentyFiveGigE2/0/20 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 276 | On | --- Connected to Aruba-Controller-2 ---
TwentyFiveGigE2/0/21 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): 241; Native (Untagged): 276 | On | --- Connected to AlFurfan-Aruba-Controller-3 ---
TwentyFiveGigE2/0/23 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): 644; Native (Untagged): 1 | On | --- Jed-CS-CL01-ESXi02 ---
TwentyFiveGigE2/0/24 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): 644; Native (Untagged): 1 | On | --- Jed-CS-CL01-ESXi03 ---
TwentyFiveGigE2/0/25 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): 644; Native (Untagged): 1 | On | --- Jed-CS-MISC ---
TwentyFiveGigE2/0/26 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Connected to WAN-Server ---
TwentyFiveGigE2/0/27 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Connected to JEDGIGMON ---
TwentyFiveGigE2/0/28 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Core Switch Extension Catalyst 9200L 24-port PoE+ x 2 for system with 1GB-TX interface ---
TwentyFiveGigE2/0/29 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE2/0/30 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Connected to JED-CORE-MGM-SW1 ---
TwentyFiveGigE2/0/31 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): 99; Native (Untagged): 1 | On | --- Connected to JED-DC-ISP-SW ---
TwentyFiveGigE2/0/32 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE2/0/33 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE2/0/34 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): 1, 2, 3, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20; Native (Untagged): 1 | On | --- Uplink Port - Distribution Switch ---
TwentyFiveGigE2/0/35 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): 1, 2, 3, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20; Native (Untagged): 1 | On | --- Uplink Port - Distribution Switch ---
TwentyFiveGigE2/0/36 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE2/0/37 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE2/0/38 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Uplink Port - Service Switch ---
TwentyFiveGigE2/0/39 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | On | --- Uplink Port - Service Switch ---
TwentyFiveGigE2/0/40 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE2/0/41 | Yes | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 99 | On |
TwentyFiveGigE2/0/42 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE2/0/43 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE2/0/44 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE2/0/45 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE2/0/46 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE2/0/47 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
TwentyFiveGigE2/0/48 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
HundredGigE1/0/49 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
HundredGigE1/0/50 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
HundredGigE1/0/51 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
HundredGigE1/0/52 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
HundredGigE2/0/49 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
HundredGigE2/0/50 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
HundredGigE2/0/51 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
HundredGigE2/0/52 | Yes | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | On |
Table 55: DTP enabled interfaces on JED-DC-CORE-SW.catrion.local

Impact

An attacker could attempt to negotiate a trunk with the device in order to gain access to all the VLANs configured for the trunk.
This will enable an attacker to bypass any network filtering provided to restrict access between VLANs. For example, if a
management network were to be available then the attacker will be able to connect to all the devices and services offered on that
network as if they were attached to it directly.

Ease

Software that enables an attacker to negotiate a trunk is available on the Internet. Alternatively, an attacker could make use of
their own DTP-capable network device.

Recommendation

Invictux recommends that DTP should be disabled where it is not required. Switch ports should be explicitly configured either to
trunk or not to trunk, and those ports where trunking is required should be configured to trunk only the VLANs that are needed.

Cisco IOS Information

Switch ports can be configured to either trunk or not and DTP negotiation disabled using the following interface commands:

switchport mode {access | trunk}
switchport nonegotiate

Additional Information

TID: TNA-PRO-0003
Wikipedia: https://en.wikipedia.org/wiki/Dynamic_Trunking_Protocol

Users Configured With Cisco Type 7 Password Hashing Algorithm MEDIUM

Invictux Rating

Overall: Medium
Impact: High
Ease: Challenging
Fix: Quick

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Finding

User passwords on Cisco Internet Operating System (IOS)-based devices can be stored using a variety of hashing algorithms, or
using the Cisco Type 7 password encoding algorithm. Cisco Type 7 encoding can be easily reversed to reveal the original
password, whereas a hashed password cannot be reversed: to recover the original password from a hash, candidate passwords
must be guessed and put through the hashing process, and the resulting hashes compared in order to determine whether a
candidate matches.

Invictux examined the device configuration to determine if all user passwords used Cisco Type-7 encryption. User accounts that
were not usable (i.e. disabled or expired) are excluded from the check.

JED-DC-CORE-SW.catrion.local Findings

User | Enabled | Password | Privilege | Filter Policy
Console Line | Yes | CiscoAdmin | 1 |
VTY 0 - 4 Line | Yes | CiscoAdmin | 1 |
VTY 5 - 15 Line | Yes | CiscoAdmin | 1 |

Table 56: Identified local users

Impact

A strong password stored using a modern hashing algorithm can take a significant period of time to brute-force. However, the
same password stored in the Cisco Type 7 encoded form can be reversed in a fraction of a second. An attacker could use decoded
passwords from a Cisco device in order to gain a level of access to the device and potentially modify its configuration.

Ease

An attacker who had access to the Cisco configuration file would easily be able to retrieve and decode passwords that are stored
using the Cisco Type 7 encoding scheme, whereas against a password stored with a stronger modern hashing algorithm the
same attacker could only attempt a brute-force attack. Tools capable of reversing Cisco Type 7 passwords can be downloaded
from the Internet. However, an attacker would need to obtain a copy of the configuration file, and would need to gain initial
access to the device before they could make use of an enable password.

Recommendation

Invictux recommends that all user passwords should be stored using newer hashing algorithms, such as Cisco Type-8 (PBKDF2)
or Type-9 (SCRYPT). The following command can be used to remove users using the Cisco Type 5 password:

no username

Users can configure the device to store passwords using newer hashing algorithms by using the following command:

username <user-name> secret <8-9> <password>
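To check a saved configuration for the password-storage types this finding describes before and after the change, here is an added Python example (not the report's tooling). It scans for `username`, `enable` and `line` password statements, classifies the storage type (Type 7 reversible encoding, Type 5 md5crypt, Type 0 plaintext versus the Type 8/9 forms the recommendation asks for) and emits the corresponding remediation command. The configuration embedded in it is constructed and its encoded strings are placeholders, not real credentials; the `algorithm-type scrypt` command form is the one used here for the remediation text.

```python
"""Flag Cisco IOS credentials stored with reversible or legacy password types (added example)."""
import re
from typing import Dict, List, Optional

# Constructed sample configuration: every hash/encoded string below is a placeholder.
SAMPLE_CONFIG = """\
username netadmin privilege 15 password 7 0F2A3B4C5D6E7F
username auditor secret 5 $1$PLAC$EHOLDERhashvalue0000000
username ops algorithm-type scrypt secret 9 $9$PLACEHOLDERsalt$PLACEHOLDERscrypthash000000000
enable password 7 1A2B3C4D5E6F
line con 0
 password 7 0F2A3B4C5D6E7F
line vty 0 4
 password 7 0F2A3B4C5D6E7F
 login local
"""

# Storage types as IOS numbers them; 8 (PBKDF2) and 9 (scrypt) are the acceptable ones.
PASSWORD_TYPES = {
    "0": "Type 0 (plaintext)",
    "5": "Type 5 (md5crypt; superseded by Type 8/9)",
    "7": "Type 7 (reversible encoding)",
    "8": "Type 8 (PBKDF2-SHA256)",
    "9": "Type 9 (scrypt)",
}
ACCEPTABLE_TYPES = {"8", "9"}

# A missing type digit means the value is stored in the clear (Type 0).
USERNAME_RE = re.compile(r"^username (\S+)(?: .*?)? (?:password|secret) (?:(\d) )?\S+$")
ENABLE_RE = re.compile(r"^enable (?:password|secret) (?:(\d) )?\S+$")
LINE_PASSWORD_RE = re.compile(r"^password (?:(\d) )?\S+$")


def classify(ptype: str) -> Optional[str]:
    """Describe why a storage type is weak, or return None if it is acceptable."""
    if ptype in ACCEPTABLE_TYPES:
        return None
    return PASSWORD_TYPES.get(ptype, f"Type {ptype} (unrecognised)")


def audit_password_storage(config: str) -> List[Dict[str, str]]:
    """Return one finding per credential that is not stored as Type 8 or Type 9."""
    findings: List[Dict[str, str]] = []
    current_line: Optional[str] = None   # name of the `line ...` block being read
    for raw in config.splitlines():
        text = raw.strip()
        if raw.startswith("line "):
            current_line = text
            continue
        if not raw.startswith(" "):       # any other top-level statement leaves the line block
            current_line = None
        m = USERNAME_RE.match(text)
        if m:
            name, weak = m.group(1), classify(m.group(2) or "0")
            if weak:
                findings.append({"scope": f"username {name}", "weakness": weak,
                                 "fix": f"username {name} algorithm-type scrypt secret <new-password>"})
            continue
        m = ENABLE_RE.match(text)
        if m:
            weak = classify(m.group(1) or "0")
            if weak:
                findings.append({"scope": "enable", "weakness": weak,
                                 "fix": "enable algorithm-type scrypt secret <new-password>"})
            continue
        if current_line:
            m = LINE_PASSWORD_RE.match(text)
            if m:
                weak = classify(m.group(1) or "0")
                if weak:
                    findings.append({"scope": current_line, "weakness": weak,
                                     "fix": "login local (or AAA) and remove the line password"})
    return findings


if __name__ == "__main__":
    for f in audit_password_storage(SAMPLE_CONFIG):
        print(f"{f['scope']:<18} {f['weakness']:<45} -> {f['fix']}")
```

Run against the sample, the script reports the `netadmin` user, the `enable` password and both line passwords as Type 7, the `auditor` user as Type 5, and leaves the scrypt-protected `ops` user alone; replacing the constructed configuration with a real `show running-config` capture is the only change needed.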

Additional Information

TID: TNA-ATH-0003
Classification: Authentication

The following findings are related to this one:

Users With A Weak Authentication Password (see section TNA-ATH-0031).

STP Loop Guard Not Enabled MEDIUM

Invictux Rating

Overall: Medium
Impact: High
Ease: Challenging
Fix: Quick

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Finding

STP is used to help prevent network loops, which can cause significant network disruption. When a loop is detected, STP can
automatically perform an action, such as blocking a network interface, in order to prevent the networking issues a loop would
cause. STP was originally standardized as IEEE 802.1D and has since evolved into other standards such as RSTP.

Occasionally a software or hardware failure can cause STP to fail, creating STP forwarding loops that can cause a network failure
where unidirectional links are used. The STP Loop Guard feature prevents a port from automatically transitioning from a
blocking state to forwarding network traffic when BPDUs are no longer being received. Instead, the port is placed in a loop-
inconsistent state. If no BPDUs have been received after the timeout has expired, the port continues to transition to a forwarding
state; however, if BPDUs are received, the port is placed back into a blocking state. This helps to prevent the creation of an STP
forwarding loop.

Invictux examined the device configuration to determine if STP Loop Guard was enabled on STP network interfaces.

JED-DC-CORE-SW.catrion.local Findings

Invictux identified 4121 network interfaces that did not have STP Loop Guard enabled on JED-DC-CORE-SW.catrion.local.
Those interfaces are detailed in the table below.

Interface | Active | STP | Port Fast | BPDU Guard | BPDU Filter | Root Guard | Loop Guard | Description
Port-channel1 | Yes | On | Off | Off | Off | Off | Off | --- Uplink Port - Sophos Perimeter FW1 ---
Port-channel2 | Yes | On | Off | Off | Off | Off | Off | --- Uplink Port - Sophos Perimeter FW2 ---
Port-channel3 | Yes | On | Off | Off | Off | Off | Off | --- Uplink Port - Sophos B2B (XGS 2100) FW1 ---
Port-channel4 | Yes | On | Off | Off | Off | Off | Off | --- Uplink Port - Sophos B2B (XGS 2100) FW2 ---
Port-channel5 | Yes | On | Off | Off | Off | Off | Off | --- Uplink Port - Sophos Primary FW1 XGS 4500 ---
Port-channel6 | Yes | On | Off | Off | Off | Off | Off | --- Uplink Port - Sophos Primary FW1 XGS 4500 ---
Port-channel7 | Yes | On | Off | Off | Off | Off | Off | --- Uplink Port - Sophos Primary FW2 XGS 4500 ---
Port-channel8 | Yes | On | Off | Off | Off | Off | Off | --- Uplink Port - Sophos Primary FW2 XGS 4500 ---
Port-channel9 | Yes | On | Off | Off | Off | Off | Off | --- Uplink Port - Sophos B2B (XGS 2100) FW1 ---
Port-channel10 | Yes | On | Off | Off | Off | Off | Off | --- Uplink Port - Sophos B2B (XGS 2100) FW2 ---
Port-channel11 | Yes | On | Off | Off | Off | Off | Off | --- Connected to NAC-EM-(Enterprise-Manager) ---
Port-channel12 | Yes | On | Off | Off | Off | Off | Off | --- Connected to nac-jed-SPAN ---
Port-channel13 | Yes | On | Off | Off | Off | Off | Off | --- Connected to nac-jed ---
Port-channel14 | Yes | On | Off | Off | Off | Off | Off | --- Connected to LAN-870-Infra-SIEM-Server-1 ---
Port-channel15 | Yes | On | Off | Off | Off | Off | Off | --- Connected to LAN-870-Infra-SIEM-Server-2 ---
Port-channel16 | Yes | On | Off | Off | Off | Off | Off | --- Connected to LAN-870-Infra-SIEM-Server-3 ---
Port-channel17 | Yes | On | Off | Off | Off | Off | Off | --- Connected to JED-SIEMXM1 ---
Port-channel18 | Yes | On | Off | Off | Off | Off | Off | --- Connected to jed-siempdih1 ---
Port-channel19 | Yes | On | Off | Off | Off | Off | Off | --- Connected to Aruba-Controller-1 ---
Port-channel20 | Yes | On | Off | Off | Off | Off | Off | --- Connected to Aruba-Controller-2 ---
Port-channel21 | Yes | On | Off | Off | Off | Off | Off | --- Connected to Aruba-Controller-3 ---
Port-channel22 | Yes | On | Off | Off | Off | Off | Off | --- Connected to Aruba-Conductor ---
Port-channel25 | Yes | On | Off | Off | Off | Off | Off | --- Connected to Jed-CS-MISC ---
Port-channel26 | Yes | On | Off | Off | Off | Off | Off | --- Connected to WAN-Server ---
Port-channel27 | Yes | On | Off | Off | Off | Off | Off | --- Connected to JEDGIGMON ---
Port-channel28 | Yes | On | Off | Off | Off | Off | Off | --- Core Switch Extension Catalyst 9200L 24-port PoE+ x 2 for system with 1GB-TX interface ---
Port-channel30 | Yes | On | Off | Off | Off | Off | Off | --- Connected to JED-CORE-MGM-SW1 ---
Port-channel31 | Yes | On | Off | Off | Off | Off | Off | --- Connected to JED-DC-ISP-SW ---
Port-channel100 | Yes | On | Off | Off | Off | Off | Off | --- Uplink Port - Distribution Switch ---
Port-channel101 | Yes | On | Off | Off | Off | Off | Off | --- Uplink Port - Service Switch ---
Vlan1 | Yes | On | Off | Off | Off | Off | Off |
Vlan2 | Yes | On | Off | Off | Off | Off | Off | --- Network-102 ---
Vlan99 | Yes | On | Off | Off | Off | Off | Off | --- Network-99 ---
Vlan106 | Yes | On | Off | Off | Off | Off | Off |
Vlan276 | Yes | On | Off | Off | Off | Off | Off | --- LAN-276-Infra-ArubaNetwork ---
Vlan302 | Yes | On | Off | Off | Off | Off | Off | --- WiFi_SACC_IPPhone ---
Vlan306 | Yes | On | Off | Off | Off | Off | Off | --- WiFi_SACC_CEO ---
Vlan308 | Yes | On | Off | Off | Off | Off | Off | --- WiFi_SACC_Executives ---
Vlan310 | Yes | On | Off | Off | Off | Off | Off | --- WiFi_SACC_System ---
Vlan312 | Yes | On | Off | Off | Off | Off | Off | --- WiFi_SACC_Guest ---
Vlan313 | Yes | On | Off | Off | Off | Off | Off | --- WiFi_SACC_IT-VIPGuest ---
Vlan314 | Yes | On | Off | Off | Off | Off | Off | --- WiFi_Alfursan ---
Vlan316 | Yes | On | Off | Off | Off | Off | Off | --- WiFi_Airfi ---
Vlan317 | Yes | On | Off | Off | Off | Off | Off | --- Wifi_TMS ---
Vlan728 | Yes | On | Off | Off | Off | Off | Off |
Vlan729 | Yes | On | Off | Off | Off | Off | Off | ---Point to Point to Primary-FW-for-USER-VRF ---
Vlan730 | Yes | On | Off | Off | Off | Off | Off | ---Point to Point to Primary-FW-for-WIFI-VRF ---
Vlan1800 | Yes | On | Off | Off | Off | Off | Off | ---Point to Point to Distribution-SW-for-USER-VRF ---
Vlan874 | Yes | On | Off | Off | Off | Off | Off |
Vlan870 | Yes | On | Off | Off | Off | Off | Off |
Vlan862 | Yes | On | Off | Off | Off | Off | Off |
Table 57: Interfaces with STP Loop Guard disabled on JED-DC-CORE-SW.catrion.local

Invictux identified one network interface that either had STP Loop Guard enabled or was not using STP on JED-DC-
CORE-SW.catrion.local. This interface is detailed in the table below.

Interface | Active | STP | Port Fast | BPDU Guard | BPDU Filter | Root Guard | Loop Guard | Description
Loopback0 | Yes | Off | N/A | N/A | N/A | N/A | N/A |

Table 58: STP Loop Guard interface status on JED-DC-CORE-SW.catrion.local

Impact

An attacker, who is able to disrupt STP, could cause a network DoS if STP incorrectly transitions a blocking port to a forwarding
port.

Ease

An attacker would need to temporarily disrupt STP on a device. This could be done either by attacking STP directly or by causing
CPU utilization issues on the device.

Recommendation

Invictux recommends that the STP Loop Guard feature should be enabled on all bridging network interfaces.
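The DTP finding above and this Loop Guard finding both reduce to the same question, "which switchports in the configuration lack a specific interface command?", so here is one added Python example (not the report's tooling) that serves both: it splits an IOS running-config into interface blocks, then reports ports that still negotiate trunks and ports where Loop Guard is not in effect, together with the remediation commands from the two recommendations. The configuration it reads is constructed, with hypothetical interface names; one labelled assumption is that a switchport with no `switchport mode` line is in the platform's default dynamic mode.

```python
"""Audit Cisco IOS interface blocks for DTP negotiation and missing STP Loop Guard (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample configuration; interface names and descriptions are hypothetical.
SAMPLE_CONFIG = """\
hostname EXAMPLE-SW
!
interface Port-channel1
 description --- constructed uplink, trunk but still negotiating ---
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
interface GigabitEthernet1/0/1
 description constructed access port with no explicit switchport mode
 switchport access vlan 10
!
interface GigabitEthernet1/0/2
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport nonegotiate
 spanning-tree guard loop
!
interface GigabitEthernet1/0/4
 switchport mode trunk
 switchport nonegotiate
 spanning-tree guard root
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
end
"""

Finding = Tuple[str, str, List[str]]          # (interface, reason, remediation commands)
NON_SWITCHPORT_PREFIXES = ("Loopback", "Vlan", "Tunnel")


def parse_interfaces(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into top-level lines and a per-interface list of sub-commands."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
            continue
        if current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
            continue
        current = None                      # any non-indented line closes the interface block
        if line and not line.startswith("!"):
            global_lines.append(line.strip())
    return global_lines, interfaces


def is_switchport(name: str, lines: List[str]) -> bool:
    """Routed ports, SVIs, loopbacks and tunnels never run DTP or per-port STP guards."""
    return not name.startswith(NON_SWITCHPORT_PREFIXES) and "no switchport" not in lines


def check_dtp(interfaces: Dict[str, List[str]]) -> List[Finding]:
    """Switchports that will negotiate a trunk or still emit DTP frames."""
    findings: List[Finding] = []
    for name, lines in interfaces.items():
        if not is_switchport(name, lines):
            continue
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        # Assumption: no `switchport mode` line means the platform default, dynamic auto.
        if mode is None or mode == "dynamic":
            findings.append((name, f"trunk negotiation enabled (mode {mode or 'default dynamic'})",
                             ["switchport mode access", "switchport nonegotiate"]))
        elif "switchport nonegotiate" not in lines:
            findings.append((name, f"DTP frames still sent in mode {mode}",
                             ["switchport nonegotiate"]))
    return findings


def check_loop_guard(global_lines: List[str], interfaces: Dict[str, List[str]]) -> List[Finding]:
    """Switchports where Loop Guard is neither set per port nor inherited from the global default."""
    global_default = "spanning-tree loopguard default" in global_lines
    findings: List[Finding] = []
    for name, lines in interfaces.items():
        if not is_switchport(name, lines) or "spanning-tree guard loop" in lines:
            continue
        # The global default is overridden by any other per-port guard setting (root/none).
        overridden = any(l.startswith("spanning-tree guard ") for l in lines)
        if global_default and not overridden:
            continue
        findings.append((name, "STP Loop Guard not enabled", ["spanning-tree guard loop"]))
    return findings


def audit(config: str) -> Dict[str, List[Finding]]:
    global_lines, interfaces = parse_interfaces(config)
    return {"dtp": check_dtp(interfaces), "loop_guard": check_loop_guard(global_lines, interfaces)}


if __name__ == "__main__":
    for check, findings in audit(SAMPLE_CONFIG).items():
        for iface, reason, fix in findings:
            print(f"[{check}] {iface}: {reason}\n  interface {iface}\n   " + "\n   ".join(fix))
```

On the sample, the DTP check flags Port-channel1 (trunk without `nonegotiate`), GigabitEthernet1/0/1 (no explicit mode) and GigabitEthernet1/0/2 (dynamic desirable), and the Loop Guard check flags those three plus GigabitEthernet1/0/4, whose `guard root` would also override a global `spanning-tree loopguard default`; the remediation for a port that should carry a trunk is `switchport mode trunk` rather than the access mode printed here, which is the safe choice for an unknown port.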

Additional Information

TID: TNA-PRO-0017
IEEE: IEEE 802.1D, IEEE 802.1w and IEEE 802.1s
Wikipedia: https://en.wikipedia.org/wiki/Spanning_Tree_Protocol

The following findings are related to this one:

STP Not Enabled On All Interfaces (see section TNA-PRO-0016);
STP BPDU Guard Was Not Enabled (see section TNA-PRO-0015);
STP Root Guard Not Enabled (see section TNA-PRO-0019).

Low OSPF Priorities MEDIUM

Invictux Rating

Overall: Medium
Impact: High
Ease: Moderate
Fix: Planned

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Finding

OSPF is a routing protocol that can be configured to dynamically update the routing table with changes to the network topology.
Multiple routers can be configured on a network for fault tolerance; in that situation the router with the highest priority takes
precedence. Router priorities can be between 0 and 255; if set to 0, the router will not become the designated or backup
designated router. If two routers have the same priority, the router with the highest router Identifier (ID) takes precedence.

Invictux examined the OSPF routing configuration of the device to determine whether the priority had been set to 255.

The scope was further limited to those network interfaces with an enabled OSPF configuration.
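The election rules just described (priority 0 makes a router ineligible, the highest priority wins, and ties are broken by the highest router ID) are easy to get wrong when reasoning about whether setting a core device to priority 255 will actually make it the designated router. Here is an added Python example, not part of this report, that models a cold-start DR/BDR election on one broadcast segment with those rules; the router IDs and priorities in it are constructed, and the model deliberately ignores the RFC 2328 rule that an already-elected DR keeps its role when a higher-priority router later joins.

```python
"""Cold-start OSPF DR/BDR election on a broadcast segment (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class OspfRouter:
    router_id: str   # dotted-quad router ID, compared numerically
    priority: int    # 0..255; 0 means never DR/BDR


def validate(router: OspfRouter) -> OspfRouter:
    """Reject priorities outside the configurable range."""
    if not 0 <= router.priority <= 255:
        raise ValueError(f"{router.router_id}: priority {router.priority} outside 0..255")
    IPv4Address(router.router_id)   # raises on a malformed ID
    return router


def rank(routers: Iterable[OspfRouter]) -> List[OspfRouter]:
    """Eligible routers ordered best-first: highest priority, then highest router ID."""
    eligible = [validate(r) for r in routers if r.priority > 0]
    return sorted(eligible, key=lambda r: (r.priority, int(IPv4Address(r.router_id))), reverse=True)


def elect_dr_bdr(routers: Iterable[OspfRouter]) -> Tuple[Optional[OspfRouter], Optional[OspfRouter]]:
    """At cold start the first-ranked router ends up DR and the second BDR.

    With no incumbent DR, RFC 2328 elects the BDR first, promotes it to DR because no router
    claims DR, and then re-runs the BDR election; the net result is the top two of rank().
    """
    ranked = rank(routers)
    dr = ranked[0] if ranked else None
    bdr = ranked[1] if len(ranked) > 1 else None
    return dr, bdr


def becomes_dr(candidate: OspfRouter, neighbours: Iterable[OspfRouter]) -> bool:
    """Would `candidate` win the DR election against `neighbours` from a cold start?"""
    dr, _ = elect_dr_bdr([candidate, *neighbours])
    return dr == candidate


# Constructed segment: two default-priority routers, one ineligible router, one core at 255.
SEGMENT = [
    OspfRouter("10.0.0.1", 1),
    OspfRouter("10.0.0.2", 1),
    OspfRouter("10.0.0.3", 0),
    OspfRouter("10.0.0.4", 255),
]

if __name__ == "__main__":
    dr, bdr = elect_dr_bdr(SEGMENT)
    print("DR:", dr, "BDR:", bdr)
```

The `becomes_dr` helper is the check to run before committing a priority change: a core switch left at the default priority of 1 competes on router ID alone, whereas at 255 it wins against any neighbour that is not also at 255.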

JED-DC-CORE-SW.catrion.local Findings

Invictux identified the following OSPF routing configuration on JED-DC-CORE-SW.catrion.local with a priority not equal to 255:

Auth Route Hello Dead


Interface Active Passive Area Priority Type SPI Key
Mode Cost Interval Interval

0 0
Port-channel1 Yes Yes 1 Broadcast None N/A Default
seconds seconds
Auth Route Hello Dead
Interface Active Passive Area Priority Type SPI Key
Mode Cost Interval Interval

0 0
Port-channel2 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
Port-channel3 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
Port-channel4 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
Port-channel5 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
Port-channel6 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
Port-channel7 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
Port-channel8 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
Port-channel9 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
Port-channel10 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
Port-channel11 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
Port-channel12 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
Port-channel13 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
Port-channel14 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
Port-channel15 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
Port-channel16 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
Port-channel17 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
Port-channel18 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
Port-channel19 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
Port-channel20 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
Port-channel21 Yes Yes 1 Broadcast None N/A Default
seconds seconds
Auth Route Hello Dead
Interface Active Passive Area Priority Type SPI Key
Mode Cost Interval Interval

0 0
Port-channel22 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
Port-channel25 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
Port-channel26 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
Port-channel27 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
Port-channel28 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
Port-channel30 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
Port-channel31 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
Port-channel100 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
Port-channel101 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
TwentyFiveGigE1/0/1 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
TwentyFiveGigE1/0/2 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
TwentyFiveGigE1/0/3 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
TwentyFiveGigE1/0/4 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
TwentyFiveGigE1/0/5 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
TwentyFiveGigE1/0/6 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
TwentyFiveGigE1/0/7 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
TwentyFiveGigE1/0/8 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
TwentyFiveGigE1/0/9 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
TwentyFiveGigE1/0/10 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
TwentyFiveGigE1/0/11 Yes Yes 1 Broadcast None N/A Default
seconds seconds
Auth Route Hello Dead
Interface Active Passive Area Priority Type SPI Key
Mode Cost Interval Interval

0 0
TwentyFiveGigE1/0/12 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
TwentyFiveGigE1/0/13 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
TwentyFiveGigE1/0/14 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
TwentyFiveGigE1/0/15 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
TwentyFiveGigE1/0/16 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
TwentyFiveGigE1/0/17 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
TwentyFiveGigE1/0/18 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
TwentyFiveGigE1/0/19 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
TwentyFiveGigE1/0/20 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
TwentyFiveGigE1/0/21 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
TwentyFiveGigE1/0/22 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
TwentyFiveGigE1/0/23 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
TwentyFiveGigE1/0/24 Yes Yes 1 Broadcast None N/A Default
seconds seconds

0 0
TwentyFiveGigE1/0/25 Yes Yes 1 Broadcast None N/A Default
seconds seconds

Interface             Active  Passive  Area  Priority  Auth Mode  Route Cost  Hello Interval  Dead Interval  Type            SPI  Key
TwentyFiveGigE1/0/26  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE1/0/27  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE1/0/28  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE1/0/29  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE1/0/30  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE1/0/31  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE1/0/32  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE1/0/33  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE1/0/34  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE1/0/35  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE1/0/36  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE1/0/37  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE1/0/38  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE1/0/39  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE1/0/40  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE1/0/41  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE1/0/42  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE1/0/43  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE1/0/44  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE1/0/45  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE1/0/46  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE1/0/47  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE1/0/48  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/1   Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/2   Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/3   Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/4   Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/5   Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/6   Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/7   Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/8   Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/9   Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/10  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/11  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/12  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/13  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/14  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/15  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/16  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/17  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/18  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/19  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/20  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/21  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/22  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/23  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/24  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/25  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/26  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/27  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/28  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/29  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/30  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/31  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/32  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/33  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/34  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/35  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/36  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/37  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/38  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/39  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/40  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/41  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/42  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/43  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/44  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/45  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/46  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/47  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
TwentyFiveGigE2/0/48  Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
HundredGigE1/0/49     Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
HundredGigE1/0/50     Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
HundredGigE1/0/51     Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
HundredGigE1/0/52     Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
HundredGigE2/0/49     Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
HundredGigE2/0/50     Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
HundredGigE2/0/51     Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
HundredGigE2/0/52     Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
Vlan1                 Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
Vlan2                 Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
Vlan99                Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
Vlan106               Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
Vlan276               Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
Vlan302               Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
Vlan306               Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
Vlan308               Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
Vlan310               Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
Vlan312               Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
Vlan313               Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
Vlan314               Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
Vlan316               Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
Vlan317               Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
Vlan728               Yes     Yes      -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
Vlan729               Yes     Yes      -     1         None       Default     10 seconds      40 seconds     Broadcast       N/A  -
Vlan730               Yes     Yes      -     1         None       Default     10 seconds      40 seconds     Broadcast       N/A  -
Vlan1800              Yes     Yes      -     1         None       Default     10 seconds      40 seconds     Point to Point  N/A  -
Vlan874               Yes     No       -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
Vlan870               Yes     No       -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -
Vlan862               Yes     No       -     1         None       Default     0 seconds       0 seconds      Broadcast       N/A  -

Table 59: OSPF with a weak priority

Impact

An attacker who is able to participate in OSPF with the relevant authentication settings could configure a higher priority
in order to take precedence over the existing designated router. An attacker who controls a routing device would be able to:

monitor network traffic sent between network segments;
gain a list of the network addresses the router knows about;
perform a man-in-the-middle attack;
capture clear-text protocol authentication credentials;
capture encrypted authentication hashes which could be subjected to a brute-force attack;
perform a network-wide DoS;
inject route updates, which the device could redistribute to other routing devices, possibly into other routing protocols
and authentication domains.

Ease

To perform this attack, the attacker would first have to determine the existing OSPF configuration. If authentication is
in use, the attacker could extract the credentials from captured network packets; with MD5-based authentication the
attacker would have to run a dictionary or brute-force attack to recover the key. The attacker would also require access
to a network segment on which they can participate in OSPF routing: on this device that means a segment attached to one
of the interfaces Table 59 shows as non-passive (Vlan870, Vlan862 and Vlan874), since passive interfaces send no Hello
packets and form no adjacencies. The attacker could then configure their router with a higher priority in order to
perform the attack. All of the software required for each of these steps can be downloaded from the Internet.

Recommendation

Invictux recommends that an OSPF priority of 255 should be configured on the interfaces that form adjacencies. If two or
more routers are present on a segment, each of them should be configured with a high priority so that both the designated
and the backup designated router are legitimate devices. Priority is a weak control on its own, because an attacker can
match any priority value and the election then falls back to the highest router ID; it should be remediated together with
OSPF authentication (see section TNA-ROUT-0029).

Cisco IOS Information

A high OSPF priority can be configured on Cisco IOS devices with the following command in interface configuration mode:

ip ospf priority <priority-no>
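The following is an added example, not configuration taken from the audited device or from the report's own remediation
text. It applies the recommended priority to the three interfaces that Table 59 shows as non-passive (Vlan870, Vlan862
and Vlan874) and pairs it with OSPF cryptographic authentication, because priority by itself does not keep a rogue router
out of the election (see section TNA-ROUT-0029). The key-chain name OSPF-AUTH, the key number and the key string are
assumptions; the neighboring routers on each segment must carry the same chain.

```cisco
! Added example; OSPF-AUTH, key 1 and its key-string are assumed values
key chain OSPF-AUTH
 key 1
  key-string <strong-shared-secret>
  cryptographic-algorithm hmac-sha-256
!
! Only the non-passive SVIs in Table 59 form adjacencies, so only they take part in DR election
interface Vlan870
 ip ospf priority 255
 ip ospf authentication key-chain OSPF-AUTH
!
interface Vlan862
 ip ospf priority 255
 ip ospf authentication key-chain OSPF-AUTH
!
interface Vlan874
 ip ospf priority 255
 ip ospf authentication key-chain OSPF-AUTH
!
! Verification: expect "Priority 255" and a "Cryptographic authentication enabled" line per interface,
! and this switch listed as DR or BDR on each segment
show ip ospf interface Vlan870 | include Priority|authentication
show ip ospf neighbor
```

DR election is not pre-emptive: an interface that is already DROther keeps that role until the next election, so configure
both ends of each segment, then bounce the interface or clear the process in a maintenance window and confirm with
show ip ospf neighbor that adjacencies re-form before moving on to the next segment.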

Additional Information

TID: TNA-ROUT-0030
Classification: Routing
RFCs: RFC 2328, RFC 5340
Wikipedia: https://en.wikipedia.org/wiki/Open_Shortest_Path_First

The following findings are related to this one:

OSPF Routing Updates With No Authentication (see section TNA-ROUT-0029);
No OSPF LSA Thresholds (see section TNA-ROUT-0031).

Weak User Account Lockout Policy Setting LOW

Invictux Rating

Overall: Low
Impact: Medium
Ease: Easy
Fix: Quick
Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Finding

When configured, the user account lockout policy setting prevents a user account from authenticating once the user has
failed to log on the number of times defined by the threshold.

Invictux examined the device configuration to determine if the maximum number of failed login attempts was set to three or
less.

JED-DC-CORE-SW.catrion.local Findings
User Finding Status

test The device was not configured to lock the account after failed login attempts. FAIL

malmalki The device was not configured to lock the account after failed login attempts. FAIL

radelarosa The device was not configured to lock the account after failed login attempts. FAIL

msamir The device was not configured to lock the account after failed login attempts. FAIL

joey The device was not configured to lock the account after failed login attempts. FAIL

Table 60: Users on JED-DC-CORE-SW.catrion.local failed login attempt account lockout policy

Invictux reports the user maximum login attempts feature as unsupported on Cisco Catalyst Switch devices. That reflects the
audit tool's device profile rather than the platform: Cisco IOS XE on Catalyst switches can lock local accounts after a
number of failed logins (aaa local authentication attempts max-fail) and can impose a quiet period on the login process
after repeated failures (login block-for), so the control can be applied to the five local accounts in Table 60.

Impact

A malicious user, or attacker, may attempt to determine the password for a specific user account by repeatedly attempting
to log on with a different password each time. If no user account lockout policy setting has been configured then an
attacker could brute-force a password by trying every character combination until a valid password is found. If a user
account lockout policy setting has been defined, the attacker is limited to a far smaller number of guesses before the
account becomes unusable.

Ease

Brute-force and dictionary-based password guessing attacks have been widely documented on the Internet and in published
media, enabling an attacker with very little knowledge or experience to perform the attack. However, a number of factors
may discourage an attacker from performing a password guessing attack:

if a user account lockout policy setting has been configured, the user account could quickly become disabled;
device protection mechanisms may slow or disconnect connections where multiple authentication attempts are made in a
short period of time;
brute-forcing can be very time consuming, especially if the password is long or made up of various character types;
network administrators may be alerted to locked-out accounts or authentication attempts.

Recommendation

Invictux recommends that a user account lockout threshold of three should be configured in order to help prevent
unauthorized access to user accounts. A lockout that has to be cleared by an administrator is itself a DoS lever against
known usernames, so pair it with a time-limited quiet period and with logging of failed attempts.
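The report's template carries no Cisco IOS commands for this finding, so the following is an added example, not
configuration from the audited device, of how lockout can be enforced on IOS XE for the local accounts listed in
Table 60. The 300-second block, the 60-second window, the ACL name MGMT-HOSTS and its 192.0.2.0/24 addresses are
assumptions.

```cisco
! Added example; MGMT-HOSTS and the 192.0.2.0/24 addresses are assumed values
aaa new-model
!
! Lock a local account after three consecutive failed logins (the three-attempt
! threshold checked in this finding); the account stays locked until cleared
aaa local authentication attempts max-fail 3
!
! Device-wide brute-force throttle: three failures within 60 s put the login
! process into a 300 s quiet period, during which only MGMT-HOSTS may log in
ip access-list standard MGMT-HOSTS
 permit 192.0.2.10
 permit 192.0.2.11
login block-for 300 attempts 3 within 60
login quiet-mode access-class MGMT-HOSTS
login on-failure log
login on-success log
!
! Verification and recovery
show login
show aaa local user lockout
clear aaa local user lockout username malmalki
```

The max-fail lockout applies only to locally defined users; accounts authenticated through TACACS+ or RADIUS are locked
by the AAA server's own policy. The login block-for quiet period protects the device as a whole, which is why the
management hosts are exempted: without that access class an attacker who keeps failing logins can keep administrators
out too.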

Additional Information

TID: TNA-ATH-0010
Classification: Authentication

The following findings are related to this one:

Weak Password Age Policy Setting (see section TNA-ATH-0018);
Weak Minimum Password Length Policy Setting (see section TNA-ATH-0020);
Weak Lowercase Password Character Policy Setting (see section TNA-ATH-0027);
Weak Uppercase Password Character Policy Setting (see section TNA-ATH-0030);
Weak Numbers Password Character Policy Setting (see section TNA-ATH-0028);
Weak Specials Password Character Policy Setting (see section TNA-ATH-0029).

No OSPF LSA Thresholds LOW

Invictux Rating

Overall: Low
Impact: Medium
Ease: Moderate
Fix: Planned

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Finding

OSPF is a routing protocol that dynamically updates the routing table with changes to the network topology. OSPF uses
Link State Advertisements (LSAs) to communicate changes to other routers and to update the router's own Link State
Database (LSDB). Devices can be configured with an LSA threshold in order to limit the number of non-self-generated LSAs
the device will hold.

Invictux examined the OSPF routing configuration to determine whether a maximum LSA limit had been configured.

JED-DC-CORE-SW.catrion.local Findings

Invictux identified two OSPF configurations with no maximum LSA configured on JED-DC-CORE-SW.catrion.local. These
are listed in the table below.

Process Name  Router ID  IPv6  Maximum LSA
3             -          No    0
2             -          No    0

Table 61: OSPF maximum LSA limit

Impact

An attacker who can form an adjacency, or a misconfigured or faulty neighbor, may be able to perform an OSPF DoS by flooding
the device with LSAs until the LSDB exhausts memory or CPU. The missing OSPF authentication (see section TNA-ROUT-0029)
makes forming that adjacency easier.

Ease

Tools can be downloaded from the Internet that can be used to perform a DoS by flooding the device with LSA messages.

Recommendation

Invictux recommends that the number of OSPF LSAs accepted by the device should be limited. The limit must be set above the
legitimate size of the link state database, because on Cisco IOS exceeding it takes the OSPF process into an ignore state
that drops all adjacencies unless the warning-only option is used.

Cisco IOS Information

The number of non-self-generated OSPF LSAs can be limited on Cisco IOS devices with the following command in router
configuration mode:

max-lsa <maximum-number> [<threshold-percentage>] [warning-only] [ignore-time <minutes>] [ignore-count <count>] [reset-time <minutes>]
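An added example, not taken from the audited configuration, for the two processes in Table 61. The ceiling of 12000 LSAs
is an assumption; the timers are the IOS defaults written out explicitly. Size the limit from the live database before
enforcing it.

```cisco
! Added example; 12000 is an assumed ceiling, the timers are the IOS defaults
! Sizing step: how many non-self-generated LSAs does each process hold today?
show ip ospf database database-summary
!
router ospf 2
 ! Log at 75 % of the limit; above it, drop adjacencies for 5 minutes, up to 5 times
 max-lsa 12000 75 ignore-time 5 ignore-count 5 reset-time 10
router ospf 3
 max-lsa 12000 75 ignore-time 5 ignore-count 5 reset-time 10
!
! Verification: each process reports the configured limit and its current count
show ip ospf | include Maximum number of non self-generated LSA|Current number of non self-generated LSA
```

While tuning, use the form max-lsa 12000 warning-only so that crossing the ceiling only produces a syslog message; the
enforcing form shown above shuts the process down for the ignore-time, which is the very outage the attacker is after if
the limit sits below the legitimate LSA count. The figure from show ip ospf database database-summary, with headroom for
growth, is the number to set.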

Additional Information

TID: TNA-ROUT-0031
Classification: Routing
RFCs: RFC 2328, RFC 5340
Wikipedia: https://en.wikipedia.org/wiki/Open_Shortest_Path_First

The following findings are related to this one:

OSPF Routing Updates With No Authentication (see section TNA-ROUT-0029);
Low OSPF Priorities (see section TNA-ROUT-0030).

No SNMP TFTP Server Access List Configured LOW

Invictux Rating
Overall: Low
Impact: Medium
Ease: Moderate
Fix: Quick

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Finding

Using Simple Network Management Protocol (SNMP), some network devices can be instructed to send their configuration to a
file on a specified Trivial File Transfer Protocol (TFTP) server. This feature enables network administrators and
management software to quickly obtain a copy of a device's configuration. A network access list can be configured on those
devices to restrict which TFTP servers may be used as the destination (supported on Cisco IOS devices from version 10.2).

Invictux examined the device configuration to determine if a TFTP server Access Control List (ACL) had been configured to
restrict the SNMP service's TFTP access to specific hosts.

JED-DC-CORE-SW.catrion.local Findings

Invictux determined that there was no TFTP server ACL configured on JED-DC-CORE-SW.catrion.local to restrict the
SNMP service access.

Impact

An attacker who had SNMP write access could remotely obtain a copy of the device's configuration. The configuration
includes any passwords for the device and the configuration of the administrative services. The TFTP server list limits
where a copy can be sent, but it does not remove the write access itself: an attacker with a read-write community string
can still change the running configuration through SNMP, so the ACL is a containment measure rather than a substitute for
SNMPv3 with authentication and privacy and a read-write view restricted by its own access list.

Ease

For an attacker to exploit this issue they would require SNMP query tools, a TFTP server and a community string with write
access to the SNMP Management Information Base (MIB). SNMP query tools and TFTP server software can be downloaded from the
Internet and some Operating Systems (OS) install them by default. If the attacker does not know the community string it
may be possible to determine it by monitoring the network traffic (SNMPv1 and SNMPv2c carry it in clear text) or by
brute-forcing the community string.

Recommendation

Invictux recommends that an SNMP TFTP server list ACL should be configured to ensure that configurations are only saved
to specific hosts.

Cisco IOS Information

The following example configures ACL number 20 for use as the SNMP TFTP server list and permits a single host with
logging. Standard IOS access lists take a wildcard mask rather than a subnet mask, so a mask of 255.255.255.255 would
match every address; the host keyword (equivalent to a wildcard of 0.0.0.0) restricts the entry to one host.

access-list 20 permit host 192.168.0.50 log
access-list 20 deny any log

The ACL can then be assigned as the SNMP TFTP server list with the following command:

snmp-server tftp-server-list 20

Additional Information

TID: TNA-SNMP-0011
Classification: Administration, Filtering
RFCs: RFC 1157, RFC 3416, RFC 1350
Wikipedia: https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol,
https://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol

NTP Authentication Was Disabled LOW

Invictux Rating

Overall: Low
Impact: Low
Ease: Trivial
Fix: Planned

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Finding

Accurate time on network devices matters not only for the services that depend on it but also for the reliable logging
and correlation of events, so network devices are configured to synchronize their clocks against a network time source.

Network Time Protocol (NTP) (described in RFC 5905) is a complex time synchronization protocol with a number of different
features and options, including authentication of time updates.

Invictux examined the device configuration to determine if NTP authentication was enabled.

JED-DC-CORE-SW.catrion.local Findings

Invictux determined that NTP client authentication was disabled on JED-DC-CORE-SW.catrion.local.

Impact

If an attacker is able to modify a device's time with an inaccurate time update then it becomes more difficult during an
investigation to correlate the system logs. Furthermore, any systems that depend on accurate time, such as certificate
validation and some authentication systems, could be disrupted and potentially suffer a DoS.

Ease

With NTP authentication disabled, an attacker could attempt to change the time by sending malicious time updates, either
with open-source NTP tooling or with customized packets that spoof the source address of the configured time server.

Recommendation

Invictux recommends that NTP time authentication should be enabled.

Cisco IOS Information


Authenticated NTP time updates can be configured on Cisco IOS devices with the following commands. The trusted-key entry
is required: without it the device accepts the key in its configuration but will not synchronize with a server that signs
with it.

ntp authenticate
ntp authentication-key <key-num> md5 <key-string>
ntp trusted-key <key-num>
ntp server <ip-address> key <key-num> [prefer]

If access restrictions are in place, ensure that time synchronization with the configured servers is still allowed with the
following command:

ntp access-group peer <acl>
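As an added example that is not configuration from the audited device, the full sequence with an access list that limits
time sources to the configured servers and the checks that confirm authenticated synchronization. The server addresses
192.0.2.123 and 192.0.2.124, key number 10 and the ACL name NTP-SERVERS are assumptions.

```cisco
! Added example; 192.0.2.123, 192.0.2.124, key 10 and NTP-SERVERS are assumed values
ntp authentication-key 10 md5 <key-string>
ntp trusted-key 10
ntp authenticate
ntp server 192.0.2.123 key 10 prefer
ntp server 192.0.2.124 key 10
!
! Once any ntp access-group exists, sources that match no group are dropped, so this
! single "peer" group both admits the two servers and denies every other source
ip access-list standard NTP-SERVERS
 permit 192.0.2.123
 permit 192.0.2.124
ntp access-group peer NTP-SERVERS
!
! Verification: the selected server must show "authenticated"; with a key mismatch the
! association is listed but the clock never reaches "synchronized"
show ntp associations detail | include authenticated
show ntp status
```

Both servers use the same key here so that failover between them needs no key change; rotate the key by adding a second
authentication-key and trusted-key before removing the old one. Newer IOS XE releases also accept hmac-sha2-256 in place
of md5 for the key algorithm; use it where the release and the time servers support it.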

Additional Information

TID: TNA-TME-0002
Classification: Authentication
RFCs: RFC 1305, RFC 5905
Wikipedia: https://en.wikipedia.org/wiki/Network_Time_Protocol

The BOOTP Service Was Not Disabled LOW

Invictux Rating

Overall: Low
Impact: Low
Ease: Easy
Fix: Quick

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Finding

BOOTstrap Protocol (BOOTP) (described in RFC 951) is a datagram protocol that enables compatible hosts to load their
operating system over the network from a BOOTP server. BOOTP services are rarely used today.

Invictux examined the device configuration to determine if the BOOTP service had been disabled. Not all device models
support the BOOTP service, so on models that do not this finding may be a false positive.

JED-DC-CORE-SW.catrion.local Findings

Invictux determined that the BOOTP service was enabled on JED-DC-CORE-SW.catrion.local.

Impact

An attacker could use a device that offers a BOOTP service to download a copy of the device's OS software.

Ease

Tools that can interact with BOOTP services can be downloaded from the Internet.

Recommendation

Invictux recommends that, if not required, the BOOTP service should be disabled.

Cisco IOS Information

The BOOTP service can be disabled using one of the following commands. The first makes the device's DHCP server ignore
BOOTP requests; the second disables the BOOTP server itself and is the one to use when the device does not serve DHCP:

ip dhcp bootp ignore
no ip bootp server

Additional Information
TID: TNA-ADM-0002
Classification: Administration
RFCs: RFC 951
Wikipedia: https://en.wikipedia.org/wiki/Bootstrap_Protocol

Weak Password Age Policy Setting LOW

Invictux Rating

Overall: Low
Impact: Low
Ease: Easy
Fix: Quick

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Finding

The password age policy setting determines how much time can pass before a user is forced to change their password. The
more frequently a password is changed, the smaller the window an attacker has if they have obtained a list of compromised
user credentials. However, it is important to balance the frequency of password changes with people's ability to remember
the modified credentials. If passwords are changed too frequently then users may resort to writing their passwords down,
opening themselves up to an alternative attack vector.

Invictux examined the device configuration to determine if the maximum password age policy setting was configured to be 60
days or less.

JED-DC-CORE-SW.catrion.local Findings

User Finding Status

test There was no policy applied to the user. FAIL

malmalki There was no policy applied to the user. FAIL

radelarosa There was no policy applied to the user. FAIL

msamir There was no policy applied to the user. FAIL

joey There was no policy applied to the user. FAIL

Table 62: Users on JED-DC-CORE-SW.catrion.local maximum password age policy

Impact
Strong authentication credentials are a key component of a system's security. It is therefore important that a user chooses
a strong password and that it is changed on a regular basis.

The younger a password's age, the better for security, for a number of reasons. For example, given enough time it may be
possible for an attacker who has captured encrypted network traffic to decrypt it and identify the user's authentication
credentials. Over time any password is likely to be used in, and be present in, a greater number of locations, such as
other devices, system backups and temporary files. It is also possible that over a period of time a password becomes known
to co-workers or passers-by through casual or intentional shoulder surfing.

Ease

A malicious user, or attacker, who has gained access to a password would have a far greater chance of the password continuing to
work in the future if the device does not enforce a maximum password age.

Recommendation

Invictux recommends that a user password age policy setting of 60 days should be configured.

Additional Information

TID: TNA-ATH-0018
Classification: Authentication

The following findings are related to this one:

Weak User Account Lockout Policy Setting (see section TNA-ATH-0010);
Weak Minimum Password Length Policy Setting (see section TNA-ATH-0020);
Weak Lowercase Password Character Policy Setting (see section TNA-ATH-0027);
Weak Uppercase Password Character Policy Setting (see section TNA-ATH-0030);
Weak Numbers Password Character Policy Setting (see section TNA-ATH-0028);
Weak Specials Password Character Policy Setting (see section TNA-ATH-0029).

Weak Minimum Password Length Policy Setting LOW

Invictux Rating

Overall: Low
Impact: Low
Ease: Easy
Fix: Quick

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local


Finding

The minimum password length policy setting forces users to set passwords that are at least the specified number of
characters in length. Generally, the longer the password and the more character types it combines, the stronger it is.

Invictux examined the device configuration to determine if the minimum password length policy setting was configured to be
ten characters or more.

JED-DC-CORE-SW.catrion.local Findings

User        Finding                                                                                                          Status
test        There was no policy applied to the user and the device was configured to require a minimum password length      FAIL
            of six characters.
malmalki    There was no policy applied to the user and the device was configured to require a minimum password length      FAIL
            of six characters.
radelarosa  There was no policy applied to the user and the device was configured to require a minimum password length      FAIL
            of six characters.
msamir      There was no policy applied to the user and the device was configured to require a minimum password length      FAIL
            of six characters.
joey        There was no policy applied to the user and the device was configured to require a minimum password length      FAIL
            of six characters.

Table 63: Users on JED-DC-CORE-SW.catrion.local minimum password length policy

Impact

Strong authentication credentials are a key component of a system's security. It is therefore important that a user chooses
a strong password and that it is changed on a regular basis. Generally, the greater the number of characters within a
password the stronger the password will be. With a short minimum password length configured a user could set a short
password, requiring less time for an attacker to brute-force the authentication password.

Ease

It takes far less time for an attacker to brute-force the authentication credentials for a user account that has a short password.

Recommendation

Invictux recommends that a minimum password length policy setting of ten characters should be configured.

Cisco IOS Information


A minimum length for all local passwords can be configured with the following command:

security passwords min-length <length>

A minimum length can also be set in a common-criteria password policy, which is then bound to each user account. The
policy is a configuration sub-mode, so min-length is entered beneath it rather than on the same line:

aaa common-criteria policy <policy-name>
 min-length <length>
username <name> common-criteria-policy <policy-name> password <password>

Additional Information

TID: TNA-ATH-0020
Classification: Authentication

The following findings are related to this one:

Weak User Account Lockout Policy Setting (see section TNA-ATH-0010);
Weak Password Age Policy Setting (see section TNA-ATH-0018);
Weak Lowercase Password Character Policy Setting (see section TNA-ATH-0027);
Weak Uppercase Password Character Policy Setting (see section TNA-ATH-0030);
Weak Numbers Password Character Policy Setting (see section TNA-ATH-0028);
Weak Specials Password Character Policy Setting (see section TNA-ATH-0029).

Weak Lowercase Password Character Policy Setting LOW

Invictux Rating

Overall: Low
Impact: Low
Ease: Easy
Fix: Quick

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Finding

Password composition policy options are designed to enforce strong password choices: when a user sets a password it is
compared to the specified criteria and either accepted or rejected. When the lowercase password character policy setting
is enabled, the device rejects any new password that does not contain the required number of lowercase characters.

Invictux examined the device configuration to determine if the lowercase characters password policy setting was configured
to require at least eight lowercase characters.

JED-DC-CORE-SW.catrion.local Findings
User Finding Status

test There was no policy applied to the user. FAIL

malmalki There was no policy applied to the user. FAIL

radelarosa There was no policy applied to the user. FAIL

msamir There was no policy applied to the user. FAIL

joey There was no policy applied to the user. FAIL

Table 64: Users on JED-DC-CORE-SW.catrion.local minimum lowercase password characters policy

Impact

Strong authentication credentials are a key component of a system's security. It is therefore important that a user chooses
a strong password and that it is changed on a regular basis. If the password complexity policy setting is disabled, the
device will not check that the user's password is sufficiently complex, allowing a user to set a simple password made up of
few character types.

Ease

It takes far less time for an attacker to brute-force the authentication credentials of a user account whose password is
not made up of different character types.

Recommendation

Invictux recommends that the password policy should be reconfigured to require passwords to include lowercase characters.

Additional Information

TID: TNA-ATH-0027
Classification: Authentication

The following findings are related to this one:

Weak User Account Lockout Policy Setting (see section TNA-ATH-0010);
Weak Password Age Policy Setting (see section TNA-ATH-0018);
Weak Minimum Password Length Policy Setting (see section TNA-ATH-0020);
Weak Uppercase Password Character Policy Setting (see section TNA-ATH-0030);
Weak Numbers Password Character Policy Setting (see section TNA-ATH-0028);
Weak Specials Password Character Policy Setting (see section TNA-ATH-0029).

Weak Uppercase Password Character Policy Setting LOW

Invictux Rating
Overall: Low
Impact: Low
Ease: Easy
Fix: Quick

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Finding

Password composition policy options are designed to enforce strong password choices: when a user sets a password it is
compared to the specified criteria and either accepted or rejected. When the uppercase password character policy setting
is enabled, the device rejects any new password that does not contain the required number of uppercase characters.

Invictux examined the device configuration to determine if the uppercase characters password policy setting was configured
to require at least eight uppercase characters.

JED-DC-CORE-SW.catrion.local Findings

User Finding Status

test There was no policy applied to the user. FAIL

malmalki There was no policy applied to the user. FAIL

radelarosa There was no policy applied to the user. FAIL

msamir There was no policy applied to the user. FAIL

joey There was no policy applied to the user. FAIL

Table 65: Users on JED-DC-CORE-SW.catrion.local minimum uppercase password characters policy

Impact

Strong authentication credentials are a key component of a system's security. It is therefore important that a user chooses
a strong password and that it is changed on a regular basis. If the password complexity policy setting is disabled, the
device will not check that the user's password is sufficiently complex, allowing a user to set a simple password made up of
few character types.

Ease

It takes far less time for an attacker to brute-force the authentication credentials of a user account whose password is
not made up of different character types.

Recommendation

Invictux recommends that the password policy should be reconfigured to require passwords to include uppercase characters.

Additional Information

TID: TNA-ATH-0030
Classification: Authentication

The following findings are related to this one:

Weak User Account Lockout Policy Setting (see section TNA-ATH-0010);
Weak Password Age Policy Setting (see section TNA-ATH-0018);
Weak Minimum Password Length Policy Setting (see section TNA-ATH-0020);
Weak Lowercase Password Character Policy Setting (see section TNA-ATH-0027);
Weak Numbers Password Character Policy Setting (see section TNA-ATH-0028);
Weak Specials Password Character Policy Setting (see section TNA-ATH-0029).

Weak Numbers Password Character Policy Setting LOW

Invictux Rating

Overall: Low
Impact: Low
Ease: Easy
Fix: Quick

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Finding

Password composition policy options are designed to enforce strong password choices: when a user sets a password it is
compared to the specified criteria and either accepted or rejected. When the numeric password character policy setting is
enabled, the device rejects any new password that does not contain the required number of numeric characters.

Invictux examined the device configuration to determine if the numeric character password policy setting was configured to
require at least eight numeric characters.

JED-DC-CORE-SW.catrion.local Findings
User Finding Status

test There was no policy applied to the user. FAIL

malmalki There was no policy applied to the user. FAIL

radelarosa There was no policy applied to the user. FAIL

msamir There was no policy applied to the user. FAIL

joey There was no policy applied to the user. FAIL

Table 66: Users on JED-DC-CORE-SW.catrion.local minimum numerical password characters policy

Impact

Strong authentication credentials are a key component of a system's security. It is therefore important that a user chooses
a strong password and that it is changed on a regular basis. If the password complexity policy setting is disabled, the
device will not check that the user's password is sufficiently complex, allowing a user to set a simple password made up of
few character types.

Ease

It takes far less time for an attacker to brute-force the authentication credentials of a user account whose password is
not made up of different character types.

Recommendation

Invictux recommends that the password policy should be reconfigured to require passwords to include numerical characters.

Additional Information

TID: TNA-ATH-0028
Classification: Authentication

The following findings are related to this one:

Weak User Account Lockout Policy Setting (see section TNA-ATH-0010);
Weak Password Age Policy Setting (see section TNA-ATH-0018);
Weak Minimum Password Length Policy Setting (see section TNA-ATH-0020);
Weak Lowercase Password Character Policy Setting (see section TNA-ATH-0027);
Weak Uppercase Password Character Policy Setting (see section TNA-ATH-0030);
Weak Specials Password Character Policy Setting (see section TNA-ATH-0029).

Weak Specials Password Character Policy Setting LOW

Invictux Rating
Overall: Low
Impact: Low
Ease: Easy
Fix: Quick

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Finding

Password composition policy options are designed to enforce the use of strong password choices by a user: when a user sets a
password it is compared against the specified criteria and either accepted or rejected. When the special password character
policy setting is enabled, the device ensures that any password a user sets contains special (punctuation) characters; otherwise the
password is rejected.

Invictux examined the device configuration to determine if the special (punctuation) character password policy setting was
configured to require at least eight special characters.

JED-DC-CORE-SW.catrion.local Findings

User Finding Status

test There was no policy applied to the user. FAIL

malmalki There was no policy applied to the user. FAIL

radelarosa There was no policy applied to the user. FAIL

msamir There was no policy applied to the user. FAIL

joey There was no policy applied to the user. FAIL

Table 67: Users on JED-DC-CORE-SW.catrion.local minimum special password characters policy

Impact

Strong authentication credentials are a key component of a system's security. It is therefore important that a user chooses a strong
password and that it is changed on a regular basis. If the password complexity policy setting is disabled, the device will not check
that the user's password is sufficiently complex, allowing a user to set a simple password made up of few character
types.

Ease

It takes far less time for an attacker to brute-force the authentication credentials of a user account whose password is not made up
of different character types.

Recommendation

Invictux recommends that the password policy should be reconfigured to require passwords to include special characters, such
as punctuation.

Additional Information

TID: TNA-ATH-0029
Classification: Authentication

The following findings are related to this one:

Weak User Account Lockout Policy Setting (see section TNA-ATH-0010);
Weak Password Age Policy Setting (see section TNA-ATH-0018);
Weak Minimum Password Length Policy Setting (see section TNA-ATH-0020);
Weak Lowercase Password Character Policy Setting (see section TNA-ATH-0027);
Weak Uppercase Password Character Policy Setting (see section TNA-ATH-0030);
Weak Numbers Password Character Policy Setting (see section TNA-ATH-0028).

Switch Port Security Disabled LOW

Invictux Rating

Overall: Low
Impact: Low
Ease: Moderate
Fix: Planned

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Finding

Switch port security is used to monitor and restrict the number of network devices that can be connected to a single switch port.
The switch does this by monitoring the MAC addresses that originate from the switch port. The permitted MAC addresses can either
be specified for a particular switch port or dynamically learned, which significantly reduces the administrative overhead. When the
permitted number of MAC addresses connected to a single switch port is exceeded, a number of different actions can be performed,
such as disabling the switch port.

Invictux examined the device configuration to determine whether all interfaces have port security, or IEEE 802.1x port
authentication, enabled.

JED-DC-CORE-SW.catrion.local Findings
Invictux identified the following 134 interfaces on JED-DC-CORE-SW.catrion.local that did not have port security enabled
and did not have IEEE 802.1x port authentication enabled.

Interface              Active  Security  Aging  Max Age  Sticky MAC  MAC Type  Description
Port-channel1          Yes     Off       N/A    N/A      N/A         N/A       --- Uplink Port - Sophos Perimeter FW1 ---
Port-channel2          Yes     Off       N/A    N/A      N/A         N/A       --- Uplink Port - Sophos Perimeter FW2 ---
Port-channel3          Yes     Off       N/A    N/A      N/A         N/A       --- Uplink Port - Sophos B2B (XGS 2100) FW1 ---
Port-channel4          Yes     Off       N/A    N/A      N/A         N/A       --- Uplink Port - Sophos B2B (XGS 2100) FW2 ---
Port-channel5          Yes     Off       N/A    N/A      N/A         N/A       --- Uplink Port - Sophos Primary FW1 XGS 4500 ---
Port-channel6          Yes     Off       N/A    N/A      N/A         N/A       --- Uplink Port - Sophos Primary FW1 XGS 4500 ---
Port-channel7          Yes     Off       N/A    N/A      N/A         N/A       --- Uplink Port - Sophos Primary FW2 XGS 4500 ---
Port-channel8          Yes     Off       N/A    N/A      N/A         N/A       --- Uplink Port - Sophos Primary FW2 XGS 4500 ---
Port-channel9          Yes     Off       N/A    N/A      N/A         N/A       --- Uplink Port - Sophos B2B (XGS 2100) FW1 ---
Port-channel10         Yes     Off       N/A    N/A      N/A         N/A       --- Uplink Port - Sophos B2B (XGS 2100) FW2 ---
Port-channel11         Yes     Off       N/A    N/A      N/A         N/A       --- Connected to NAC-EM-(Enterprise-Manager) ---
Port-channel12         Yes     Off       N/A    N/A      N/A         N/A       --- Connected to nac-jed-SPAN ---
Port-channel13         Yes     Off       N/A    N/A      N/A         N/A       --- Connected to nac-jed ---
Port-channel14         Yes     Off       N/A    N/A      N/A         N/A       --- Connected to LAN-870-Infra-SIEM-Server-1 ---
Port-channel15         Yes     Off       N/A    N/A      N/A         N/A       --- Connected to LAN-870-Infra-SIEM-Server-2 ---
Port-channel16         Yes     Off       N/A    N/A      N/A         N/A       --- Connected to LAN-870-Infra-SIEM-Server-3 ---
Port-channel17         Yes     Off       N/A    N/A      N/A         N/A       --- Connected to JED-SIEMXM1 ---
Port-channel18         Yes     Off       N/A    N/A      N/A         N/A       --- Connected to jed-siempdih1 ---
Port-channel19         Yes     Off       N/A    N/A      N/A         N/A       --- Connected to Aruba-Controller-1 ---
Port-channel20         Yes     Off       N/A    N/A      N/A         N/A       --- Connected to Aruba-Controller-2 ---
Port-channel21         Yes     Off       N/A    N/A      N/A         N/A       --- Connected to Aruba-Controller-3 ---
Port-channel22         Yes     Off       N/A    N/A      N/A         N/A       --- Connected to Aruba-Conductor ---
Port-channel25         Yes     Off       N/A    N/A      N/A         N/A       --- Connected to Jed-CS-MISC ---
Port-channel26         Yes     Off       N/A    N/A      N/A         N/A       --- Connected to WAN-Server ---
Port-channel27         Yes     Off       N/A    N/A      N/A         N/A       --- Connected to JEDGIGMON ---
Port-channel28         Yes     Off       N/A    N/A      N/A         N/A       --- Core Switch Extension Catalyst 9200L 24-port PoE+ x 2 for system with 1GB-TX interface ---
Port-channel30         Yes     Off       N/A    N/A      N/A         N/A       --- Connected to JED-CORE-MGM-SW1 ---
Port-channel31         Yes     Off       N/A    N/A      N/A         N/A       --- Connected to JED-DC-ISP-SW ---
Port-channel100        Yes     Off       N/A    N/A      N/A         N/A       --- Uplink Port - Distribution Switch ---
Port-channel101        Yes     Off       N/A    N/A      N/A         N/A       --- Uplink Port - Service Switch ---
TwentyFiveGigE1/0/1    Yes     Off       N/A    N/A      N/A         N/A       --- Uplink Port - Sophos Perimeter FW1 ---
TwentyFiveGigE1/0/2    Yes     Off       N/A    N/A      N/A         N/A       --- Uplink Port - Sophos Perimeter FW2 ---
TwentyFiveGigE1/0/3    Yes     Off       N/A    N/A      N/A         N/A       --- Uplink Port - Sophos B2B (XGS 2100) FW1 ---
TwentyFiveGigE1/0/4    Yes     Off       N/A    N/A      N/A         N/A       --- Uplink Port - Sophos B2B (XGS 2100) FW2 ---
TwentyFiveGigE1/0/5    Yes     Off       N/A    N/A      N/A         N/A       --- Uplink Port - Sophos Primary FW1 XGS 4500 ---
TwentyFiveGigE1/0/6    Yes     Off       N/A    N/A      N/A         N/A       --- Uplink Port - Sophos Primary FW1 XGS 4500 ---
TwentyFiveGigE1/0/7    Yes     Off       N/A    N/A      N/A         N/A       --- Uplink Port - Sophos Primary FW2 XGS 4500 ---
TwentyFiveGigE1/0/8    Yes     Off       N/A    N/A      N/A         N/A       --- Uplink Port - Sophos Primary FW2 XGS 4500 ---
TwentyFiveGigE1/0/9    Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE1/0/10   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE1/0/11   Yes     Off       N/A    N/A      N/A         N/A       --- Old Sophos B2B 3100 - Temp ---
TwentyFiveGigE1/0/12   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE1/0/13   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE1/0/14   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE1/0/15   Yes     Off       N/A    N/A      N/A         N/A       --- LAN Probe - Blue Moon ---
TwentyFiveGigE1/0/16   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE1/0/17   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE1/0/18   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE1/0/19   Yes     Off       N/A    N/A      N/A         N/A       --- Connected to Aruba-Controller-1 ---
TwentyFiveGigE1/0/20   Yes     Off       N/A    N/A      N/A         N/A       --- Connected to Aruba-Controller-2 ---
TwentyFiveGigE1/0/21   Yes     Off       N/A    N/A      N/A         N/A       --- Connected to AlFurfan-Aruba-Controller-3 ---
TwentyFiveGigE1/0/22   Yes     Off       N/A    N/A      N/A         N/A       --- Connected to Aruba-Conductor ---
TwentyFiveGigE1/0/23   Yes     Off       N/A    N/A      N/A         N/A       --- Jed-CS-CL01-ESXi02 ---
TwentyFiveGigE1/0/24   Yes     Off       N/A    N/A      N/A         N/A       --- Jed-CS-CL01-ESXi03 ---
TwentyFiveGigE1/0/25   Yes     Off       N/A    N/A      N/A         N/A       --- Jed-CS-MISC ---
TwentyFiveGigE1/0/26   Yes     Off       N/A    N/A      N/A         N/A       --- Connected to WAN-Server ---
TwentyFiveGigE1/0/27   Yes     Off       N/A    N/A      N/A         N/A       --- Connected to JEDGIGMON ---
TwentyFiveGigE1/0/28   Yes     Off       N/A    N/A      N/A         N/A       --- Core Switch Extension Catalyst 9200L 24-port PoE+ x 2 for system with 1GB-TX interface ---
TwentyFiveGigE1/0/29   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE1/0/30   Yes     Off       N/A    N/A      N/A         N/A       --- Connected to JED-CORE-MGM-SW1 ---
TwentyFiveGigE1/0/31   Yes     Off       N/A    N/A      N/A         N/A       --- Connected to JED-DC-ISP-SW ---
TwentyFiveGigE1/0/32   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE1/0/33   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE1/0/34   Yes     Off       N/A    N/A      N/A         N/A       --- Uplink Port - Distribution Switch ---
TwentyFiveGigE1/0/35   Yes     Off       N/A    N/A      N/A         N/A       --- Uplink Port - Distribution Switch ---
TwentyFiveGigE1/0/36   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE1/0/37   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE1/0/38   Yes     Off       N/A    N/A      N/A         N/A       --- Uplink Port - Service Switch ---
TwentyFiveGigE1/0/39   Yes     Off       N/A    N/A      N/A         N/A       --- Uplink Port - Service Switch ---
TwentyFiveGigE1/0/40   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE1/0/41   Yes     Off       N/A    N/A      N/A         N/A       --- MICROWAVE-AMAZNET-ISP-SW ---
TwentyFiveGigE1/0/42   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE1/0/43   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE1/0/44   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE1/0/45   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE1/0/46   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE1/0/47   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE1/0/48   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE2/0/1    Yes     Off       N/A    N/A      N/A         N/A       --- Uplink Port - Sophos Perimeter FW1 ---
TwentyFiveGigE2/0/2    Yes     Off       N/A    N/A      N/A         N/A       --- Uplink Port - Sophos Perimeter FW2 ---
TwentyFiveGigE2/0/3    Yes     Off       N/A    N/A      N/A         N/A       --- Uplink Port - Sophos B2B (XGS 2100) FW1 ---
TwentyFiveGigE2/0/4    Yes     Off       N/A    N/A      N/A         N/A       --- Uplink Port - Sophos B2B (XGS 2100) FW2 ---
TwentyFiveGigE2/0/5    Yes     Off       N/A    N/A      N/A         N/A       --- Uplink Port - Sophos Primary FW1 XGS 4500 ---
TwentyFiveGigE2/0/6    Yes     Off       N/A    N/A      N/A         N/A       --- Uplink Port - Sophos Primary FW1 XGS 4500 ---
TwentyFiveGigE2/0/7    Yes     Off       N/A    N/A      N/A         N/A       --- Uplink Port - Sophos Primary FW2 XGS 4500 ---
TwentyFiveGigE2/0/8    Yes     Off       N/A    N/A      N/A         N/A       --- Uplink Port - Sophos Primary FW2 XGS 4500 ---
TwentyFiveGigE2/0/9    Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE2/0/10   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE2/0/11   Yes     Off       N/A    N/A      N/A         N/A       --- Old Sophos B2B 3100 - Temp ---
TwentyFiveGigE2/0/12   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE2/0/13   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE2/0/14   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE2/0/15   Yes     Off       N/A    N/A      N/A         N/A       --- LAN Probe - Blue Moon ---
TwentyFiveGigE2/0/16   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE2/0/17   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE2/0/18   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE2/0/19   Yes     Off       N/A    N/A      N/A         N/A       --- Connected to Aruba-Controller-1 ---
TwentyFiveGigE2/0/20   Yes     Off       N/A    N/A      N/A         N/A       --- Connected to Aruba-Controller-2 ---
TwentyFiveGigE2/0/21   Yes     Off       N/A    N/A      N/A         N/A       --- Connected to AlFurfan-Aruba-Controller-3 ---
TwentyFiveGigE2/0/22   Yes     Off       N/A    N/A      N/A         N/A       --- Connected to Aruba-Conductor ---
TwentyFiveGigE2/0/23   Yes     Off       N/A    N/A      N/A         N/A       --- Jed-CS-CL01-ESXi02 ---
TwentyFiveGigE2/0/24   Yes     Off       N/A    N/A      N/A         N/A       --- Jed-CS-CL01-ESXi03 ---
TwentyFiveGigE2/0/25   Yes     Off       N/A    N/A      N/A         N/A       --- Jed-CS-MISC ---
TwentyFiveGigE2/0/26   Yes     Off       N/A    N/A      N/A         N/A       --- Connected to WAN-Server ---
TwentyFiveGigE2/0/27   Yes     Off       N/A    N/A      N/A         N/A       --- Connected to JEDGIGMON ---
TwentyFiveGigE2/0/28   Yes     Off       N/A    N/A      N/A         N/A       --- Core Switch Extension Catalyst 9200L 24-port PoE+ x 2 for system with 1GB-TX interface ---
TwentyFiveGigE2/0/29   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE2/0/30   Yes     Off       N/A    N/A      N/A         N/A       --- Connected to JED-CORE-MGM-SW1 ---
TwentyFiveGigE2/0/31   Yes     Off       N/A    N/A      N/A         N/A       --- Connected to JED-DC-ISP-SW ---
TwentyFiveGigE2/0/32   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE2/0/33   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE2/0/34   Yes     Off       N/A    N/A      N/A         N/A       --- Uplink Port - Distribution Switch ---
TwentyFiveGigE2/0/35   Yes     Off       N/A    N/A      N/A         N/A       --- Uplink Port - Distribution Switch ---
TwentyFiveGigE2/0/36   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE2/0/37   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE2/0/38   Yes     Off       N/A    N/A      N/A         N/A       --- Uplink Port - Service Switch ---
TwentyFiveGigE2/0/39   Yes     Off       N/A    N/A      N/A         N/A       --- Uplink Port - Service Switch ---
TwentyFiveGigE2/0/40   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE2/0/41   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE2/0/42   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE2/0/43   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE2/0/44   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE2/0/45   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE2/0/46   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE2/0/47   Yes     Off       N/A    N/A      N/A         N/A
TwentyFiveGigE2/0/48   Yes     Off       N/A    N/A      N/A         N/A
HundredGigE1/0/49      Yes     Off       N/A    N/A      N/A         N/A
HundredGigE1/0/50      Yes     Off       N/A    N/A      N/A         N/A
HundredGigE1/0/51      Yes     Off       N/A    N/A      N/A         N/A
HundredGigE1/0/52      Yes     Off       N/A    N/A      N/A         N/A
HundredGigE2/0/49      Yes     Off       N/A    N/A      N/A         N/A
HundredGigE2/0/50      Yes     Off       N/A    N/A      N/A         N/A
HundredGigE2/0/51      Yes     Off       N/A    N/A      N/A         N/A
HundredGigE2/0/52      Yes     Off       N/A    N/A      N/A         N/A

Table 68: Network interfaces with port security disabled on JED-DC-CORE-SW.catrion.local

Impact

A switch port with no configured port security could allow an attacker to attach an unauthorized device and gain access to the
network.

Ease

An attacker would have to gain access to a switch port with no security configured. If the switch port is not directly patched to a
wall socket, the attacker would have to gain physical access to the device. It is worth noting that an attacker could assume the
MAC address of a device already attached to the port in order to gain access and bypass the port security feature.

Recommendation

Invictux recommends that, where possible, port security should be enabled on all switch ports. Furthermore, Invictux
recommends that all switch ports that are not in use should be shut down.

Cisco IOS Information

Switch port security with MAC address learning and port shutdown on a violation can be configured for each interface with the
following commands:

switchport port-security
switchport port-security violation shutdown
switchport port-security mac-address sticky

Additional Information

TID: TNA-INTR-0003

ICMP Unreachable Messages Were Enabled LOW

Invictux Rating

Overall: Low
Impact: Low
Ease: Trivial
Fix: Quick
Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Finding

When a network packet is sent to a destination host or service that is unreachable, an Internet Control Message Protocol (ICMP)
unreachable message can be sent from a network gateway or the destination host to inform the requester that it was
unreachable. If it is a host that is unreachable, the message takes the form of an ICMP host unreachable message. ICMP
unreachable messages are described in more detail in RFC 792.

Invictux examined the device configuration to determine if IP Unreachables had been disabled.

JED-DC-CORE-SW.catrion.local Findings

Invictux determined that JED-DC-CORE-SW.catrion.local was configured to send ICMP IP Unreachable messages.

Interface Active Address Unreachables Redirects Mask Reply Info Reply

Vlan2 Yes 192.168.102.10 On On Off Off

Vlan99 Yes 192.168.99.101 On On Off Off

Vlan106 Yes 10.240.16.10 On On Off Off

Vlan276 Yes 10.240.176.10 On On Off Off

Vlan302 Yes 10.10.102.10 On On Off Off

Vlan306 Yes 10.10.105.10 On On Off Off

Vlan308 Yes 10.10.107.10 On On Off Off

Vlan310 Yes 10.10.109.10 On On Off Off

Vlan312 Yes 10.10.12.10 On On Off Off

Vlan313 Yes 10.10.100.10 On On Off Off

Vlan314 Yes 10.10.20.10 On On Off Off

Vlan317 Yes 10.10.152.10 On On Off Off

Vlan728 Yes 10.50.0.1 On On Off Off

Vlan729 Yes 10.50.0.117 On On Off Off

Vlan730 Yes 10.50.0.121 On On Off Off

Vlan1800 Yes 10.50.2.221 On On Off Off

Table 69: Interfaces with ICMP IP Unreachables enabled

Impact

An attacker performing network scans to determine which services are available would be able to scan a device more
quickly. If the device being scanned sends ICMP unreachable messages informing the attacker that a network or protocol is not
supported, the attacker does not have to wait for a connection time-out.

Ease

The ICMP messages are automatically returned by a device with the ICMP unreachable feature enabled. Network scanning tools
can be downloaded from the Internet that are able to perform a wide variety of scan types and take into account ICMP
unreachable messages.

Recommendation

Invictux recommends that, if not required, ICMP unreachable messages should be disabled. Note that whilst disabling ICMP
unreachable messages will not stop a network scan, it will make the scan more time consuming for the attacker to perform.

Cisco IOS Information

ICMP unreachable message sending can be disabled on network interfaces with the following command:

no ip unreachables

Additional Information

TID: TNA-PRO-0020
Wikipedia: https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol

The following findings are related to this one:

ICMP Redirect Messages Were Enabled (see section TNA-PRO-0013).

CDP Was Enabled LOW

Invictux Rating

Overall: Low
Impact: Low
Ease: Easy
Fix: Quick

Affected Devices
Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Finding

Cisco Discovery Protocol (CDP) is a proprietary protocol that was developed and is primarily used by Cisco. A CDP enabled device
can be configured to broadcast CDP packets on the network enabling network management applications and CDP aware devices
to identify each other. CDP packets include the following information about the sending device:

The OS version details of the device.
IP address details of the device.
The device's name.
Details of the device's hardware platform, model and capabilities.
Information about the network interface and VLAN used to send the CDP message.

Invictux examined the device configuration to determine if CDP was disabled.

JED-DC-CORE-SW.catrion.local Findings
Invictux determined that CDP was enabled on JED-DC-CORE-SW.catrion.local. The following table shows the CDP status
on individual network interfaces.

Interface Active Description CDP

GigabitEthernet0/0 No On

TwentyFiveGigE1/0/1 Yes --- Uplink Port - Sophos Perimeter FW1 --- On

TwentyFiveGigE1/0/2 Yes --- Uplink Port - Sophos Perimeter FW2 --- On

TwentyFiveGigE1/0/3 Yes --- Uplink Port - Sophos B2B (XGS 2100) FW1 --- On

TwentyFiveGigE1/0/4 Yes --- Uplink Port - Sophos B2B (XGS 2100) FW2 --- On

TwentyFiveGigE1/0/5 Yes --- Uplink Port - Sophos Primary FW1 XGS 4500 --- On

TwentyFiveGigE1/0/6 Yes --- Uplink Port - Sophos Primary FW1 XGS 4500 --- On

TwentyFiveGigE1/0/7 Yes --- Uplink Port - Sophos Primary FW2 XGS 4500 --- On

TwentyFiveGigE1/0/8 Yes --- Uplink Port - Sophos Primary FW2 XGS 4500 --- On

TwentyFiveGigE1/0/9 Yes On

TwentyFiveGigE1/0/10 Yes On

TwentyFiveGigE1/0/11 Yes --- Old Sophos B2B 3100 - Temp --- On

TwentyFiveGigE1/0/12 Yes On

TwentyFiveGigE1/0/13 Yes On

TwentyFiveGigE1/0/14 Yes On

TwentyFiveGigE1/0/15 Yes --- LAN Probe - Blue Moon --- On

TwentyFiveGigE1/0/16 Yes On

TwentyFiveGigE1/0/17 Yes On

TwentyFiveGigE1/0/18 Yes On

TwentyFiveGigE1/0/19 Yes --- Connected to Aruba-Controller-1 --- On

TwentyFiveGigE1/0/20 Yes --- Connected to Aruba-Controller-2 --- On

TwentyFiveGigE1/0/21 Yes --- Connected to AlFurfan-Aruba-Controller-3 --- On

TwentyFiveGigE1/0/22 Yes --- Connected to Aruba-Conductor --- On

TwentyFiveGigE1/0/23 Yes --- Jed-CS-CL01-ESXi02 --- On

TwentyFiveGigE1/0/24 Yes --- Jed-CS-CL01-ESXi03 --- On

TwentyFiveGigE1/0/25 Yes --- Jed-CS-MISC --- On

TwentyFiveGigE1/0/26 Yes --- Connected to WAN-Server --- On

TwentyFiveGigE1/0/27 Yes --- Connected to JEDGIGMON --- On

TwentyFiveGigE1/0/28 Yes --- Core Switch Extension Catalyst 9200L 24-port PoE+ x 2 for system with 1GB-TX interface --- On

TwentyFiveGigE1/0/29 Yes On

TwentyFiveGigE1/0/30 Yes --- Connected to JED-CORE-MGM-SW1 --- On

TwentyFiveGigE1/0/31 Yes --- Connected to JED-DC-ISP-SW --- On

TwentyFiveGigE1/0/32 Yes On

TwentyFiveGigE1/0/33 Yes On

TwentyFiveGigE1/0/34 Yes --- Uplink Port - Distribution Switch --- On

TwentyFiveGigE1/0/35 Yes --- Uplink Port - Distribution Switch --- On

TwentyFiveGigE1/0/36 Yes On

TwentyFiveGigE1/0/37 Yes On

TwentyFiveGigE1/0/38 Yes --- Uplink Port - Service Switch --- On

TwentyFiveGigE1/0/39 Yes --- Uplink Port - Service Switch --- On

TwentyFiveGigE1/0/40 Yes On

TwentyFiveGigE1/0/41 Yes --- MICROWAVE-AMAZNET-ISP-SW --- On

TwentyFiveGigE1/0/42 Yes On

TwentyFiveGigE1/0/43 Yes On

TwentyFiveGigE1/0/44 Yes On

TwentyFiveGigE1/0/45 Yes On

TwentyFiveGigE1/0/46 Yes On

TwentyFiveGigE1/0/47 Yes On

TwentyFiveGigE1/0/48 Yes On

TwentyFiveGigE2/0/1 Yes --- Uplink Port - Sophos Perimeter FW1 --- On

TwentyFiveGigE2/0/2 Yes --- Uplink Port - Sophos Perimeter FW2 --- On

TwentyFiveGigE2/0/3 Yes --- Uplink Port - Sophos B2B (XGS 2100) FW1 --- On

TwentyFiveGigE2/0/4 Yes --- Uplink Port - Sophos B2B (XGS 2100) FW2 --- On

TwentyFiveGigE2/0/5 Yes --- Uplink Port - Sophos Primary FW1 XGS 4500 --- On

TwentyFiveGigE2/0/6 Yes --- Uplink Port - Sophos Primary FW1 XGS 4500 --- On

TwentyFiveGigE2/0/7 Yes --- Uplink Port - Sophos Primary FW2 XGS 4500 --- On

TwentyFiveGigE2/0/8 Yes --- Uplink Port - Sophos Primary FW2 XGS 4500 --- On

TwentyFiveGigE2/0/9 Yes On

TwentyFiveGigE2/0/10 Yes On

TwentyFiveGigE2/0/11 Yes --- Old Sophos B2B 3100 - Temp --- On

TwentyFiveGigE2/0/12 Yes On

TwentyFiveGigE2/0/13 Yes On

TwentyFiveGigE2/0/14 Yes On

TwentyFiveGigE2/0/15 Yes --- LAN Probe - Blue Moon --- On

TwentyFiveGigE2/0/16 Yes On

TwentyFiveGigE2/0/17 Yes On

TwentyFiveGigE2/0/18 Yes On

TwentyFiveGigE2/0/19 Yes --- Connected to Aruba-Controller-1 --- On

TwentyFiveGigE2/0/20 Yes --- Connected to Aruba-Controller-2 --- On

TwentyFiveGigE2/0/21 Yes --- Connected to AlFurfan-Aruba-Controller-3 --- On

TwentyFiveGigE2/0/22 Yes --- Connected to Aruba-Conductor --- On

TwentyFiveGigE2/0/23 Yes --- Jed-CS-CL01-ESXi02 --- On

TwentyFiveGigE2/0/24 Yes --- Jed-CS-CL01-ESXi03 --- On

TwentyFiveGigE2/0/25 Yes --- Jed-CS-MISC --- On

TwentyFiveGigE2/0/26 Yes --- Connected to WAN-Server --- On

TwentyFiveGigE2/0/27 Yes --- Connected to JEDGIGMON --- On

TwentyFiveGigE2/0/28 Yes --- Core Switch Extension Catalyst 9200L 24-port PoE+ x 2 for system with 1GB-TX interface --- On

TwentyFiveGigE2/0/29 Yes On

TwentyFiveGigE2/0/30 Yes --- Connected to JED-CORE-MGM-SW1 --- On

TwentyFiveGigE2/0/31 Yes --- Connected to JED-DC-ISP-SW --- On

TwentyFiveGigE2/0/32 Yes On

TwentyFiveGigE2/0/33 Yes On

TwentyFiveGigE2/0/34 Yes --- Uplink Port - Distribution Switch --- On

TwentyFiveGigE2/0/35 Yes --- Uplink Port - Distribution Switch --- On

TwentyFiveGigE2/0/36 Yes On

TwentyFiveGigE2/0/37 Yes On

TwentyFiveGigE2/0/38 Yes --- Uplink Port - Service Switch --- On



TwentyFiveGigE2/0/39 Yes --- Uplink Port - Service Switch --- On

TwentyFiveGigE2/0/40 Yes On

TwentyFiveGigE2/0/41 Yes On

TwentyFiveGigE2/0/42 Yes On

TwentyFiveGigE2/0/43 Yes On

TwentyFiveGigE2/0/44 Yes On

TwentyFiveGigE2/0/45 Yes On

TwentyFiveGigE2/0/46 Yes On

TwentyFiveGigE2/0/47 Yes On

TwentyFiveGigE2/0/48 Yes On

HundredGigE1/0/49 Yes On

HundredGigE1/0/50 Yes On

HundredGigE1/0/51 Yes On

HundredGigE1/0/52 Yes On

HundredGigE2/0/49 Yes On

HundredGigE2/0/50 Yes On

HundredGigE2/0/51 Yes On

HundredGigE2/0/52 Yes On

Table 70: CDP interface status on JED-DC-CORE-SW.catrion.local

Impact

CDP packets contain information about the sender, such as hardware model information, operating system version and IP address
details. This information would give an attacker valuable information about the device. The attacker could then use this
information as part of a targeted attack.

The following is an example capture of CDP information using the "tcpdump" tool. It shows the types of information an attacker
would gain by capturing CDP packets.

tcpdump: listening on bond0, link-type EN10MB (Ethernet), capture size 1500 bytes
08:50:11.768298 CDPv2, ttl: 180s, checksum: 0xb08a (unverified), length 271
Device-ID (0x01), value length: 40 bytes: ‘test1-demo-sw28b.test.com(FDO2116225P)’
Address (0x02), value length: 13 bytes: IPv4 (1) test1-demo-sw28b.test.com
Port-ID (0x03), value length: 11 bytes: ‘Ethernet1/1’
Capability (0x04), value length: 4 bytes: (0x00000229): Router, L2 Switch, IGMP snoopi
Version String (0x05), value length: 66 bytes:
Cisco Nexus Operating System (NX-OS) Software, Version 7.0(3)I6(1)
Platform (0x06), value length: 15 bytes: ‘N9K-C9xx3180YC-EX’
Native VLAN ID (0x0a), value length: 2 bytes: 985
Duplex (0x0b), value length: 1 byte: full
MTU (0x11), value length: 4 bytes: 1500 bytes
System Name (0x14), value length: 17 bytes: ‘test1-demo-sw28b’
System Object ID (not decoded) (0x15), value length: 14 bytes:
0x0000: 060c 2b06 0104 0109 0c03 0103 8e14
Management Addresses (0x16), value length: 13 bytes: IPv4 (1) test1-demo-sw28b.test.co
Physical Location (0x17), value length: 15 bytes: 0x00/test1

The example CDP information above includes the platform and software version details. Using that information, an attacker could
search vulnerability databases such as the NVD to identify any vulnerabilities that could be exploited. If the attacker identifies a
vulnerability, they could then follow the information described to exploit the issue or search the Internet for exploit code.

Ease

CDP packets are broadcast to an entire network segment. The attacker or malicious user would require access to a network
segment on which the CDP packets are broadcast and network monitoring software. A wide variety of network monitoring, packet
capture and analysis tools can be downloaded from the Internet. Tools like:

Wireshark, which is a graphical packet capture tool used by networking specialists (https://www.wireshark.org/)
TCPDump, which is a command line packet capture tool (https://www.tcpdump.org/)

Recommendation

Invictux recommends that, if not required, CDP should be disabled. In some configurations with IP phones, deployed using
either Auto Discovery or Dynamic Host Configuration Protocol (DHCP), the CDP service may need to remain enabled. In that case,
if the device supports disabling CDP on individual interfaces, Invictux recommends that it should be disabled on all the
interfaces where it is not required.

Cisco IOS Information

The following commands can be used to disable CDP on Cisco IOS devices. The first command disables CDP for the entire
device, whilst the second can be used to disable CDP on individual interfaces.

no cdp run
no cdp enable
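The following Python script is an added example (not Invictux's or Nipper's own code) that applies the Cisco IOS checks from the port security, ICMP unreachable and CDP findings above to a running-config and lists the interfaces that would populate Tables 68 to 70. The configuration, interface names and TEST-NET addresses are constructed; the script assumes the IOS defaults that CDP and IP unreachables are on unless explicitly disabled.

```python
"""Audit a Cisco IOS-style running-config for three interface-level checks made
in this report: switch port security / IEEE 802.1X, ICMP unreachables and CDP.
Added example, not Invictux's or Nipper's code; the config below is constructed."""
from dataclasses import dataclass, field

# Constructed sample configuration (TEST-NET addresses, not the audited device).
SAMPLE_CONFIG = """\
interface TwentyFiveGigE1/0/1
 switchport mode trunk
!
interface TwentyFiveGigE1/0/9
 switchport mode access
 switchport port-security
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 no cdp enable
!
interface TwentyFiveGigE1/0/10
 switchport mode access
 dot1x pae authenticator
 authentication port-control auto
!
interface TwentyFiveGigE1/0/11
 switchport mode access
 shutdown
!
interface Vlan2
 ip address 192.0.2.10 255.255.255.0
!
interface Vlan99
 ip address 192.0.2.101 255.255.255.0
 no ip unreachables
!
"""

LOGICAL_PREFIXES = ("Vlan", "Port-channel", "Loopback", "Tunnel")  # no link-layer CDP


@dataclass
class Interface:
    name: str
    lines: list = field(default_factory=list)

    def has(self, prefix: str) -> bool:
        """True if any command in this interface stanza starts with `prefix`."""
        return any(line.startswith(prefix) for line in self.lines)


def parse_config(config: str):
    """Split the config into interface stanzas and note whether CDP runs globally.
    IOS enables CDP by default, so only an explicit `no cdp run` turns it off."""
    interfaces, current, cdp_run = {}, None, True
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = Interface(raw.split(None, 1)[1].strip())
            interfaces[current.name] = current
        elif raw.startswith(" ") and current is not None:
            current.lines.append(raw.strip())  # indented line belongs to the stanza
        else:
            current = None  # '!' or a global command ends the stanza
            if raw.strip() == "no cdp run":
                cdp_run = False
    return interfaces, cdp_run


def port_security_findings(interfaces):
    """Active switch ports with neither port security nor 802.1X (the Table 68 test)."""
    return [i.name for i in interfaces.values()
            if not i.has("shutdown") and i.has("switchport")
            and not i.has("switchport port-security")
            and not (i.has("authentication port-control auto")
                     or i.has("dot1x pae authenticator"))]


def unreachables_findings(interfaces):
    """Layer-3 interfaces still sending ICMP unreachables (the IOS default)."""
    return [i.name for i in interfaces.values()
            if i.has("ip address") and not i.has("no ip unreachables")]


def cdp_findings(interfaces, cdp_run):
    """Physical interfaces with CDP still enabled, shut ports included (as in Table 70)."""
    if not cdp_run:
        return []
    return [i.name for i in interfaces.values()
            if not i.name.startswith(LOGICAL_PREFIXES) and not i.has("no cdp enable")]


def audit(config: str) -> dict:
    interfaces, cdp_run = parse_config(config)
    return {"port_security": port_security_findings(interfaces),
            "ip_unreachables": unreachables_findings(interfaces),
            "cdp": cdp_findings(interfaces, cdp_run)}


if __name__ == "__main__":
    for check, names in audit(SAMPLE_CONFIG).items():
        print(f"{check}: {', '.join(names) or 'PASS'}")
```

Each value in the returned dictionary lists the interfaces that fail the check; an empty list means the check passes for that config.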

Additional Information

TID: TNA-PRO-0001
Wikipedia: https://en.wikipedia.org/wiki/Cisco_Discovery_Protocol

The following findings are related to this one:

LLDP Was Enabled (see section TNA-PRO-0008).

LLDP Was Enabled LOW

Invictux Rating

Overall: Low
Impact: Low
Ease: Easy
Fix: Quick

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Finding

Link Layer Discovery Protocol (LLDP) is an industry standard protocol specified in IEEE 802.1AB. An LLDP enabled device can be
configured to broadcast and receive LLDP packets on the network enabling network management applications and LLDP aware
devices to identify each other. LLDP packets may include the following sender information:

System name and description.
Network interface name, description and VLAN details.
IP management address.
System capabilities.
MAC address information.
Power over Ethernet details.
Link aggregation information.

Invictux examined the device configuration to determine if LLDP was disabled.

JED-DC-CORE-SW.catrion.local Findings
Invictux determined that JED-DC-CORE-SW.catrion.local was configured to send and receive LLDP. The following table
shows the LLDP status on individual network interfaces.

Interface Active LLDP Send LLDP Receive Description

GigabitEthernet0/0 No On On

TwentyFiveGigE1/0/1 Yes On On --- Uplink Port - Sophos Perimeter FW1 ---

TwentyFiveGigE1/0/2 Yes On On --- Uplink Port - Sophos Perimeter FW2 ---

TwentyFiveGigE1/0/3 Yes On On --- Uplink Port - Sophos B2B (XGS 2100) FW1 ---

TwentyFiveGigE1/0/4 Yes On On --- Uplink Port - Sophos B2B (XGS 2100) FW2 ---

TwentyFiveGigE1/0/5 Yes On On --- Uplink Port - Sophos Primary FW1 XGS 4500 ---

TwentyFiveGigE1/0/6 Yes On On --- Uplink Port - Sophos Primary FW1 XGS 4500 ---

TwentyFiveGigE1/0/7 Yes On On --- Uplink Port - Sophos Primary FW2 XGS 4500 ---

TwentyFiveGigE1/0/8 Yes On On --- Uplink Port - Sophos Primary FW2 XGS 4500 ---

TwentyFiveGigE1/0/9 Yes On On

TwentyFiveGigE1/0/10 Yes On On

TwentyFiveGigE1/0/11 Yes On On --- Old Sophos B2B 3100 - Temp ---

TwentyFiveGigE1/0/12 Yes On On

TwentyFiveGigE1/0/13 Yes On On

TwentyFiveGigE1/0/14 Yes On On

TwentyFiveGigE1/0/15 Yes On On --- LAN Probe - Blue Moon ---

TwentyFiveGigE1/0/16 Yes On On

TwentyFiveGigE1/0/17 Yes On On

TwentyFiveGigE1/0/18 Yes On On

TwentyFiveGigE1/0/19 Yes On On --- Connected to Aruba-Controller-1 ---

TwentyFiveGigE1/0/20 Yes On On --- Connected to Aruba-Controller-2 ---

TwentyFiveGigE1/0/21 Yes On On --- Connected to AlFurfan-Aruba-Controller-3 ---

TwentyFiveGigE1/0/22 Yes On On --- Connected to Aruba-Conductor ---

TwentyFiveGigE1/0/23 Yes On On --- Jed-CS-CL01-ESXi02 ---

TwentyFiveGigE1/0/24 Yes On On --- Jed-CS-CL01-ESXi03 ---

TwentyFiveGigE1/0/25 Yes On On --- Jed-CS-MISC ---

TwentyFiveGigE1/0/26 Yes On On --- Connected to WAN-Server ---

TwentyFiveGigE1/0/27 Yes On On --- Connected to JEDGIGMON ---

TwentyFiveGigE1/0/28 Yes On On --- Core Switch Extension Catalyst 9200L 24-port PoE+ x 2 for system with 1GB-TX interface ---

TwentyFiveGigE1/0/29 Yes On On

TwentyFiveGigE1/0/30 Yes On On --- Connected to JED-CORE-MGM-SW1 ---

TwentyFiveGigE1/0/31 Yes On On --- Connected to JED-DC-ISP-SW ---

TwentyFiveGigE1/0/32 Yes On On

TwentyFiveGigE1/0/33 Yes On On

TwentyFiveGigE1/0/34 Yes On On --- Uplink Port - Distribution Switch ---

TwentyFiveGigE1/0/35 Yes On On --- Uplink Port - Distribution Switch ---

TwentyFiveGigE1/0/36 Yes On On

TwentyFiveGigE1/0/37 Yes On On

TwentyFiveGigE1/0/38 Yes On On --- Uplink Port - Service Switch ---

TwentyFiveGigE1/0/39 Yes On On --- Uplink Port - Service Switch ---

TwentyFiveGigE1/0/40 Yes On On

TwentyFiveGigE1/0/41 Yes On On --- MICROWAVE-AMAZNET-ISP-SW ---



TwentyFiveGigE1/0/42 Yes On On

TwentyFiveGigE1/0/43 Yes On On

TwentyFiveGigE1/0/44 Yes On On

TwentyFiveGigE1/0/45 Yes On On

TwentyFiveGigE1/0/46 Yes On On

TwentyFiveGigE1/0/47 Yes On On

TwentyFiveGigE1/0/48 Yes On On

TwentyFiveGigE2/0/1 Yes On On --- Uplink Port - Sophos Perimeter FW1 ---

TwentyFiveGigE2/0/2 Yes On On --- Uplink Port - Sophos Perimeter FW2 ---

TwentyFiveGigE2/0/3 Yes On On --- Uplink Port - Sophos B2B (XGS 2100) FW1 ---

TwentyFiveGigE2/0/4 Yes On On --- Uplink Port - Sophos B2B (XGS 2100) FW2 ---

TwentyFiveGigE2/0/5 Yes On On --- Uplink Port - Sophos Primary FW1 XGS 4500 ---

TwentyFiveGigE2/0/6 Yes On On --- Uplink Port - Sophos Primary FW1 XGS 4500 ---

TwentyFiveGigE2/0/7 Yes On On --- Uplink Port - Sophos Primary FW2 XGS 4500 ---

TwentyFiveGigE2/0/8 Yes On On --- Uplink Port - Sophos Primary FW2 XGS 4500 ---

TwentyFiveGigE2/0/9 Yes On On

TwentyFiveGigE2/0/10 Yes On On

TwentyFiveGigE2/0/11 Yes On On --- Old Sophos B2B 3100 - Temp ---

TwentyFiveGigE2/0/12 Yes On On

TwentyFiveGigE2/0/13 Yes On On

TwentyFiveGigE2/0/14 Yes On On

TwentyFiveGigE2/0/15 Yes On On --- LAN Probe - Blue Moon ---

TwentyFiveGigE2/0/16 Yes On On

TwentyFiveGigE2/0/17 Yes On On

TwentyFiveGigE2/0/18 Yes On On

TwentyFiveGigE2/0/19 Yes On On --- Connected to Aruba-Controller-1 ---

TwentyFiveGigE2/0/20 Yes On On --- Connected to Aruba-Controller-2 ---

TwentyFiveGigE2/0/21 Yes On On --- Connected to AlFurfan-Aruba-Controller-3 ---

TwentyFiveGigE2/0/22 Yes On On --- Connected to Aruba-Conductor ---

TwentyFiveGigE2/0/23 Yes On On --- Jed-CS-CL01-ESXi02 ---

TwentyFiveGigE2/0/24 Yes On On --- Jed-CS-CL01-ESXi03 ---

TwentyFiveGigE2/0/25 Yes On On --- Jed-CS-MISC ---

TwentyFiveGigE2/0/26 Yes On On --- Connected to WAN-Server ---

TwentyFiveGigE2/0/27 Yes On On --- Connected to JEDGIGMON ---


TwentyFiveGigE2/0/28 Yes On On --- Core Switch Extension Catalyst 9200L 24-port PoE+ x 2 for system with 1GB-TX interface ---

TwentyFiveGigE2/0/29 Yes On On

TwentyFiveGigE2/0/30 Yes On On --- Connected to JED-CORE-MGM-SW1 ---

TwentyFiveGigE2/0/31 Yes On On --- Connected to JED-DC-ISP-SW ---

TwentyFiveGigE2/0/32 Yes On On

TwentyFiveGigE2/0/33 Yes On On

TwentyFiveGigE2/0/34 Yes On On --- Uplink Port - Distribution Switch ---

TwentyFiveGigE2/0/35 Yes On On --- Uplink Port - Distribution Switch ---

TwentyFiveGigE2/0/36 Yes On On

TwentyFiveGigE2/0/37 Yes On On

TwentyFiveGigE2/0/38 Yes On On --- Uplink Port - Service Switch ---

TwentyFiveGigE2/0/39 Yes On On --- Uplink Port - Service Switch ---

TwentyFiveGigE2/0/40 Yes On On

TwentyFiveGigE2/0/41 Yes On On

TwentyFiveGigE2/0/42 Yes On On

TwentyFiveGigE2/0/43 Yes On On

TwentyFiveGigE2/0/44 Yes On On

TwentyFiveGigE2/0/45 Yes On On

TwentyFiveGigE2/0/46 Yes On On

TwentyFiveGigE2/0/47 Yes On On

TwentyFiveGigE2/0/48 Yes On On

HundredGigE1/0/49 Yes On On

HundredGigE1/0/50 Yes On On

HundredGigE1/0/51 Yes On On

HundredGigE1/0/52 Yes On On

HundredGigE2/0/49 Yes On On

HundredGigE2/0/50 Yes On On

HundredGigE2/0/51 Yes On On

HundredGigE2/0/52 Yes On On

Table 71: LLDP interface status on JED-DC-CORE-SW.catrion.local

Impact
LLDP packets contain information about the sender and the network that an attacker would find useful as part of a targeted
attack. The following example capture, taken using the "tcpdump" tool, illustrates some of the information an attacker could
obtain from LLDP.

16:42:20.305995 LLDP, length 523
    Chassis ID TLV (1), length 7
      Subtype MAC address (4): cc:d5:39:33:46:00 (oui Unknown)
    Port ID TLV (2), length 9
      Subtype Interface Name (5): Gi2/0/40
    Time to Live TLV (3), length 2: TTL 120s
    System Name TLV (5), length 19: switch-01.mg-it.net
    System Description TLV (6), length 248
      Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version 12.2(58)SE2, REL
      Technical Support: http://www.cisco.com/techsupport
      Copyright (c) 1986-2011 by Cisco Systems, Inc.
      Compiled Thu 21-Jul-11 02:22 by prod_rel_team
    Port Description TLV (4), length 21: GigabitEthernet2/0/40
    System Capabilities TLV (7), length 4
      System  Capabilities [Bridge, Router] (0x0014)
      Enabled Capabilities [Bridge] (0x0004)
    Management Address TLV (8), length 12
      Management Address length 5, AFI IPv4 (1): 172.42.24.10
      System Port Number Interface Numbering (3): 0
    Organization specific TLV (127), length 7: OUI ANSI/TIA (0x0012bb)
      LLDP-MED Capabilities Subtype (1)
        Media capabilities [LLDP-MED capabilities, network policy, location identification
        Device type [network connectivity] (0x04)

The example LLDP information above includes the platform and software version details. Using that information, an attacker could
search vulnerability databases such as the NVD to identify any vulnerabilities that could be exploited. If the attacker identifies a
vulnerability, they could then follow the information described to exploit the issue or search the Internet for exploit code.
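
Every field tcpdump prints above is carried in a fixed TLV layout (a 16-bit header holding a 7-bit type and a 9-bit length, then the value), which is why a monitoring tool can log it so readily. The following Python script is an added example, not part of this report or of Invictux's tooling: it builds an LLDPDU from constructed values (MAC address, host name, software string and management address are all made up; none come from the audited device) and decodes it the way a capture tool would. The function names are the example's own; the TLV type codes and capability bits follow IEEE 802.1AB. A defender can run the same decoder over frames from a SPAN port to confirm which switch ports still advertise LLDP after the recommendation below has been applied.

```python
"""Encode and decode LLDP data units (IEEE 802.1AB TLV format), added example.

The MAC address, host name, software string and management address below are
constructed for illustration; they are not values from the audited device.
"""
import socket
import struct

# TLV type codes from IEEE 802.1AB (the numbers tcpdump shows in brackets).
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_SYS_NAME, TLV_SYS_DESCR, TLV_SYS_CAPS, TLV_MGMT_ADDR = 5, 6, 7, 8

# System capability bits (bridge 0x04, router 0x10, as in "[Bridge, Router] (0x0014)").
CAPABILITY_BITS = {0x04: "Bridge", 0x10: "Router", 0x08: "WLAN AP", 0x20: "Telephone"}


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type and 9-bit length packed into one big-endian short."""
    if len(value) > 0x1FF:
        raise ValueError("TLV value longer than 511 bytes")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(mac, port, ttl, name, descr, mgmt_ip, caps, enabled):
    """Assemble an LLDPDU with the mandatory TLVs plus the common optional ones."""
    # Management address TLV: address length (subtype + 4), AFI 1 = IPv4, the address,
    # interface numbering subtype 3 (system port number), interface number, OID length 0.
    mgmt = b"\x05\x01" + socket.inet_aton(mgmt_ip) + b"\x03" + struct.pack("!I", 0) + b"\x00"
    return b"".join([
        tlv(TLV_CHASSIS_ID, b"\x04" + mac),          # subtype 4 = MAC address
        tlv(TLV_PORT_ID, b"\x05" + port.encode()),   # subtype 5 = interface name
        tlv(TLV_TTL, struct.pack("!H", ttl)),
        tlv(TLV_SYS_NAME, name.encode()),
        tlv(TLV_SYS_DESCR, descr.encode()),
        tlv(TLV_SYS_CAPS, struct.pack("!HH", caps, enabled)),
        tlv(TLV_MGMT_ADDR, mgmt),
        tlv(TLV_END, b""),
    ])


def parse_lldpdu(data: bytes) -> dict:
    """Walk the TLV chain and return the fields a monitoring tool would record."""
    fields, offset = {}, 0
    while offset + 2 <= len(data):
        header, = struct.unpack_from("!H", data, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        value = data[offset + 2:offset + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV at offset %d" % offset)
        offset += 2 + length
        if tlv_type == TLV_END:
            break
        if tlv_type == TLV_CHASSIS_ID and value[0] == 4:
            fields["chassis_mac"] = ":".join("%02x" % b for b in value[1:])
        elif tlv_type == TLV_PORT_ID and value[0] == 5:
            fields["port"] = value[1:].decode()
        elif tlv_type == TLV_TTL:
            fields["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type == TLV_SYS_NAME:
            fields["system_name"] = value.decode()
        elif tlv_type == TLV_SYS_DESCR:
            fields["system_description"] = value.decode()
        elif tlv_type == TLV_SYS_CAPS:
            caps, enabled = struct.unpack("!HH", value)
            fields["capabilities"] = [n for bit, n in CAPABILITY_BITS.items() if caps & bit]
            fields["enabled"] = [n for bit, n in CAPABILITY_BITS.items() if enabled & bit]
        elif tlv_type == TLV_MGMT_ADDR and value[1] == 1:   # AFI 1 = IPv4
            fields["management_ip"] = socket.inet_ntoa(value[2:2 + value[0] - 1])
    return fields


# Constructed sample: a switch advertising its name, software and management address.
SAMPLE_LLDPDU = build_lldpdu(
    mac=bytes.fromhex("02aabbccddee"), port="Gi1/0/40", ttl=120,
    name="example-switch.lab.invalid",
    descr="Example Switch Software, Version 1.0 (constructed string)",
    mgmt_ip="192.0.2.10", caps=0x0014, enabled=0x0004,
)


def decode_sample() -> dict:
    """Decode the constructed LLDPDU; used by the demo below."""
    return parse_lldpdu(SAMPLE_LLDPDU)


if __name__ == "__main__":
    for key, val in decode_sample().items():
        print(f"{key:20} {val}")
```

The decoder stops at the End-of-LLDPDU TLV and rejects a frame whose declared TLV length runs past the buffer, so it is safe to point at arbitrary captured payloads. Organisation-specific TLVs (type 127, such as the LLDP-MED block in the capture) are skipped rather than decoded.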

Ease

LLDP packets are broadcast to an entire network segment. The attacker or malicious user would require access to a network
segment on which the LLDP packets are broadcast and network monitoring software. A wide variety of network monitoring,
packet capture and analysis tools can be downloaded from the Internet. Tools like:

Wireshark, which is a graphical packet capture tool used by networking specialists (https://www.wireshark.org/)
TCPDump, which is a command line packet capture tool (https://www.tcpdump.org/)

Recommendation

Invictux recommends that, if not required, LLDP should be disabled.

Cisco IOS Information

LLDP can be disabled globally or on individual interfaces using the following Cisco IOS device commands:

no lldp run
interface <interface>
no lldp transmit
no lldp receive

Additional Information

TID: TNA-PRO-0008
IEEE: IEEE 802.1ab
Wikipedia: https://en.wikipedia.org/wiki/Link_Layer_Discovery_Protocol

The following findings are related to this one:

CDP Was Enabled (see section TNA-PRO-0001).

Proxy ARP Was Enabled LOW

Invictux Rating

Overall: Low
Impact: Low
Ease: Easy
Fix: Quick

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Finding

Address Resolution Protocol (ARP) is a protocol that network hosts use to translate network IP addresses into MAC addresses.
Under normal circumstances, ARP packets are confined to the sender's network segment. However, some network devices can be
configured to act as a proxy for ARP requests, retransmitting an ARP request on other network segments and sending any
response back to the originator of the request.

Invictux examined the device configuration to determine if Proxy ARP had been disabled.

JED-DC-CORE-SW.catrion.local Findings

Invictux determined that JED-DC-CORE-SW.catrion.local was configured to enable Proxy ARP.

Interface Active Address Proxy-ARP Directed ACL In ACL Out

Vlan2 Yes 192.168.102.10 On Off


Vlan99 Yes 192.168.99.101 On Off

Vlan106 Yes 10.240.16.10 On Off

Vlan276 Yes 10.240.176.10 On Off

Vlan302 Yes 10.10.102.10 On Off

Vlan306 Yes 10.10.105.10 On Off

Vlan308 Yes 10.10.107.10 On Off

Vlan310 Yes 10.10.109.10 On Off

Vlan312 Yes 10.10.12.10 On Off

Vlan313 Yes 10.10.100.10 On Off

Vlan314 Yes 10.10.20.10 On Off

Vlan317 Yes 10.10.152.10 On Off

Vlan728 Yes 10.50.0.1 On Off

Vlan729 Yes 10.50.0.117 On Off

Vlan730 Yes 10.50.0.121 On Off

Vlan1800 Yes 10.50.2.221 On Off

Table 72: Interfaces with Proxy ARP enabled

Impact

A router that acts as a proxy for ARP requests will extend layer two access across multiple network segments, potentially breaking
perimeter security.

Ease

A network device with proxy ARP enabled will proxy ARP requests for all hosts on those interfaces. A number of ARP tools can be
downloaded from the Internet for use in exploiting this issue.

Recommendation

Invictux recommends that, if not required, the Proxy ARP feature should be disabled on all interfaces.

Cisco IOS Information

Proxy ARP can be disabled on interfaces using the following command:

no ip proxy-arp

Additional Information

TID: TNA-PRO-0012
RFCs: RFC 925, RFC 1027
Wikipedia: https://en.wikipedia.org/wiki/Proxy_ARP

IP Source Routing Was Enabled LOW

Invictux Rating

Overall: Low
Impact: Low
Ease: Moderate
Fix: Quick

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Finding

TCP/IP packets can contain source route information, which enables a packet to define its own route through a network rather
than using a route defined by static routes or routing protocols. The source route option was defined in RFC 791.

Some network routers, and multipurpose devices, include facilities that enable them to ignore the source route defined in a
packet or block the packets entirely.

JED-DC-CORE-SW.catrion.local Findings

Invictux determined that IP source routing was enabled on JED-DC-CORE-SW.catrion.local.

Impact

IP source routing can allow an attacker to specify a route for a network packet to follow, possibly to bypass a Firewall device or an
Intrusion Detection System (IDS). An attacker could also use source routing to capture network traffic by routing it through a
system controlled by the attacker.

Ease

An attacker would have to control either a routing device or an end point device in order to modify a packet's route through the
network. However, tools can be downloaded from the Internet that would allow an attacker to specify source routes. Tools are
also available to modify network routing using vulnerabilities in some routing protocols.

Recommendation

Invictux recommends that IP source routing information contained in network packets should be ignored.

Cisco IOS Information


IP source routing can be disabled on Cisco IOS devices using the following command:

no ip source-route

Additional Information

TID: TNA-ROUT-0020
Classification: Routing
Wikipedia: Disable IP source routing

DNS Lookups Were Enabled INFORMATIONAL

Invictux Rating

Overall: Informational
Impact: Informational
Ease: Moderate
Fix: Quick

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Finding

Some network devices can be configured to make use of Domain Name System (DNS) to perform lookups of addresses that have
been specified using a DNS name. In addition to being used for connecting to other devices, the DNS lookup functionality could
be used for auditing purposes.

Invictux examined the device configuration to determine if DNS Lookups were disabled.

JED-DC-CORE-SW.catrion.local Findings
Invictux determined that the DNS lookup feature was enabled on JED-DC-CORE-SW.catrion.local.

Impact

An attacker who is able to monitor DNS queries from the device could obtain information that could then be used as part of a
targeted attack. Some devices include functionality to automatically connect to a device if an administrator simply types in a
device's DNS name. Unfortunately this also means that if an administrator mistypes an administrative command, the device
treats the mistyped text as a host name, performs a lookup for it and attempts to connect to it. Cisco IOS-based devices perform
this action, and it could enable an attacker to perform a MITM attack if the attacker were to immediately respond to the DNS
query, accept the incoming connection on the attacker's system and then connect straight back to the sender.

Ease

Tools that can monitor DNS queries can be downloaded from the Internet.

Recommendation

Invictux suggests that, if not required, DNS lookups should be disabled.

Cisco IOS Information


Domain lookups can be disabled on Cisco IOS devices with the following commands (the latter command is for Cisco IOS 12.1
and older):

no ip domain lookup
no ip domain-lookup

Additional Information

TID: TNA-DNS-0001
RFCs: RFC 1033, RFC 1034, RFC 1035
Wikipedia: https://en.wikipedia.org/wiki/Domain_Name_System

No Network Filtering Rules Were Configured INFORMATIONAL

Invictux Rating

Overall: Informational
Impact: Informational
Ease: Trivial
Fix: Planned
Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Finding

Network filtering can be configured to restrict access to network services from only those hosts that require the access, helping to
prevent unauthorized access. When configured, network filter rules are processed sequentially and the first rule in the filter rule
list which matches the network packet is applied.

Invictux examined the device configuration to determine whether network filter rules had been configured to help prevent
unwanted access.

JED-DC-CORE-SW.catrion.local Findings

Invictux determined that JED-DC-CORE-SW.catrion.local does not have any filter rules configured.

Impact

Typically firewall appliances will drop network traffic by default if there are no network filtering rules configured on the device.
Therefore an attacker would automatically be prevented from exploiting this issue. However, most non-firewall appliances will
typically allow all network traffic if no network filtering rules have been configured. This would enable an attacker to connect to
network services without the device filtering their access.

Ease

The attacker would not have to perform any actions to exploit this issue. Therefore, no specialist skills or tools are required by the
attacker.

Recommendation

Invictux strongly recommends that network filter rules should be configured to help prevent unauthorized access to
network services.

Cisco IOS Information

On Cisco IOS devices network filter rules are added to ACLs which can then be used when configuring interfaces, services and
other options. ACLs can be either named or numbered. If numbered, a standard ACL will be numbered between 1-99 and 1300-
1999; all others will be extended ACLs. The following commands show how to create both named and numbered standard and
extended ACLs and filter rules:

ip access-list standard <list-name>
[permit | deny] <source-address> [log]
exit
access-list <number> [permit | deny] <source-address> [log]
ip access-list extended <list-name>
[permit | deny] <protocol> <source-address> [<source-port>] <dest-address> [<dest-port>]
exit
access-list <number> [permit | deny] <protocol> <source-address> [<source-port>] <dest-address> [<dest-port>]

On Cisco IOS devices Internet Protocol version 6 (IPv6) network filter rules are added to ACLs which can then be used when
configuring interfaces, services and other options. The following commands show how to add an Access Control Entry
(ACE) to a named IPv6 ACL:

ipv6 access-list <list-name>
[permit | deny] <protocol> <source-address/prefix> [<source-port>] <dest-address/prefix> [<dest-port>]
exit

Additional Information

TID: TNA-FLT-0011
Classification: Filtering

Interfaces Were Configured With No Filtering INFORMATIONAL

Invictux Rating

Overall: Informational
Impact: Informational
Ease: Trivial
Fix: Quick

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Finding

Network filtering is used to restrict access to network services and devices from only those systems that are authorized to access
them. For public facing services this could be allowing all remote hosts to connect to a specific service. For remote administrative
services this could be to allow only a specific address access to a range of administrative services.

Whilst many devices define filter rules in a single list for the entire device or network, some network devices define filter rule
lists that are then assigned to specific network interfaces, applying filtering to only the traffic entering or leaving those interfaces.

Invictux examined the device configuration to determine if inbound or outbound filtering had been configured.

JED-DC-CORE-SW.catrion.local Findings

Interface Class Active Unsecure Address Filtering Description

Port-channel1 None Yes Unknown --- Uplink Port - Sophos Perimeter FW1 ---

Port-channel2 None Yes Unknown --- Uplink Port - Sophos Perimeter FW2 ---

Port-channel3 None Yes Unknown --- Uplink Port - Sophos B2B (XGS 2100) FW1 ---

Port-channel4 None Yes Unknown --- Uplink Port - Sophos B2B (XGS 2100) FW2 ---

Port-channel5 None Yes Unknown --- Uplink Port - Sophos Primary FW1 XGS 4500 ---

Port-channel6 None Yes Unknown --- Uplink Port - Sophos Primary FW1 XGS 4500 ---

Port-channel7 None Yes Unknown --- Uplink Port - Sophos Primary FW2 XGS 4500 ---

Port-channel8 None Yes Unknown --- Uplink Port - Sophos Primary FW2 XGS 4500 ---

Port-channel9 None Yes Unknown --- Uplink Port - Sophos B2B (XGS 2100) FW1 ---

Port-channel10 None Yes Unknown --- Uplink Port - Sophos B2B (XGS 2100) FW2 ---

Port-channel11 None Yes Unknown --- Connected to NAC-EM-(Enterprise-Manager) ---

Port-channel12 None Yes Unknown --- Connected to nac-jed-SPAN ---

Port-channel13 None Yes Unknown --- Connected to nac-jed ---

Port-channel14 None Yes Unknown --- Connected to LAN-870-Infra-SIEM-Server-1 ---

Port-channel15 None Yes Unknown --- Connected to LAN-870-Infra-SIEM-Server-2 ---

Port-channel16 None Yes Unknown --- Connected to LAN-870-Infra-SIEM-Server-3 ---

Port-channel17 None Yes Unknown --- Connected to JED-SIEMXM1 ---

Port-channel18 None Yes Unknown --- Connected to jed-siempdih1 ---

Port-channel19 None Yes Unknown --- Connected to Aruba-Controller-1 ---

Port-channel20 None Yes Unknown --- Connected to Aruba-Controller-2 ---

Port-channel21 None Yes Unknown --- Connected to Aruba-Controller-3 ---

Port-channel22 None Yes Unknown --- Connected to Aruba-Conductor ---

Port-channel25 None Yes Unknown --- Connected to Jed-CS-MISC ---

Port-channel26 None Yes Unknown --- Connected to WAN-Server ---


Port-channel27 None Yes Unknown --- Connected to JEDGIGMON ---

Port-channel28 None Yes Unknown --- Core Switch Extension Catalyst 9200L 24-port PoE+ x 2 for system with 1GB-TX interface ---

Port-channel30 None Yes Unknown --- Connected to JED-CORE-MGM-SW1 ---

Port-channel31 None Yes Unknown --- Connected to JED-DC-ISP-SW ---

Port-channel100 None Yes Unknown --- Uplink Port - Distribution Switch ---

Port-channel101 None Yes Unknown --- Uplink Port - Service Switch ---

TwentyFiveGigE1/0/1 None Yes Unknown --- Uplink Port - Sophos Perimeter FW1 ---

TwentyFiveGigE1/0/2 None Yes Unknown --- Uplink Port - Sophos Perimeter FW2 ---

TwentyFiveGigE1/0/3 None Yes Unknown --- Uplink Port - Sophos B2B (XGS 2100) FW1 ---

TwentyFiveGigE1/0/4 None Yes Unknown --- Uplink Port - Sophos B2B (XGS 2100) FW2 ---

TwentyFiveGigE1/0/5 None Yes Unknown --- Uplink Port - Sophos Primary FW1 XGS 4500 ---

TwentyFiveGigE1/0/6 None Yes Unknown --- Uplink Port - Sophos Primary FW1 XGS 4500 ---

TwentyFiveGigE1/0/7 None Yes Unknown --- Uplink Port - Sophos Primary FW2 XGS 4500 ---

TwentyFiveGigE1/0/8 None Yes Unknown --- Uplink Port - Sophos Primary FW2 XGS 4500 ---

TwentyFiveGigE1/0/9 None Yes Unknown

TwentyFiveGigE1/0/10 None Yes Unknown

TwentyFiveGigE1/0/11 None Yes Unknown --- Old Sophos B2B 3100 - Temp ---

TwentyFiveGigE1/0/12 None Yes Unknown

TwentyFiveGigE1/0/13 None Yes Unknown

TwentyFiveGigE1/0/14 None Yes Unknown

TwentyFiveGigE1/0/15 None Yes Unknown --- LAN Probe - Blue Moon ---

TwentyFiveGigE1/0/16 None Yes Unknown

TwentyFiveGigE1/0/17 None Yes Unknown

TwentyFiveGigE1/0/18 None Yes Unknown

TwentyFiveGigE1/0/19 None Yes Unknown --- Connected to Aruba-Controller-1 ---

TwentyFiveGigE1/0/20 None Yes Unknown --- Connected to Aruba-Controller-2 ---

TwentyFiveGigE1/0/21 None Yes Unknown --- Connected to AlFurfan-Aruba-Controller-3 ---

TwentyFiveGigE1/0/22 None Yes Unknown --- Connected to Aruba-Conductor ---


TwentyFiveGigE1/0/23 None Yes Unknown --- Jed-CS-CL01-ESXi02 ---

TwentyFiveGigE1/0/24 None Yes Unknown --- Jed-CS-CL01-ESXi03 ---

TwentyFiveGigE1/0/25 None Yes Unknown --- Jed-CS-MISC ---

TwentyFiveGigE1/0/26 None Yes Unknown --- Connected to WAN-Server ---

TwentyFiveGigE1/0/27 None Yes Unknown --- Connected to JEDGIGMON ---

TwentyFiveGigE1/0/28 None Yes Unknown --- Core Switch Extension Catalyst 9200L 24-port PoE+ x 2 for system with 1GB-TX interface ---

TwentyFiveGigE1/0/29 None Yes Unknown

TwentyFiveGigE1/0/30 None Yes Unknown --- Connected to JED-CORE-MGM-SW1 ---

TwentyFiveGigE1/0/31 None Yes Unknown --- Connected to JED-DC-ISP-SW ---

TwentyFiveGigE1/0/32 None Yes Unknown

TwentyFiveGigE1/0/33 None Yes Unknown

TwentyFiveGigE1/0/34 None Yes Unknown --- Uplink Port - Distribution Switch ---

TwentyFiveGigE1/0/35 None Yes Unknown --- Uplink Port - Distribution Switch ---

TwentyFiveGigE1/0/36 None Yes Unknown

TwentyFiveGigE1/0/37 None Yes Unknown

TwentyFiveGigE1/0/38 None Yes Unknown --- Uplink Port - Service Switch ---

TwentyFiveGigE1/0/39 None Yes Unknown --- Uplink Port - Service Switch ---

TwentyFiveGigE1/0/40 None Yes Unknown

TwentyFiveGigE1/0/41 None Yes Unknown --- MICROWAVE-AMAZNET-ISP-SW ---

TwentyFiveGigE1/0/42 None Yes Unknown

TwentyFiveGigE1/0/43 None Yes Unknown

TwentyFiveGigE1/0/44 None Yes Unknown

TwentyFiveGigE1/0/45 None Yes Unknown

TwentyFiveGigE1/0/46 None Yes Unknown

TwentyFiveGigE1/0/47 None Yes Unknown

TwentyFiveGigE1/0/48 None Yes Unknown

TwentyFiveGigE2/0/1 None Yes Unknown --- Uplink Port - Sophos Perimeter FW1 ---

TwentyFiveGigE2/0/2 None Yes Unknown --- Uplink Port - Sophos Perimeter FW2 ---

TwentyFiveGigE2/0/3 None Yes Unknown --- Uplink Port - Sophos B2B (XGS 2100) FW1 ---

TwentyFiveGigE2/0/4 None Yes Unknown --- Uplink Port - Sophos B2B (XGS 2100) FW2 ---

TwentyFiveGigE2/0/5 None Yes Unknown --- Uplink Port - Sophos Primary FW1 XGS 4500 ---

TwentyFiveGigE2/0/6 None Yes Unknown --- Uplink Port - Sophos Primary FW1 XGS 4500 ---

TwentyFiveGigE2/0/7 None Yes Unknown --- Uplink Port - Sophos Primary FW2 XGS 4500 ---

TwentyFiveGigE2/0/8 None Yes Unknown --- Uplink Port - Sophos Primary FW2 XGS 4500 ---

TwentyFiveGigE2/0/9 None Yes Unknown

TwentyFiveGigE2/0/10 None Yes Unknown

TwentyFiveGigE2/0/11 None Yes Unknown --- Old Sophos B2B 3100 - Temp ---

TwentyFiveGigE2/0/12 None Yes Unknown

TwentyFiveGigE2/0/13 None Yes Unknown

TwentyFiveGigE2/0/14 None Yes Unknown

TwentyFiveGigE2/0/15 None Yes Unknown --- LAN Probe - Blue Moon ---

TwentyFiveGigE2/0/16 None Yes Unknown

TwentyFiveGigE2/0/17 None Yes Unknown

TwentyFiveGigE2/0/18 None Yes Unknown

TwentyFiveGigE2/0/19 None Yes Unknown --- Connected to Aruba-Controller-1 ---

TwentyFiveGigE2/0/20 None Yes Unknown --- Connected to Aruba-Controller-2 ---

TwentyFiveGigE2/0/21 None Yes Unknown --- Connected to AlFurfan-Aruba-Controller-3 ---

TwentyFiveGigE2/0/22 None Yes Unknown --- Connected to Aruba-Conductor ---

TwentyFiveGigE2/0/23 None Yes Unknown --- Jed-CS-CL01-ESXi02 ---

TwentyFiveGigE2/0/24 None Yes Unknown --- Jed-CS-CL01-ESXi03 ---

TwentyFiveGigE2/0/25 None Yes Unknown --- Jed-CS-MISC ---

TwentyFiveGigE2/0/26 None Yes Unknown --- Connected to WAN-Server ---

TwentyFiveGigE2/0/27 None Yes Unknown --- Connected to JEDGIGMON ---

TwentyFiveGigE2/0/28 None Yes Unknown --- Core Switch Extension Catalyst 9200L 24-port PoE+ x 2 for system with 1GB-TX interface ---

TwentyFiveGigE2/0/29 None Yes Unknown

TwentyFiveGigE2/0/30 None Yes Unknown --- Connected to JED-CORE-MGM-SW1 ---

TwentyFiveGigE2/0/31 None Yes Unknown --- Connected to JED-DC-ISP-SW ---

TwentyFiveGigE2/0/32 None Yes Unknown

TwentyFiveGigE2/0/33 None Yes Unknown


TwentyFiveGigE2/0/34 None Yes Unknown --- Uplink Port - Distribution Switch ---

TwentyFiveGigE2/0/35 None Yes Unknown --- Uplink Port - Distribution Switch ---

TwentyFiveGigE2/0/36 None Yes Unknown

TwentyFiveGigE2/0/37 None Yes Unknown

TwentyFiveGigE2/0/38 None Yes Unknown --- Uplink Port - Service Switch ---

TwentyFiveGigE2/0/39 None Yes Unknown --- Uplink Port - Service Switch ---

TwentyFiveGigE2/0/40 None Yes Unknown

TwentyFiveGigE2/0/41 None Yes Unknown

TwentyFiveGigE2/0/42 None Yes Unknown

TwentyFiveGigE2/0/43 None Yes Unknown

TwentyFiveGigE2/0/44 None Yes Unknown

TwentyFiveGigE2/0/45 None Yes Unknown

TwentyFiveGigE2/0/46 None Yes Unknown

TwentyFiveGigE2/0/47 None Yes Unknown

TwentyFiveGigE2/0/48 None Yes Unknown

HundredGigE1/0/49 None Yes Unknown

HundredGigE1/0/50 None Yes Unknown

HundredGigE1/0/51 None Yes Unknown

HundredGigE1/0/52 None Yes Unknown

HundredGigE2/0/49 None Yes Unknown

HundredGigE2/0/50 None Yes Unknown

HundredGigE2/0/51 None Yes Unknown

HundredGigE2/0/52 None Yes Unknown

Vlan1 None Yes N/A

Vlan2 None Yes N/A 192.168.102.10 --- Network-102 ---

Vlan99 None Yes N/A 192.168.99.101 --- Network-99 ---

Vlan106 None Yes N/A 10.240.16.10

Vlan276 None Yes N/A 10.240.176.10 --- LAN-276-Infra-ArubaNetwork ---

Vlan302 None Yes N/A 10.10.102.10 --- WiFi_SACC_IPPhone ---

Vlan306 None Yes N/A 10.10.105.10 --- WiFi_SACC_CEO ---

Vlan308 None Yes N/A 10.10.107.10 --- WiFi_SACC_Executives ---

Vlan310 None Yes N/A 10.10.109.10 --- WiFi_SACC_System ---


Vlan312 None Yes N/A 10.10.12.10 --- WiFi_SACC_Guest ---

Vlan313 None Yes N/A 10.10.100.10 --- WiFi_SACC_IT-VIPGuest ---

Vlan314 None Yes N/A 10.10.20.10 --- WiFi_Alfursan ---

Vlan316 None Yes N/A --- WiFi_Airfi ---

Vlan317 None Yes N/A 10.10.152.10 --- Wifi_TMS ---

Vlan728 None Yes N/A 10.50.0.1

Vlan729 None Yes N/A 10.50.0.117 ---Point to Point to Primary-FW-for-USER-VRF ---

Vlan730 None Yes N/A 10.50.0.121 ---Point to Point to Primary-FW-for-WIFI-VRF ---

Vlan1800 None Yes N/A 10.50.2.221 ---Point to Point to Distribution-SW-for-USER-VRF ---

Vlan874 None Yes N/A

Vlan870 None Yes N/A

Vlan862 None Yes N/A

Table 73: Network interfaces with inadequate filtering assigned

Impact

The network traffic from an attacker attached to one of the network interfaces detailed in the finding would not be subjected to
filtering, potentially providing unrestricted access to network services.

Ease

The network traffic would not be subjected to filtering.

Recommendation

Invictux recommends that all network interfaces should be configured with filtering to help prevent unauthorized access
to network services and hosts.

Cisco IOS Information

Cisco IOS device filtering can be configured on interfaces with the following command:

ip access-group <ACL> [in | out]


Additional Information

TID: TNA-INTR-0001
Classification: Filtering

ICMP Redirect Messages Were Enabled INFORMATIONAL

Invictux Rating

Overall: Informational
Impact: Informational
Ease: Trivial
Fix: Quick

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Finding

When sending network traffic through a router, ICMP redirect messages could be sent to the router in order to indicate a specific
route that the sending host would like the network traffic to take. On a router that accepts ICMP redirect messages, the network
traffic will be forwarded using the specified route. Furthermore, some routers will cache the new routing information for use with
future network packets.

Invictux examined the device configuration to determine if ICMP IP Redirects had been disabled.

JED-DC-CORE-SW.catrion.local Findings

Invictux determined that JED-DC-CORE-SW.catrion.local was configured to send ICMP IP Redirect messages.

Interface Active Address Unreachables Redirects Mask Reply Info Reply

Vlan2 Yes 192.168.102.10 On On Off Off

Vlan99 Yes 192.168.99.101 On On Off Off

Vlan106 Yes 10.240.16.10 On On Off Off

Vlan276 Yes 10.240.176.10 On On Off Off

Vlan302 Yes 10.10.102.10 On On Off Off

Vlan306 Yes 10.10.105.10 On On Off Off

Vlan308 Yes 10.10.107.10 On On Off Off

Vlan310 Yes 10.10.109.10 On On Off Off


Vlan312 Yes 10.10.12.10 On On Off Off

Vlan313 Yes 10.10.100.10 On On Off Off

Vlan314 Yes 10.10.20.10 On On Off Off

Vlan317 Yes 10.10.152.10 On On Off Off

Vlan728 Yes 10.50.0.1 On On Off Off

Vlan729 Yes 10.50.0.117 On On Off Off

Vlan730 Yes 10.50.0.121 On On Off Off

Vlan1800 Yes 10.50.2.221 On On Off Off

Table 74: Interfaces with ICMP IP Redirects enabled

Impact

An attacker could use ICMP redirects to modify the route that a packet takes through a network. However, it is worth noting that
on networks with functional network routing, disabling ICMP redirects will have little to no effect.

Ease

ICMP redirect messages will be accepted, but not necessarily acted upon. An attacker could download software from the Internet
in order to perform this attack.

Recommendation

Invictux recommends that, if not required, the processing of ICMP redirect messages on devices should be disabled.

Cisco IOS Information


ICMP redirect message sending can be disabled on network interfaces with the following command:

no ip redirects

Additional Information

TID: TNA-PRO-0013
Wikipedia: https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol

The following findings are related to this one:

ICMP Unreachable Messages Were Enabled (see section TNA-PRO-0020).


PAD Service Enabled INFORMATIONAL

Invictux Rating

Overall: Informational
Impact: Informational
Ease: Trivial
Fix: Quick

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Finding

The Packet Assembler / Disassembler (PAD) service enables X.25 commands and connections between PAD devices and access
servers, converting the character stream data into network packets and network packets into character stream data. The PAD
service is enabled by default on some devices but it is only required if support for X.25 links is necessary.

Invictux examined the device configuration to determine if the PAD service was disabled.

JED-DC-CORE-SW.catrion.local Findings

Invictux determined that the PAD service was disabled on JED-DC-CORE-SW.catrion.local.

Impact

In addition to the extra overhead, running unused services increases the chances of an attacker finding a security hole or
fingerprinting a device.

Ease

The PAD service was enabled.

Recommendation

Invictux recommends that, if not required, the PAD service should be disabled.

Cisco IOS Information


The following command can be used to disable the PAD service on Cisco IOS devices:

no service pad

Additional Information

TID: TNA-PRO-0011
Wikipedia: https://en.wikipedia.org/wiki/Packet_assembler/disassembler

Unrestricted Outbound Administrative Access INFORMATIONAL

Invictux Rating

Overall: Informational
Impact: Informational
Ease: Challenging
Fix: Quick

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Finding

Many network devices, such as switches and routers, contain network client tools that enable a network administrator to connect
to administrative services offered by other devices. Outbound access from these devices to others can be restricted to specific
host addresses in order to limit the access to only those that are required.

Invictux examined all usable administrative VTY lines to determine whether they had been configured with an outbound ACL.

JED-DC-CORE-SW.catrion.local Findings

The configuration of the administrative lines on JED-DC-CORE-SW.catrion.local are detailed in Table 75.

Line Access Login Level Password Telnet SSH Filter In Filter Out

VTY 0 - 4 Yes Line Password 1 CiscoAdmin No Yes 10

VTY 5 - 15 Yes Line Password 1 CiscoAdmin No Yes 10

Table 75: Administrative line settings on JED-DC-CORE-SW.catrion.local

Impact
A malicious user, or attacker, with a basic level of access to the device could use it to attack other devices on the network. An
attacker may prefer to use this facility as a way of masking their trail or because the target device may not be contactable directly.
If an outbound ACL had been configured then the potential list of targets would be restricted to only those network addresses.

Ease

The attacker must have a level of access to the device in order to be able to use the administrative service client tools to access
another system. However, once a level of access has been gained on the device the attacker would then be able to use the
available client tools to access services offered by other devices.

Recommendation

Invictux recommends that, unless required, an outbound ACL should be configured and assigned in order to restrict
administrative access to other systems.

Cisco IOS Information

On Cisco IOS devices an outbound ACL can be created and assigned to an administrative line using the following commands:

ip access-list standard <access-list-number>
remark <description>
permit <ip-address> <wildcard> [log]
exit
line <line-type> <line-number(s)>
access-class <access-list-number> out

Additional Information

TID: TNA-ADM-0024
Classification: Administration, Filtering

No Post Logon Banner Message

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Finding

Post logon banner messages are shown to users after they have authenticated and before they are given access to the device. This is distinct from a pre-logon banner message, which is shown to users when they connect to a device and before the user logs on.
Invictux examined the device configuration to determine whether a post-login banner message had been configured.

JED-DC-CORE-SW.catrion.local Findings

There was no post-login banner message configured on JED-DC-CORE-SW.catrion.local.

Impact

The post logon banner is useful for detailing the acceptable use policy and the change control procedures which should be
followed prior to making any changes to a device's configuration. An acceptable use message detailing the change control
procedures and warning against abuse of the policy could help to prevent ad-hoc changes being made to a device's configuration.

Ease

With no post logon banner configured, a user would not be given a reminder of the acceptable use and change control procedure
policy details.

Recommendation

Invictux recommends that a post logon banner message is configured that details both the acceptable use policy and change
control procedures. Additionally, if the device does not support a pre-logon banner message then Invictux recommends that
the post logon banner message should also include a carefully worded legal warning against unauthorized access.

Cisco IOS Information

The Exec banner message is shown after logon and before the command prompt is shown on Cisco IOS devices. The Exec
banner message can be configured on Cisco IOS devices using the following command:

banner exec <delimiter> <banner-message> <delimiter>

Additional Information

TID: TNA-BAN-0002
Classification: Administration

Potentially Unused Network Interfaces INFORMATIONAL

Invictux Rating

Overall: Informational
Impact: Informational
Ease: Challenging
Fix: Quick

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Finding

Many devices enable the activation and deactivation of individual network interfaces. This allows for any unused network
interfaces to be disabled. It is generally considered good security practice to disable unused network interfaces to help prevent
unauthorized access to the device and network.

Invictux examined the device configuration to determine if the device had any potentially unused interfaces.

JED-DC-CORE-SW.catrion.local Findings

Invictux identified potentially unused network interfaces that were not disabled on JED-DC-CORE-SW.catrion.local.
The potentially unused interfaces are described in Table 76.

Interface | Class | Active | Unsecure | Address | Switchport | Mode | VLAN | Description
Loopback0 | Internal | Yes | Unknown | | No (Layer 3) | N/A | N/A | 

Table 76: Potentially unused interfaces that were not disabled

Impact

If unused interfaces are not disabled, an attacker may be able to connect to one of them and gain network access without the
risk of detection that unplugging an existing connection would carry.

Ease

An attacker would require physical access to the device in order to connect to an unused network connection, unless the port has
been patched to another location that is more accessible.

Recommendation

Invictux recommends that the list of potentially unused active network connections should be reviewed and any unused
interfaces disabled.

Cisco IOS Information

Unused interfaces can be disabled with the following interface configuration command:

shutdown

Additional Information

TID: TNA-INTR-0002

Switch Ports Allow Trunking All VLAN INFORMATIONAL

Invictux Rating

Overall: Informational
Impact: Informational
Ease: Trivial
Fix: Quick

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Finding

VLAN network packets can be sent between networked devices, extending a VLAN across different physical devices. In order to
extend a VLAN to a different physical device a trunk has to be created between the devices. In order to restrict VLAN access
across different physical devices, the VLAN trunk can be configured to only permit specific VLANs.

Invictux examined the device configuration to check that all network interfaces trunk only specific VLANs.

The scope was further limited to those network interfaces with switchport enabled.

JED-DC-CORE-SW.catrion.local Findings

Invictux identified the following 103 interfaces on JED-DC-CORE-SW.catrion.local that were configured to trunk all VLANs.

Interface | Active | Unsecure | Address | Switchport | Mode | VLAN | Description
Port-channel1 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Uplink Port - Sophos Perimeter FW1
Port-channel2 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Uplink Port - Sophos Perimeter FW2
Port-channel3 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Uplink Port - Sophos B2B (XGS 2100) FW1
Port-channel4 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Uplink Port - Sophos B2B (XGS 2100) FW2
Port-channel5 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Uplink Port - Sophos Primary FW1 XGS 4500
Port-channel6 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Uplink Port - Sophos Primary FW1 XGS 4500
Port-channel7 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Uplink Port - Sophos Primary FW2 XGS 4500
Port-channel8 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Uplink Port - Sophos Primary FW2 XGS 4500
Port-channel9 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Uplink Port - Sophos B2B (XGS 2100) FW1
Port-channel10 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Uplink Port - Sophos B2B (XGS 2100) FW2
Port-channel12 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Connected to nac-jed-SPAN
Port-channel19 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Connected to Aruba-Controller-1
Port-channel20 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Connected to Aruba-Controller-2
Port-channel21 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Connected to Aruba-Controller-3
Port-channel26 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Connected to WAN-Server
Port-channel27 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Connected to JEDGIGMON
Port-channel28 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Core Switch Extension Catalyst 9200L 24-port PoE+ x 2 for system with 1GB-TX interface
Port-channel30 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Connected to JED-CORE-MGM-SW1
Port-channel101 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Uplink Port - Service Switch
TwentyFiveGigE1/0/1 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Uplink Port - Sophos Perimeter FW1
TwentyFiveGigE1/0/2 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Uplink Port - Sophos Perimeter FW2
TwentyFiveGigE1/0/3 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Uplink Port - Sophos B2B (XGS 2100) FW1
TwentyFiveGigE1/0/4 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Uplink Port - Sophos B2B (XGS 2100) FW2
TwentyFiveGigE1/0/5 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Uplink Port - Sophos Primary FW1 XGS 4500
TwentyFiveGigE1/0/6 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Uplink Port - Sophos Primary FW1 XGS 4500
TwentyFiveGigE1/0/7 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Uplink Port - Sophos Primary FW2 XGS 4500
TwentyFiveGigE1/0/8 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Uplink Port - Sophos Primary FW2 XGS 4500
TwentyFiveGigE1/0/9 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE1/0/10 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE1/0/12 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE1/0/13 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE1/0/14 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE1/0/16 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE1/0/17 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE1/0/18 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE1/0/19 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 276 | Connected to Aruba-Controller-1
TwentyFiveGigE1/0/20 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 276 | Connected to Aruba-Controller-2
TwentyFiveGigE1/0/26 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Connected to WAN-Server
TwentyFiveGigE1/0/27 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Connected to JEDGIGMON
TwentyFiveGigE1/0/28 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Core Switch Extension Catalyst 9200L 24-port PoE+ x 2 for system with 1GB-TX interface
TwentyFiveGigE1/0/29 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE1/0/30 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Connected to JED-CORE-MGM-SW1
TwentyFiveGigE1/0/32 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE1/0/33 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE1/0/36 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE1/0/37 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE1/0/38 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Uplink Port - Service Switch
TwentyFiveGigE1/0/39 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Uplink Port - Service Switch
TwentyFiveGigE1/0/40 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE1/0/41 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 99 | MICROWAVE-AMAZNET-ISP-SW
TwentyFiveGigE1/0/42 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE1/0/43 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE1/0/44 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE1/0/45 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE1/0/46 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE1/0/47 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE1/0/48 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE2/0/1 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Uplink Port - Sophos Perimeter FW1
TwentyFiveGigE2/0/2 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Uplink Port - Sophos Perimeter FW2
TwentyFiveGigE2/0/3 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Uplink Port - Sophos B2B (XGS 2100) FW1
TwentyFiveGigE2/0/4 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Uplink Port - Sophos B2B (XGS 2100) FW2
TwentyFiveGigE2/0/5 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Uplink Port - Sophos Primary FW1 XGS 4500
TwentyFiveGigE2/0/6 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Uplink Port - Sophos Primary FW1 XGS 4500
TwentyFiveGigE2/0/7 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Uplink Port - Sophos Primary FW2 XGS 4500
TwentyFiveGigE2/0/8 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Uplink Port - Sophos Primary FW2 XGS 4500
TwentyFiveGigE2/0/9 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE2/0/10 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE2/0/12 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE2/0/13 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE2/0/14 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE2/0/16 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE2/0/17 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE2/0/18 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE2/0/19 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 276 | Connected to Aruba-Controller-1
TwentyFiveGigE2/0/20 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 276 | Connected to Aruba-Controller-2
TwentyFiveGigE2/0/26 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Connected to WAN-Server
TwentyFiveGigE2/0/27 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Connected to JEDGIGMON
TwentyFiveGigE2/0/28 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Core Switch Extension Catalyst 9200L 24-port PoE+ x 2 for system with 1GB-TX interface
TwentyFiveGigE2/0/29 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE2/0/30 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Connected to JED-CORE-MGM-SW1
TwentyFiveGigE2/0/32 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE2/0/33 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE2/0/36 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE2/0/37 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE2/0/38 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Uplink Port - Service Switch
TwentyFiveGigE2/0/39 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 1 | Uplink Port - Service Switch
TwentyFiveGigE2/0/40 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE2/0/41 | Yes | Unknown | | Yes (Layer 2) | Trunk | Trunk (Tagged): All; Native (Untagged): 99 | 
TwentyFiveGigE2/0/42 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE2/0/43 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE2/0/44 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE2/0/45 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE2/0/46 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE2/0/47 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
TwentyFiveGigE2/0/48 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
HundredGigE1/0/49 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
HundredGigE1/0/50 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
HundredGigE1/0/51 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
HundredGigE1/0/52 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
HundredGigE2/0/49 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
HundredGigE2/0/50 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
HundredGigE2/0/51 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 
HundredGigE2/0/52 | Yes | Unknown | | Yes (Layer 2) | Auto | Access (Untagged): 1; Trunk (Tagged): All; Native (Untagged): 1 | 

Table 77: Network interfaces that trunk all VLANs on JED-DC-CORE-SW.catrion.local

Impact

An attacker who is able to create a trunk would gain direct access to all the VLANs extended over the trunk. This would allow the
attacker to bypass any network filtering between the VLANs and capture potentially sensitive information. If clear-text protocol
traffic is carried over the trunk, the attacker would gain immediate access to any authentication credentials transferred.

It is worth noting that some network devices by default allow trunks to be negotiated on their network ports, and such a
negotiated trunk will by default carry all VLANs.

Ease

Tools can be downloaded from the Internet that are capable of creating trunks, or the attacker could use a network switch. The
attacker would require a little knowledge of network trunking.

Recommendation

Invictux recommends that, if not required, VLAN trunking should be disabled. If trunking is required on a specific switch
port, Invictux recommends that the switch port should be configured to trunk only the required VLANs.

Cisco IOS Information

Switch ports can be configured to provide no trunking, or to trunk only specific VLANs, using the following interface
commands respectively:

switchport mode access
switchport trunk allowed vlan <vlan-list>

Additional Information

TID: TNA-INTR-0004
IEEE: IEEE 802.1Q, IEEE 802.1ad, IEEE 802.1ah
Wikipedia: https://en.wikipedia.org/wiki/VLAN

Classless Routing Enabled INFORMATIONAL

Invictux Rating

Overall: Informational
Impact: Informational
Ease: Trivial
Fix: Quick

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Finding

Classless routing enables the device to forward a network packet that is destined for a network subnet for which there is no route
configured. Instead of failing to route the traffic, the device will forward the traffic to a configured supernet network route that
best matches the intended destination.

Invictux examined the device configuration to determine whether the classless routing feature had been disabled.

JED-DC-CORE-SW.catrion.local Findings

Invictux determined that classless routing was enabled on JED-DC-CORE-SW.catrion.local.

Impact

An attacker may attempt to abuse this functionality in order to route network packets which should otherwise fail.

Ease

With classless routing enabled, network packets received for an unknown subnet will be forwarded to the best matching supernet.

Recommendation

Invictux suggests that, where possible, classless routing should be disabled.

Cisco IOS Information

Classless routing can be disabled on Cisco IOS devices with the following command:

no ip classless

Additional Information

TID: TNA-ROUT-0006
Classification: Routing
Wikipedia: https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing
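The checks behind four of the findings above (outbound VTY ACL, TNA-ADM-0024; switch ports trunking all VLANs, TNA-INTR-0004; the PAD service, TNA-PRO-0011; classless routing, TNA-ROUT-0006), as an added example that is not part of this report or of the audit tool: a Python script that parses a constructed Cisco IOS running-config, flags each condition and emits the remediation commands the report recommends. The sample config, the ACL number 20 and the VLAN list 10,20 are invented placeholders, and reading a port with no `switchport mode` line as `dynamic auto` (the state the tables above show as "Auto") is an assumption of the example.

```python
"""Added example (not the report's or the audit tool's code): flags VTY lines with no
outbound access-class (TNA-ADM-0024), switchports trunking all VLANs (TNA-INTR-0004) and
'service pad' / 'ip classless' left at their IOS defaults, over a constructed config."""
import re
from typing import Dict, List

# Constructed sample running-config: names, VLANs and ACL numbers are invented.
SAMPLE_CONFIG = """\
hostname LAB-SW
service pad
ip classless
!
interface TwentyFiveGigE1/0/1
 description Uplink Port - Perimeter FW1
 switchport mode trunk
!
interface TwentyFiveGigE1/0/9
 switchport mode dynamic auto
!
interface TwentyFiveGigE1/0/19
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30-32
!
interface TwentyFiveGigE1/0/40
 switchport mode access
!
interface HundredGigE1/0/49
 description no switchport mode line at all
!
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 access-class 10 in
 access-class 20 out
 transport input ssh
"""

def parse_stanzas(config: str) -> Dict[str, List[str]]:
    """Map each 'interface ...' or 'line ...' header to its indented body lines."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        elif raw.startswith(("interface ", "line ")):
            current = raw.strip()
            stanzas[current] = []
        else:
            current = None  # '!' or any other global command ends the stanza
    return stanzas

def vty_without_outbound_acl(stanzas: Dict[str, List[str]]) -> List[str]:
    """TNA-ADM-0024: VTY line groups lacking an 'access-class <acl> out' entry."""
    return [name for name, body in stanzas.items()
            if name.startswith("line vty")
            and not any(re.fullmatch(r"access-class \S+ out", ln) for ln in body)]

def trunk_all_vlans(stanzas: Dict[str, List[str]]) -> Dict[str, str]:
    """TNA-INTR-0004: {interface: mode} for switchports whose trunk, actual or DTP-negotiable,
    carries every VLAN. No 'switchport mode' line is read as 'dynamic auto', the state the
    report shows as 'Auto' (an assumption of this example)."""
    flagged: Dict[str, str] = {}
    for name, body in stanzas.items():
        if (not name.startswith("interface ") or "no switchport" in body
                or name.startswith(("interface Loopback", "interface Vlan"))):
            continue  # routed or virtual interfaces cannot trunk
        mode, allowed = "dynamic auto", "all"
        for ln in body:
            if ln.startswith("switchport mode "):
                mode = ln[len("switchport mode "):]
            elif ln.startswith("switchport trunk allowed vlan "):
                allowed = ln.split("vlan ", 1)[1]
        if mode != "access" and allowed == "all":
            flagged[name.split(" ", 1)[1]] = mode
    return flagged

def insecure_globals(config: str) -> Dict[str, bool]:
    """Both features are on by default in IOS, so only an explicit 'no ...' line disables them."""
    top = {ln.strip() for ln in config.splitlines() if ln and not ln.startswith((" ", "!"))}
    return {"service pad": "no service pad" not in top,
            "ip classless": "no ip classless" not in top}

def remediation(vty_lines: List[str], ports: Dict[str, str],
                out_acl: int = 20, vlan_list: str = "10,20") -> List[str]:
    """The report's recommended IOS commands; ACL number and VLAN list are placeholders."""
    cmds: List[str] = []
    for vty in vty_lines:
        cmds += [vty, f" access-class {out_acl} out"]
    for port, mode in ports.items():
        # a real trunk keeps trunking but only the required VLANs; a DTP-negotiable port is pinned to access mode
        cmds += [f"interface {port}", f" switchport trunk allowed vlan {vlan_list}"
                 if mode == "trunk" else " switchport mode access"]
    return cmds

if __name__ == "__main__":
    st = parse_stanzas(SAMPLE_CONFIG)
    vty, ports = vty_without_outbound_acl(st), trunk_all_vlans(st)
    print(vty, ports, insecure_globals(SAMPLE_CONFIG), "\n".join(remediation(vty, ports)), sep="\n")
```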

Conclusions
Invictux performed a best practice security audit on Wednesday, December 11, 2024 of the device detailed in Table 78.
Invictux identified 36 security-related findings. The most significant finding was rated as high.

Device Name Issues Highest Rating

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local 36 High

Table 78: Security audit device conclusions

Invictux identified five high rated security findings. Invictux determined that:

the unicast RPF verification feature was disabled (one device, see section TNA-IPS-0026);
STP was not enabled on all interfaces (one device, see section TNA-PRO-0016);
BPDU Guard was not enabled (one device, see section TNA-PRO-0015);
STP Root Guard was not enabled (one device, see section TNA-PRO-0019);
OSPF routing updates were not authenticated (one device, see section TNA-ROUT-0029).

Invictux identified five medium rated security findings. Invictux determined that:

user accounts were configured with a weak password (one device, see section TNA-ATH-0031);
DTP was enabled (one device, see section TNA-PRO-0003);
passwords stored using the Cisco Type 7 encoding algorithm were identified (one device, see section TNA-ATH-0003);
STP Loop Guard was not enabled (one device, see section TNA-PRO-0017);
low OSPF priorities were configured (one device, see section TNA-ROUT-0030).

Invictux identified 17 low rated security findings. Invictux determined that:

a weak user account lockout policy setting was configured (one device, see section TNA-ATH-0010);
no OSPF LSA message thresholds were configured (one device, see section TNA-ROUT-0031);
a SNMP TFTP server access list was not configured (one device, see section TNA-SNMP-0011);
NTP authentication was disabled (one device, see section TNA-TME-0002);
the BOOTP service was not disabled (one device, see section TNA-ADM-0002);
a weak password age policy setting was configured (one device, see section TNA-ATH-0018);
a password length policy setting of at least ten characters was not configured (one device, see section TNA-ATH-0020);
the password policy was not configured to require the inclusion of lowercase characters in a password (one device, see section
TNA-ATH-0027);
the password policy was not configured to require the inclusion of uppercase characters in a password (one device, see section
TNA-ATH-0030);
the password policy was not configured to require the inclusion of numerical characters in a password (one device, see section
TNA-ATH-0028);
the password policy was not configured to require the inclusion of special characters in a password (one device, see section
TNA-ATH-0029);
port security was not enabled on all switch ports (one device, see section TNA-INTR-0003);
ICMP unreachable messages were enabled (one device, see section TNA-PRO-0020);
CDP was enabled (one device, see section TNA-PRO-0001);
LLDP was enabled (one device, see section TNA-PRO-0008);
proxy ARP was enabled (one device, see section TNA-PRO-0012);
IP source routing was enabled (one device, see section TNA-ROUT-0020).

Invictux identified nine informational rated security findings. Invictux determined that:

DNS lookups were enabled (one device, see section TNA-DNS-0001);
no network filtering rules were configured (one device, see section TNA-FLT-0011);
network interfaces were configured without filtering (one device, see section TNA-INTR-0001);
ICMP redirect message sending was enabled (one device, see section TNA-PRO-0013);
the PAD service was enabled (one device, see section TNA-PRO-0011);
no outbound administrative ACL has been configured (one device, see section TNA-ADM-0024);
potentially unused interfaces were active (one device, see section TNA-INTR-0002);
trunking was enabled for all VLANs (one device, see section TNA-INTR-0004);
classless routing was enabled (one device, see section TNA-ROUT-0006).

Invictux can draw the following statistics from the results of this security assessment (percentages have been rounded). 5
findings (14%) were rated as high, 5 findings (14%) were rated as medium, 17 findings (47%) were rated as low and 9 findings
(25%) were rated as informational.

(Charts: Severity Classification; Issue Classification)

Recommendations
This section collates the issue recommendations into a single location in order to provide a guide to planning and mitigating the
identified issues. The recommendations are listed in Table 79 together with the issue rating and a list of affected devices.

Issue | Rating | Recommendation | Affected Devices | Section
Unicast RPF Verification Was Disabled | High | Enable the unicast RPF verification feature | JED-DC-CORE-SW.catrion.local | TNA-IPS-0026
STP Not Enabled On All Interfaces | High | Configure STP on all interfaces | JED-DC-CORE-SW.catrion.local | TNA-PRO-0016
STP BPDU Guard Was Not Enabled | High | Enable BPDU Guard device-wide and on all non-bridging interfaces | JED-DC-CORE-SW.catrion.local | TNA-PRO-0015
STP Root Guard Not Enabled | High | Enable STP Root Guard on all bridging interfaces | JED-DC-CORE-SW.catrion.local | TNA-PRO-0019
OSPF Routing Updates With No Authentication | High | Configure strong authentication keys for all OSPF routing updates | JED-DC-CORE-SW.catrion.local | TNA-ROUT-0029
Users With A Weak Authentication Password | Medium | Configure strong passwords for all user authentication credentials. | JED-DC-CORE-SW.catrion.local | TNA-ATH-0031
DTP Was Enabled | Medium | Disable DTP | JED-DC-CORE-SW.catrion.local | TNA-PRO-0003
Users Configured With Cisco Type 7 Password Hashing Algorithm | Medium | Configure all users to store passwords using an up-to-date hashing algorithm (e.g. Cisco Type-8 or Type-9). | JED-DC-CORE-SW.catrion.local | TNA-ATH-0003
STP Loop Guard Not Enabled | Medium | Enable STP Loop Guard on all bridging interfaces | JED-DC-CORE-SW.catrion.local | TNA-PRO-0017
Low OSPF Priorities | Medium | Configure only high OSPF priorities | JED-DC-CORE-SW.catrion.local | TNA-ROUT-0030
Weak User Account Lockout Policy Setting | Low | Configure the user account lockout policy to disable access after 3 failed logon attempts for all users. | JED-DC-CORE-SW.catrion.local | TNA-ATH-0010
No OSPF LSA Thresholds | Low | Configure OSPF LSA message thresholds for all OSPF routing processes | JED-DC-CORE-SW.catrion.local | TNA-ROUT-0031
No SNMP TFTP Server Access List Configured | Low | Configure a SNMP TFTP server access list. | JED-DC-CORE-SW.catrion.local | TNA-SNMP-0011
NTP Authentication Was Disabled | Low | Enable NTP authentication. | JED-DC-CORE-SW.catrion.local | TNA-TME-0002
The BOOTP Service Was Not Disabled | Low | Disable the BOOTP service. | JED-DC-CORE-SW.catrion.local | TNA-ADM-0002
Weak Password Age Policy Setting | Low | Configure a maximum password age policy setting of 60 days. | JED-DC-CORE-SW.catrion.local | TNA-ATH-0018
Weak Minimum Password Length Policy Setting | Low | Configure a password length policy setting of at least ten characters. | JED-DC-CORE-SW.catrion.local | TNA-ATH-0020
Weak Lowercase Password Character Policy Setting | Low | Configure the password policy to require the inclusion of lowercase characters in a password. | JED-DC-CORE-SW.catrion.local | TNA-ATH-0027
Weak Uppercase Password Character Policy Setting | Low | Configure the password policy to require the inclusion of uppercase characters in a password. | JED-DC-CORE-SW.catrion.local | TNA-ATH-0030
Weak Numbers Password Character Policy Setting | Low | Configure the password policy to require the inclusion of numerical characters in a password. | JED-DC-CORE-SW.catrion.local | TNA-ATH-0028
Weak Specials Password Character Policy Setting | Low | Configure the password policy to require the inclusion of special characters in a password. | JED-DC-CORE-SW.catrion.local | TNA-ATH-0029
Switch Port Security Disabled | Low | Enable port security on all switch ports | JED-DC-CORE-SW.catrion.local | TNA-INTR-0003
ICMP Unreachable Messages Were Enabled | Low | Disable the sending of ICMP unreachable messages | JED-DC-CORE-SW.catrion.local | TNA-PRO-0020
CDP Was Enabled | Low | Disable CDP | JED-DC-CORE-SW.catrion.local | TNA-PRO-0001
LLDP Was Enabled | Low | Disable LLDP | JED-DC-CORE-SW.catrion.local | TNA-PRO-0008
Proxy ARP Was Enabled | Low | Disable proxy ARP on all interfaces | JED-DC-CORE-SW.catrion.local | TNA-PRO-0012
IP Source Routing Was Enabled | Low | Disable IP source routing | JED-DC-CORE-SW.catrion.local | TNA-ROUT-0020
DNS Lookups Were Enabled | Informational | Disable DNS lookups. | JED-DC-CORE-SW.catrion.local | TNA-DNS-0001
No Network Filtering Rules Were Configured | Informational | Configure network filtering to restrict access to network services | JED-DC-CORE-SW.catrion.local | TNA-FLT-0011
Interfaces Were Configured With No Filtering | Informational | Assign network filtering rules to all network interfaces | JED-DC-CORE-SW.catrion.local | TNA-INTR-0001
ICMP Redirect Messages Were Enabled | Informational | Disable the sending of ICMP redirect messages | JED-DC-CORE-SW.catrion.local | TNA-PRO-0013
PAD Service Enabled | Informational | Disable the PAD service | JED-DC-CORE-SW.catrion.local | TNA-PRO-0011
Unrestricted Outbound Administrative Access | Informational | Configure an ACL to restrict outbound administrative service access. | JED-DC-CORE-SW.catrion.local | TNA-ADM-0024
Potentially Unused Network Interfaces | Informational | Disable all unused interfaces | JED-DC-CORE-SW.catrion.local | TNA-INTR-0002
Switch Ports Allow Trunking All VLAN | Informational | Disable VLAN trunking; configure trunking for only the required VLANs | JED-DC-CORE-SW.catrion.local | TNA-INTR-0004
Classless Routing Enabled | Informational | Disable classless routing | JED-DC-CORE-SW.catrion.local | TNA-ROUT-0006

Table 79: Security audit recommendations list

Mitigation Classification
This section aims to provide a guide to the perceived complexity of resolving a particular finding by implementing the
recommendation. An outline of how each mitigation classification has been determined is described in Table 80.

Classification | Description
Quick | The finding is quick to resolve. Typically this would just involve changing a small number of settings and would have little-to-no effect on network services.
Planned | The finding resolution involves planning, testing and could cause some disruption to services. This finding could involve changes to routing protocols and changes to network filtering.
Involved | The resolution of the finding will require significant resources to resolve and is likely to include disruption to network services, and possibly the modification of other network device configurations. The finding could involve upgrading a device's OS and possible modifications to the hardware.

Table 80: The mitigation classification

Invictux identified 29 security findings with mitigation recommendations that were classified as Quick. Those findings were:

High : Unicast RPF Verification Was Disabled (one device, see section TNA-IPS-0026);
High : STP Not Enabled On All Interfaces (one device, see section TNA-PRO-0016);
High : STP BPDU Guard Was Not Enabled (one device, see section TNA-PRO-0015);
High : STP Root Guard Not Enabled (one device, see section TNA-PRO-0019);
Medium : Users With A Weak Authentication Password (one device, see section TNA-ATH-0031);
Medium : Users Configured With Cisco Type 7 Password Hashing Algorithm (one device, see section TNA-ATH-0003);
Medium : STP Loop Guard Not Enabled (one device, see section TNA-PRO-0017);
Low : Weak User Account Lockout Policy Setting (one device, see section TNA-ATH-0010);
Low : No SNMP TFTP Server Access List Configured (one device, see section TNA-SNMP-0011);
Low : The BOOTP Service Was Not Disabled (one device, see section TNA-ADM-0002);
Low : Weak Password Age Policy Setting (one device, see section TNA-ATH-0018);
Low : Weak Minimum Password Length Policy Setting (one device, see section TNA-ATH-0020);
Low : Weak Lowercase Password Character Policy Setting (one device, see section TNA-ATH-0027);
Low : Weak Uppercase Password Character Policy Setting (one device, see section TNA-ATH-0030);
Low : Weak Numbers Password Character Policy Setting (one device, see section TNA-ATH-0028);
Low : Weak Specials Password Character Policy Setting (one device, see section TNA-ATH-0029);
Low : ICMP Unreachable Messages Were Enabled (one device, see section TNA-PRO-0020);
Low : CDP Was Enabled (one device, see section TNA-PRO-0001);
Low : LLDP Was Enabled (one device, see section TNA-PRO-0008);
Low : Proxy ARP Was Enabled (one device, see section TNA-PRO-0012);
Low : IP Source Routing Was Enabled (one device, see section TNA-ROUT-0020);
Informational : DNS Lookups Were Enabled (one device, see section TNA-DNS-0001);
Informational : Interfaces Were Configured With No Filtering (one device, see section TNA-INTR-0001);
Informational : ICMP Redirect Messages Were Enabled (one device, see section TNA-PRO-0013);
Informational : PAD Service Enabled (one device, see section TNA-PRO-0011);
Informational : Unrestricted Outbound Administrative Access (one device, see section TNA-ADM-0024);
Informational : Potentially Unused Network Interfaces (one device, see section TNA-INTR-0002);
Informational : Switch Ports Allow Trunking All VLAN (one device, see section TNA-INTR-0004);
Informational : Classless Routing Enabled (one device, see section TNA-ROUT-0006).

Invictux identified 6 security findings with mitigation recommendations that were classified as Planned. Those findings were:

Medium : DTP Was Enabled (one device, see section TNA-PRO-0003);
Medium : Low OSPF Priorities (one device, see section TNA-ROUT-0030);
Low : No OSPF LSA Thresholds (one device, see section TNA-ROUT-0031);
Low : NTP Authentication Was Disabled (one device, see section TNA-TME-0002);
Low : Switch Port Security Disabled (one device, see section TNA-INTR-0003);
Informational : No Network Filtering Rules Were Configured (one device, see section TNA-FLT-0011).

Invictux identified one security finding with a mitigation recommendation that was classified as Involved. This finding was:

High : OSPF Routing Updates With No Authentication (one device, see section TNA-ROUT-0029).

Invictux can draw the following additional conclusion from the best practice security audit based on the classification of the
recommended finding mitigations. Most of the security finding recommendations are perceived to be quick to implement, enabling
the majority of the findings to be quickly resolved without requiring a significant allocation of resources or system disruption. Of the
36 security findings identified, 29 (80%) recommendations were classified as having a quick mitigation, six (16%) recommendations
were classified as having a planned mitigation and one (2%) recommendation was classified as having an involved mitigation.

Issue Mitigation Classification

NIST NVD

Introduction
Invictux performed a software vulnerability audit on Wednesday, December 11, 2024 of the device detailed in Table 81.

Name | Device | Version
JED-DC-CORE-SW.catrion.local | Cisco Catalyst Switch | 17.9

Table 81: Vulnerability audit scope

The NVD published by NIST was used to compare the device type, model and version against the database of known vulnerabilities.
Each vulnerability finding is described with a CVSS severity rating, identifiers, links to references that describe the finding in more
detail and classification information.

CVE-2007-5552 CRITICAL

CVSS v2 Rating

Score: 9.3 (Critical)


Base: AV:N/AC:M/Au:N/C:C/I:C/A:C (9.3)
Temporal: E:ND/RL:ND/RC:ND (9.3)
Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND (9.3)

Affected Devices
Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

Integer overflow in Cisco IOS allows remote attackers to execute arbitrary code via unspecified vectors. NOTE: as of 20071016, the
only disclosure is a vague pre-advisory with no actionable information. However, since it is from a well-known researcher, it is
being assigned a CVE identifier for tracking purposes.

References

MISC - http://www.irmplc.com/index.php/111-Vendor-Alerts

CVE-2020-3426 CRITICAL

CVSS v3.1 Rating

Score: 9.1 (Critical)


Base: 9.1
Temporal: 9.1
Environmental: 9.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

A vulnerability in the implementation of the Low Power, Wide Area (LPWA) subsystem of Cisco IOS Software for Cisco 800 Series
Industrial Integrated Services Routers (Industrial ISRs) and Cisco 1000 Series Connected Grid Routers (CGR1000) could allow an
unauthenticated, remote attacker to gain unauthorized read access to sensitive data or cause a denial of service (DoS) condition.
The vulnerability is due to a lack of input and validation checking mechanisms for virtual-LPWA (VLPWA) protocol modem
messages. An attacker could exploit this vulnerability by supplying crafted packets to an affected device. A successful exploit
could allow the attacker to gain unauthorized read access to sensitive data or cause the VLPWA interface of the affected device to
shut down, resulting in DoS condition.

References

CISCO - 20200924 Cisco IOS Software for Cisco Industrial Routers Virtual-LPWA Unauthorized Access Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-lpwa-access-cXsD7PRA (Vendor
Advisory)
Common Weakness Information

Invictux performed a lookup of the Common Weakness Enumeration (CWE) details as part of the vulnerability audit. This
section details that information for this finding.

Improper Input Validation

Information

CWE ID : 20
Likelihood : High
Related : Child of CWE ID 707, A peer of CWE ID 345, Can precede CWE ID 22, Can precede CWE ID 41, Can precede
CWE ID 74, Can precede CWE ID 119, Can precede CWE ID 770

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are
required to process the data safely and correctly.

Detail

Input validation is a frequently-used technique for checking potentially dangerous inputs in order to ensure that the inputs
are safe for processing within the code, or when communicating with other components. When software does not validate
input properly, an attacker is able to craft the input in a form that is not expected by the rest of the application. This will
lead to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a
resource, or arbitrary code execution.

Input validation is not the only technique for processing input, however. Other techniques attempt to transform
potentially-dangerous input into something safe, such as filtering (CWE-790), which attempts to remove dangerous inputs, or
encoding/escaping (CWE-116), which attempts to ensure that the input is not misinterpreted when it is included in output to
another component. Other techniques exist as well (see CWE-138 for more examples).

Input validation can be applied to:
- raw data - strings, numbers, parameters, file contents, etc.
- metadata - information about the raw data, such as headers or size

Data can be simple or structured. Structured data can be composed of many nested layers, composed of combinations of
metadata and raw data, with other simple or structured data.

Many properties of raw data or metadata may need to be validated upon entry into the code, such as:
- specified quantities such as size, length, frequency, price, rate, number of operations, time, etc.
- implied or derived quantities, such as the actual size of a file instead of a specified size
- indexes, offsets, or positions into more complex data structures
- symbolic keys or other elements into hash tables, associative arrays, etc.
- well-formedness, i.e. syntactic correctness - compliance with expected syntax
- lexical token correctness - compliance with rules for what is treated as a token
- specified or derived type - the actual type of the input (or what the input appears to be)
- consistency - between individual data elements, between raw data and metadata, between references, etc.
- conformance to domain-specific rules, e.g. business logic
- equivalence - ensuring that equivalent inputs are treated the same
- authenticity, ownership, or other attestations about the input, e.g. a cryptographic signature to prove the source of the data

Implied or derived properties of data must often be calculated or inferred by the code itself. Errors in deriving properties
may be considered a contributing factor to improper input validation.

Note that "input validation" has very different meanings to different people, or within different classification schemes.
Caution must be used when referencing this CWE entry or mapping to it. For example, some weaknesses might involve
inadvertently giving control to an attacker over an input when they should not be able to provide an input at all, but
sometimes this is referred to as input validation.

Finally, it is important to emphasize that the distinctions between input validation and output escaping are often blurred,
and developers must be careful to understand the difference, including how input validation is not always sufficient to
prevent vulnerabilities, especially when less stringent data types must be supported, such as free-form text. Consider a SQL
injection scenario in which a person's last name is inserted into a query. The name "O'Reilly" would likely pass the validation
step since it is a common last name in the English language. However, this valid name cannot be directly inserted into the
database because it contains the "'" apostrophe character, which would need to be escaped or otherwise transformed. In this
case, removing the apostrophe might reduce the risk of SQL injection, but it would produce incorrect behavior because the
wrong name would be recorded.

Consequences

Scope | Impact | Notes
Availability | DoS: Crash, Exit, or Restart; DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory) | An attacker could provide unexpected values and cause a program crash or excessive consumption of resources, such as memory and CPU.
Confidentiality | Read Memory; Read Files or Directories | An attacker could read confidential data if they are able to control resource references.
Integrity | Modify Memory; Execute Unauthorized Code or Commands | An attacker could use malicious input to modify data or possibly alter control flow in unexpected ways, including arbitrary command execution.

Table 82: CWE ID 20 consequences

Mitigation

Architecture and Design:
Consider using language-theoretic security (LangSec) techniques that characterize inputs using a formal language and
build "recognizers" for that language. This effectively requires parsing to be a distinct layer that effectively enforces a
boundary between raw input and internal data representations, instead of allowing parser code to be scattered
throughout the program, where it could be subject to errors or inconsistencies that create weaknesses. [REF-1109]
[REF-1110] [REF-1111]

Architecture and Design:
Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework
does not automatically address all input validation problems; be mindful of weaknesses that could arise from
misusing the framework itself (CWE-1173).

Architecture and Design:
Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies,
anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL
components, e-mail, files, filenames, databases, and any external systems that provide data to the application.
Remember that such inputs may be obtained indirectly through API calls.

Implementation:
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable
inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or
transform it into something that does. When performing input validation, consider all potentially relevant properties,
including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across
related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically
valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors
such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at
least one undesirable input, especially if the code's environment changes. This can give attackers enough room to
bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which
inputs are so malformed that they should be rejected outright.

Architecture and Design:
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server
side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks
have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values
would be submitted to the server. Even though client-side checks provide minimal benefits with respect to server-side
security, they are still useful. First, they can support intrusion detection. If the server receives input that should have
been rejected by the client, then it may be an indication of an attack. Second, client-side error-checking can provide
helpful feedback to the user about the expectations for valid input. Third, there may be a reduction in server-side
processing time for accidental input errors, although this is typically a small savings.

Implementation:
When your application combines data from multiple sources, perform the validation after the sources have been
combined. The individual data elements may pass the validation step but violate the intended restrictions after they
have been combined.

Implementation:
Be especially careful to validate all input when invoking code that crosses language boundaries, such as from an
interpreted language to native code. This could create an unexpected interaction between the language boundaries.
Ensure that you are not violating any of the expectations of the language with which you are interfacing. For example,
even though Java may not be susceptible to buffer overflows, providing a large argument in a call to native code
might trigger an overflow.

Implementation:
Directly convert your input type into the expected data type, such as using a conversion function that translates a
string into a number. After converting to the expected data type, ensure that the input's values fall within the
expected range of allowable values and that multi-field consistencies are maintained.

Implementation:
Inputs should be decoded and canonicalized to the application's current internal representation before being
validated (CWE-180, CWE-181). Make sure that your application does not inadvertently decode the same input twice
(CWE-174). Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have
been checked. Use libraries such as the OWASP ESAPI Canonicalization control. Consider performing repeated
canonicalization until your input does not change any more. This will avoid double-decoding and similar scenarios,
but it might inadvertently modify inputs that are allowed to contain properly-encoded dangerous content.

Implementation:
When exchanging data between components, ensure that both components are using the same character encoding.
Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the
protocol allows you to do so.

CVE-2018-0172 HIGH

CVSS v3.1 Rating

Score: 8.6 (High)


Base: 8.6
Temporal: 8.6
Environmental: 8.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Affected Devices
Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

A vulnerability in the DHCP option 82 encapsulation functionality of Cisco IOS Software and Cisco IOS XE Software could allow an
unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition. The
vulnerability exists because the affected software performs incomplete input validation of option 82 information that it receives in
DHCP Version 4 (DHCPv4) packets from DHCP relay agents. An attacker could exploit this vulnerability by sending a crafted
DHCPv4 packet to an affected device. A successful exploit could allow the attacker to cause a heap overflow condition on the
affected device, which will cause the device to reload and result in a DoS condition. Cisco Bug IDs: CSCvg62730.
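The root cause named above is incomplete validation of the option 82 data carried in DHCPv4 packets. As an added example (not part of this report or of Cisco's code), the following parser walks a DHCPv4 options area and the Relay Agent Information option (option 82, RFC 3046) while checking every declared length against the bytes actually present; in a C implementation these are the checks whose absence lets a crafted length byte drive an out-of-bounds write (CWE-787). The sample option bytes are constructed.

```python
"""Length-validating parser for the DHCPv4 options area and the Relay Agent
Information option (option 82, RFC 3046).  Added example for this report, not
Cisco code; CVE-2018-0172 is described as incomplete validation of option 82
data, and these are the checks a receiver must make before copying sub-option
bytes into a fixed buffer.  All sample bytes are constructed."""

RELAY_AGENT_INFO = 82
END, PAD = 255, 0
SUBOPTION_NAMES = {1: "circuit_id", 2: "remote_id"}   # RFC 3046 sub-options


def parse_relay_agent_info(body):
    """Parse the payload of option 82 (everything after its code/length).

    Returns {sub-option name or code: bytes}.  Every declared length is
    checked against the bytes actually present; in C this is the check whose
    absence turns a crafted length byte into an out-of-bounds write (CWE-787)."""
    out, pos = {}, 0
    while pos < len(body):
        if len(body) - pos < 2:
            raise ValueError("truncated sub-option header at offset %d" % pos)
        code, length = body[pos], body[pos + 1]
        pos += 2
        if length == 0:             # RFC 3046: sub-option data is at least one byte
            raise ValueError("zero-length sub-option %d" % code)
        if pos + length > len(body):
            raise ValueError("sub-option %d declares %d bytes, only %d remain"
                             % (code, length, len(body) - pos))
        name = SUBOPTION_NAMES.get(code, code)
        if name in out:
            raise ValueError("duplicate sub-option %r" % (name,))
        out[name] = bytes(body[pos:pos + length])
        pos += length
    return out


def parse_dhcp_options(options):
    """Walk the options area that follows the magic cookie and return {code: value}.

    Option 82 is expanded with parse_relay_agent_info; other options are kept
    as raw bytes.  PAD (0) is skipped and END (255) terminates the walk; a
    missing END or any length that overruns the buffer is rejected."""
    out, pos = {}, 0
    while pos < len(options):
        code = options[pos]
        if code == END:
            return out
        if code == PAD:
            pos += 1
            continue
        if pos + 1 >= len(options):
            raise ValueError("option %d has no length byte" % code)
        length = options[pos + 1]
        body = options[pos + 2:pos + 2 + length]
        if len(body) != length:
            raise ValueError("option %d declares %d bytes, only %d remain"
                             % (code, length, len(body)))
        out[code] = (parse_relay_agent_info(body) if code == RELAY_AGENT_INFO
                     else bytes(body))
        pos += 2 + length
    raise ValueError("options area has no END marker")


def rejects(options):
    """True if the options area is refused (exercises the failure paths)."""
    try:
        parse_dhcp_options(options)
    except ValueError:
        return True
    return False


# Constructed samples.
GOOD_OPTIONS = (bytes([53, 1, 1])                    # DHCP Message Type = DISCOVER
                + bytes([82, 12, 1, 4]) + b"Gi01"    # option 82, circuit-id "Gi01"
                + bytes([2, 4]) + b"RLY1"            #   remote-id "RLY1"
                + bytes([END]))
# Sub-option 1 claims 10 bytes but option 82 only carries 4 bytes of data.
OVERRUN_SUBOPTION = bytes([82, 6, 1, 10]) + b"ABCD" + bytes([END])
# Option 82 itself claims 20 bytes; the packet ends after 3.
TRUNCATED_OPTION = bytes([82, 20, 1, 2, 0x41])

if __name__ == "__main__":
    print(parse_dhcp_options(GOOD_OPTIONS))
    print(rejects(OVERRUN_SUBOPTION), rejects(TRUNCATED_OPTION))
```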

References

CONFIRM - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-dhcpr1 (Vendor Advisory)
MISC - https://www.tenable.com/security/research/tra-2018-06 (Third Party Advisory)
SECTRACK - 1040591 http://www.securitytracker.com/id/1040591 (Third Party Advisory, VDB Entry)
BID - 103552 http://www.securityfocus.com/bid/103552 (Third Party Advisory, VDB Entry)
MISC - https://ics-cert.us-cert.gov/advisories/ICSA-18-107-05 (Third Party Advisory, US Government Resource)
MISC - https://ics-cert.us-cert.gov/advisories/ICSA-18-107-04 (Third Party Advisory, US Government Resource)

Common Weakness Information

Invictux performed a lookup of the CWE details as part of the vulnerability audit. This section details that information for
this finding.

Out-of-bounds Write

Information

CWE ID : 787
Likelihood : High
Related : Child of CWE ID 119

The software writes data past the end, or before the beginning, of the intended buffer.

Detail

Typically, this can result in corruption of data, a crash, or code execution. The software may modify an index or perform
pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write
operation then produces undefined or unexpected results.

Consequences

Scope | Impact | Notes
Integrity | Modify Memory; DoS: Crash, Exit, or Restart; Execute Unauthorized Code or Commands |

Table 83: CWE ID 787 consequences

Mitigation

Requirements:
Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to
avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not
subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the
protection can be disabled by the programmer. Be wary that a language's interface to native code may still be subject
to overflows, even if the language itself is theoretically safe.

Architecture and Design:
Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this
weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the
Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling
functions.

Build and Compilation:
Run or compile the software using features or extensions that automatically provide a protection mechanism that
mitigates or eliminates buffer overflows. For example, certain compilers and extensions provide automatic buffer
overflow detection mechanisms that are built into the compiled code. Examples include the Microsoft Visual Studio
/GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice.

Implementation:
Consider adhering to the following rules when allocating and managing an application's memory:
- Double check that the buffer is as large as specified.
- When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer size is equal to the source buffer size, it may not NULL-terminate the string.
- Check buffer boundaries if accessing the buffer in a loop and make sure there is no danger of writing past the allocated space.
- If necessary, truncate all input strings to a reasonable length before passing them to the copy and concatenation functions.

Operation:
Run or compile the software using features or extensions that randomly arrange the positions of a program's
executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from
reliably jumping to exploitable code. Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60]
and Position-Independent Executables (PIE) [REF-64].

Operation:
Use a CPU and operating system that offers Data Execution Protection (NX) or its equivalent [REF-60] [REF-61].

Implementation:
Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with
strncpy. Create these if they are not available.

CVE-2020-3475 HIGH
CVSS v3.1 Rating

Score: 8.1 (High)


Base: 8.1
Temporal: 8.1
Environmental: 8.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

Multiple vulnerabilities in the web management framework of Cisco IOS XE Software could allow an authenticated, remote
attacker with read-only privileges to gain unauthorized read access to sensitive data or cause the web management software to
hang or crash, resulting in a denial of service (DoS) condition. For more information about these vulnerabilities, see the Details
section of this advisory.

References

CISCO - 20200924 Cisco IOS XE Software Web Management Framework Vulnerabilities
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-xe-webui-multi-vfTkk7yr (Vendor Advisory)

Common Weakness Information

Invictux performed a lookup of the CWE details as part of the vulnerability audit. This section details that information for
this finding.

Improper Input Validation

Information

CWE ID : 20
Likelihood : High
Related : Child of CWE ID 707, A peer of CWE ID 345, Can precede CWE ID 22, Can precede CWE ID 41, Can precede
CWE ID 74, Can precede CWE ID 119, Can precede CWE ID 770

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are
required to process the data safely and correctly.

Detail

Input validation is a frequently-used technique for checking potentially dangerous inputs in order to ensure that the inputs
are safe for processing within the code, or when communicating with other components. When software does not validate
input properly, an attacker is able to craft the input in a form that is not expected by the rest of the application. This will
lead to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a
resource, or arbitrary code execution.

Input validation is not the only technique for processing input, however. Other techniques attempt to transform
potentially-dangerous input into something safe, such as filtering (CWE-790), which attempts to remove dangerous inputs, or
encoding/escaping (CWE-116), which attempts to ensure that the input is not misinterpreted when it is included in output to
another component. Other techniques exist as well (see CWE-138 for more examples).

Input validation can be applied to:
- raw data - strings, numbers, parameters, file contents, etc.
- metadata - information about the raw data, such as headers or size

Data can be simple or structured. Structured data can be composed of many nested layers, composed of combinations of
metadata and raw data, with other simple or structured data.

Many properties of raw data or metadata may need to be validated upon entry into the code, such as:
- specified quantities such as size, length, frequency, price, rate, number of operations, time, etc.
- implied or derived quantities, such as the actual size of a file instead of a specified size
- indexes, offsets, or positions into more complex data structures
- symbolic keys or other elements into hash tables, associative arrays, etc.
- well-formedness, i.e. syntactic correctness - compliance with expected syntax
- lexical token correctness - compliance with rules for what is treated as a token
- specified or derived type - the actual type of the input (or what the input appears to be)
- consistency - between individual data elements, between raw data and metadata, between references, etc.
- conformance to domain-specific rules, e.g. business logic
- equivalence - ensuring that equivalent inputs are treated the same
- authenticity, ownership, or other attestations about the input, e.g. a cryptographic signature to prove the source of the data

Implied or derived properties of data must often be calculated or inferred by the code itself. Errors in deriving properties
may be considered a contributing factor to improper input validation.

Note that "input validation" has very different meanings to different people, or within different classification schemes.
Caution must be used when referencing this CWE entry or mapping to it. For example, some weaknesses might involve
inadvertently giving control to an attacker over an input when they should not be able to provide an input at all, but
sometimes this is referred to as input validation.

Finally, it is important to emphasize that the distinctions between input validation and output escaping are often blurred,
and developers must be careful to understand the difference, including how input validation is not always sufficient to
prevent vulnerabilities, especially when less stringent data types must be supported, such as free-form text. Consider a SQL
injection scenario in which a person's last name is inserted into a query. The name "O'Reilly" would likely pass the validation
step since it is a common last name in the English language. However, this valid name cannot be directly inserted into the
database because it contains the "'" apostrophe character, which would need to be escaped or otherwise transformed. In this
case, removing the apostrophe might reduce the risk of SQL injection, but it would produce incorrect behavior because the
wrong name would be recorded.

Consequences

Scope | Impact | Notes
Availability | DoS: Crash, Exit, or Restart; DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory) | An attacker could provide unexpected values and cause a program crash or excessive consumption of resources, such as memory and CPU.
Confidentiality | Read Memory; Read Files or Directories | An attacker could read confidential data if they are able to control resource references.
Integrity | Modify Memory; Execute Unauthorized Code or Commands | An attacker could use malicious input to modify data or possibly alter control flow in unexpected ways, including arbitrary command execution.

Table 84: CWE ID 20 consequences

Mitigation

Architecture and Design:


Consider using language-theoretic security (LangSec) techniques that characterize inputs using a formal language and
build "recognizers" for that language. This effectively requires parsing to be a distinct layer that effectively enforces a
boundary between raw input and internal data representations, instead of allowing parser code to be scattered
throughout the program, where it could be subject to errors or inconsistencies that create weaknesses. [REF-1109]
[REF-1110] [REF-1111];
Architecture and Design:
Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework
does not automatically address all input validation problems; be mindful of weaknesses that could arise from
misusing the framework itself (CWE-1173);
Architecture and Design:
Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies,
anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL
components, e-mail, files, filenames, databases, and any external systems that provide data to the application.
Remember that such inputs may be obtained indirectly through API calls;
Implementation:
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable
inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or
transform it into something that does. When performing input validation, consider all potentially relevant properties,
including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across
related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically
valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors
such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at
least one undesirable input, especially if the code's environment changes. This can give attackers enough room to
bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which
inputs are so malformed that they should be rejected outright;
Architecture and Design:
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server
side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks
have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values
would be submitted to the server. Even though client-side checks provide minimal benefits with respect to server-side
security, they are still useful. First, they can support intrusion detection. If the server receives input that should have
been rejected by the client, then it may be an indication of an attack. Second, client-side error-checking can provide
helpful feedback to the user about the expectations for valid input. Third, there may be a reduction in server-side
processing time for accidental input errors, although this is typically a small savings;
Implementation:
When your application combines data from multiple sources, perform the validation after the sources have been
combined. The individual data elements may pass the validation step but violate the intended restrictions after they
have been combined;
Implementation:
Be especially careful to validate all input when invoking code that crosses language boundaries, such as from an
interpreted language to native code. This could create an unexpected interaction between the language boundaries.
Ensure that you are not violating any of the expectations of the language with which you are interfacing. For example,
even though Java may not be susceptible to buffer overflows, providing a large argument in a call to native code
might trigger an overflow;
Implementation:
Directly convert your input type into the expected data type, such as using a conversion function that translates a
string into a number. After converting to the expected data type, ensure that the input's values fall within the
expected range of allowable values and that multi-field consistencies are maintained;
Implementation:
Inputs should be decoded and canonicalized to the application's current internal representation before being
validated (CWE-180, CWE-181). Make sure that your application does not inadvertently decode the same input twice
(CWE-174). Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have
been checked. Use libraries such as the OWASP ESAPI Canonicalization control. Consider performing repeated
canonicalization until your input does not change any more. This will avoid double-decoding and similar scenarios,
but it might inadvertently modify inputs that are allowed to contain properly-encoded dangerous content;
Implementation:
When exchanging data between components, ensure that both components are using the same character encoding.
Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the
protocol allows you to do so.

CVE-1999-0293 HIGH

CVSS v2 Rating

Score: 7.5 (High)


Base: AV:N/AC:L/Au:N/C:P/I:P/A:P (7.5)
Temporal: E:ND/RL:ND/RC:ND (7.5)
Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND (7.5)

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

AAA authentication on Cisco systems allows attackers to execute commands without authorization.

References

MISC - https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0293
https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0293 (VDB Entry)

CVE-2018-0154 HIGH

CVSS v3.1 Rating

Score: 7.5 (High)


Base: 7.5
Temporal: 7.5
Environmental: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

A vulnerability in the crypto engine of the Cisco Integrated Services Module for VPN (ISM-VPN) running Cisco IOS Software could
allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is
due to insufficient handling of VPN traffic by the affected device. An attacker could exploit this vulnerability by sending crafted
VPN traffic to an affected device. A successful exploit could allow the attacker to cause the affected device to hang or crash,
resulting in a DoS condition. Cisco Bug IDs: CSCvd39267.

References

CONFIRM - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-dos (Vendor Advisory)
SECTRACK - 1040585 http://www.securitytracker.com/id/1040585 (Broken Link, Third Party Advisory, VDB Entry)
BID - 103559 http://www.securityfocus.com/bid/103559 (Broken Link, Third Party Advisory, VDB Entry)

CVE-2020-3479 HIGH

CVSS v3.1 Rating

Score: 7.5 (High)


Base: 7.5
Temporal: 7.5
Environmental: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

A vulnerability in the implementation of Multiprotocol Border Gateway Protocol (MP-BGP) for the Layer 2 VPN (L2VPN) Ethernet
VPN (EVPN) address family in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to
cause a denial of service (DoS) condition. The vulnerability is due to incorrect processing of Border Gateway Protocol (BGP)
update messages that contain crafted EVPN attributes. An attacker could exploit this vulnerability by sending BGP update
messages with specific, malformed attributes to an affected device. A successful exploit could allow the attacker to cause an
affected device to crash, resulting in a DoS condition.

References

CISCO - 20200924 Cisco IOS and IOS XE Software MP-BGP EVPN Denial of Service Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-bgp-evpn-dos-LNfYJxfF (Vendor
Advisory)

Common Weakness Information

Invictux performed a lookup of the CWE details as part of the vulnerability audit. This section details that information for
this finding.

Uncontrolled Resource Consumption

Information

CWE ID : 400
Likelihood : High
Related : Child of CWE ID 664

The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to
influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

Detail

Limited resources include memory, file system storage, database connection pool entries, and CPU. If an attacker can trigger
the allocation of these limited resources, but the number or size of the resources is not controlled, then the attacker could
cause a denial of service that consumes all available resources. This would prevent valid users from accessing the software,
and it could potentially have an impact on the surrounding environment. For example, a memory exhaustion attack against
an application could slow down the application as well as its host operating system.

There are at least three distinct scenarios which can commonly lead to resource exhaustion:

Lack of throttling for the number of allocated resources;
Losing all references to a resource before reaching the shutdown stage;
Not closing/returning a resource after processing.

Resource exhaustion problems often result from an incorrect implementation of the following situations:

Error conditions and other exceptional circumstances;
Confusion over which part of the program is responsible for releasing the resource.

Consequences

Scope: Availability
Impact: DoS: Crash, Exit, or Restart; DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory); DoS: Resource
Consumption (Other)
Notes: The most common result of resource exhaustion is denial of service. The software may slow down, crash due to
unhandled errors, or lock out legitimate users.

Scope: Access Control; Other
Impact: Bypass Protection Mechanism; Other
Notes: In some cases it may be possible to force the software to "fail open" in the event of resource exhaustion. The state of
the software -- and possibly the security functionality -- may then be compromised.

Table 85: CWE ID 400 consequences

Mitigation

Architecture and Design:


Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources
that an unauthorized user can cause to be expended. A strong authentication and access control model will help
prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks
as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources
expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users
and blocking requests that exceed a defined rate threshold;
Architecture and Design:
Mitigation of resource exhaustion attacks requires that the target system either:

recognizes the attack and denies that user further access for a given amount of time, or
uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can
again be freed.

The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a
particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the
server in question. The second solution is simply difficult to effectively institute -- and even when properly done, it does
not provide a full solution. It simply makes the attack require more resources on the part of the attacker;
Architecture and Design:
Ensure that protocols have specific limits of scale placed on them;
Implementation:
Ensure that all failures in resource allocation place the system into a safe posture.

CVE-2022-20726 HIGH

CVSS v3.1 Rating

Score: 7.5 (High)


Base: 7.5
Temporal: 7.5
Environmental: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

Multiple vulnerabilities in the Cisco IOx application hosting environment on multiple Cisco platforms could allow an attacker to
inject arbitrary commands into the underlying host operating system, execute arbitrary code on the underlying host operating
system, install applications without being authenticated, or conduct a cross-site scripting (XSS) attack against a user of the
affected software. For more information about these vulnerabilities, see the Details section of this advisory.

References

CISCO - 20220413 Cisco IOx Application Hosting Environment Vulnerabilities
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-yuXQ6hFj (Vendor Advisory)

Common Weakness Information

Invictux performed a lookup of the CWE details as part of the vulnerability audit. This section details that information for
this finding.

Improper Handling of Exceptional Conditions

Information

CWE ID : 755
Likelihood : Medium
Related : Child of CWE ID 703

The software does not handle or incorrectly handles an exceptional condition.

Consequences

Scope Impact Notes

Other Other

Table 86: CWE ID 755 consequences

CVE-2007-5551 HIGH

CVSS v2 Rating

Score: 7.1 (High)


Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1)
Temporal: E:ND/RL:ND/RC:ND (7.1)
Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND (7.1)

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

Off-by-one error in Cisco IOS allows remote attackers to execute arbitrary code via unspecified vectors that trigger a heap-based
buffer overflow. NOTE: as of 20071016, the only disclosure is a vague pre-advisory with no actionable information. However, since
it is from a well-known researcher, it is being assigned a CVE identifier for tracking purposes.

References

MISC - http://www.irmplc.com/index.php/111-Vendor-Alerts http://www.irmplc.com/index.php/111-Vendor-Alerts

CVE-2008-4609 HIGH

CVSS v2 Rating

Score: 7.1 (High)


Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1)
Temporal: E:ND/RL:ND/RC:ND (7.1)
Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND (7.1)

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

The TCP implementation in (1) Linux, (2) platforms based on BSD Unix, (3) Microsoft Windows, (4) Cisco products, and probably
other operating systems allows remote attackers to cause a denial of service (connection queue exhaustion) via multiple vectors
that manipulate information in the TCP state table, as demonstrated by sockstress.

References

MLIST - [dailydave] 20081002 TCP Resource Exhaustion DoS Attack Speculation
http://lists.immunitysec.com/pipermail/dailydave/2008-October/005360.html (Broken Link)
MISC - http://www.outpost24.com/news/news-2008-10-02.html http://www.outpost24.com/news/news-2008-10-02.html
(Broken Link)
CISCO - 20081017 Cisco Response to Outpost24 TCP State Table Manipulation Denial of Service Vulnerabilities
http://www.cisco.com/en/US/products/products_security_response09186a0080a15120.html (Broken Link)
MISC - http://blog.robertlee.name/2008/10/conjecture-speculation.html http://blog.robertlee.name/2008/10/conjecture-
speculation.html (Broken Link)
MISC - https://www.cert.fi/haavoittuvuudet/2008/tcp-vulnerabilities.html https://www.cert.fi/haavoittuvuudet/2008/tcp-
vulnerabilities.html (Broken Link)
MISC - http://insecure.org/stf/tcp-dos-attack-explained.html http://insecure.org/stf/tcp-dos-attack-explained.html (Broken
Link)
MISC - http://searchsecurity.techtarget.com.au/articles/27154-TCP-is-fundamentally-borked
http://searchsecurity.techtarget.com.au/articles/27154-TCP-is-fundamentally-borked (Broken Link)
CISCO - 20090908 TCP State Manipulation Denial of Service Vulnerabilities in Multiple Cisco Products
http://www.cisco.com/en/US/products/products_security_advisory09186a0080af511d.shtml (Broken Link)
MISC - http://www.cpni.gov.uk/Docs/tn-03-09-security-assessment-TCP.pdf http://www.cpni.gov.uk/Docs/tn-03-09-
security-assessment-TCP.pdf (Broken Link)
CERT - TA09-251A http://www.us-cert.gov/cas/techalerts/TA09-251A.html (Third Party Advisory, US Government Resource)
HP - HPSBMI02473 http://marc.info/?l=bugtraq&m=125856010926699&w=2 (Third Party Advisory)
CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html
http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html (Third Party Advisory)
MANDRIVA - MDVSA-2013:150 http://www.mandriva.com/security/advisories?name=MDVSA-2013:150 (Broken Link)
OVAL - oval:org.mitre.oval:def:6340
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6340 (Broken Link)
MS - MS09-048 https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-048 (Patch, Third Party
Advisory)

CVE-2008-4963 HIGH

CVSS v2 Rating

Score: 7.1 (High)


Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1)
Temporal: E:ND/RL:ND/RC:ND (7.1)
Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND (7.1)

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

Unspecified vulnerability in the VLAN Trunking Protocol (VTP) implementation on Cisco IOS and CatOS, when the VTP operating
mode is not transparent, allows remote attackers to cause a denial of service (device reload or hang) via a crafted VTP packet sent
to a switch interface configured as a trunk port.

References

CISCO - 20081105 Cisco VLAN Trunking Protocol Vulnerability
http://www.cisco.com/en/US/products/products_security_response09186a0080a231cf.html (Vendor Advisory)
BID - 32120 http://www.securityfocus.com/bid/32120
SECTRACK - 1021143 http://securitytracker.com/id?1021143
OSVDB - 49601 http://osvdb.org/49601
SECTRACK - 1021144 http://www.securitytracker.com/id?1021144
SECUNIA - 32573 http://secunia.com/advisories/32573 (Vendor Advisory)
XF - cisco-ios-catos-vtp-dos(46346) https://exchange.xforce.ibmcloud.com/vulnerabilities/46346

CVE-2013-5469 HIGH

CVSS v2 Rating

Score: 7.1 (High)


Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1)
Temporal: E:ND/RL:ND/RC:ND (7.1)
Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND (7.1)

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

The TCP implementation in Cisco IOS does not properly implement the transitions from the ESTABLISHED state to the CLOSED
state, which allows remote attackers to cause a denial of service (flood of ACK packets) via a crafted series of ACK and FIN packets,
aka Bug ID CSCtz14399.

References

CISCO - 20130830 Cisco IOS Software TCP ACK Storm Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5469 (Vendor Advisory)
BID - 62083 http://www.securityfocus.com/bid/62083
SECTRACK - 1028969 http://www.securitytracker.com/id/1028969
OSVDB - 96764 http://osvdb.org/96764
XF - cisco-ios-cve20135469-dos(86794) https://exchange.xforce.ibmcloud.com/vulnerabilities/86794

Common Weakness Information

Invictux performed a lookup of the CWE details as part of the vulnerability audit. This section details that information for this
finding.

Improper Restriction of Operations within the Bounds of a Memory Buffer

Information

CWE ID : 119
Likelihood : High
Related : Child of CWE ID 118, Child of CWE ID 20

The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of
the intended boundary of the buffer.

Detail

Certain languages allow direct addressing of memory locations and do not automatically ensure that these locations are
valid for the memory buffer that is being referenced. This can cause read or write operations to be performed on memory
locations that may be associated with other variables, data structures, or internal program data. As a result, an attacker may
be able to execute arbitrary code, alter the intended control flow, read sensitive information, or cause the system to crash.

Consequences

Scope: Integrity
Impact: Execute Unauthorized Code or Commands; Modify Memory
Notes: If the memory accessible by the attacker can be effectively controlled, it may be possible to execute arbitrary code,
as with a standard buffer overflow. If the attacker can overwrite a pointer's worth of memory (usually 32 or 64 bits), they
can redirect a function pointer to their own malicious code. Even when the attacker can only modify a single byte, arbitrary
code execution can be possible. Sometimes this is because the same problem can be exploited repeatedly to the same
effect. Other times it is because the attacker can overwrite security-critical application-specific data -- such as a flag
indicating whether the user is an administrator.

Scope: Availability
Impact: Read Memory; DoS: Crash, Exit, or Restart; DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory)
Notes: Out of bounds memory access will very likely result in the corruption of relevant memory, and perhaps instructions,
possibly leading to a crash. Other attacks leading to lack of availability are possible, including putting the program into an
infinite loop.

Scope: Confidentiality
Impact: Read Memory
Notes: In the case of an out-of-bounds read, the attacker may have access to sensitive information. If the sensitive
information contains system details, such as the current buffer's position in memory, this knowledge can be used to craft
further attacks, possibly with more severe consequences.

Table 87: CWE ID 119 consequences

Mitigation

Requirements:
Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to
avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not
subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the
protection can be disabled by the programmer. Be wary that a language's interface to native code may still be subject
to overflows, even if the language itself is theoretically safe;
Architecture and Design:
Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this
weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the
Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling
functions;
Build and Compilation:
Run or compile the software using features or extensions that automatically provide a protection mechanism that
mitigates or eliminates buffer overflows. For example, certain compilers and extensions provide automatic buffer
overflow detection mechanisms that are built into the compiled code. Examples include the Microsoft Visual Studio
/GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice;
Implementation:
Consider adhering to the following rules when allocating and managing an application's memory:
Double check that the buffer is as large as specified.
When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer
size is equal to the source buffer size, it may not NULL-terminate the string.
Check buffer boundaries if accessing the buffer in a loop and make sure there is no danger of writing past the
allocated space.
If necessary, truncate all input strings to a reasonable length before passing them to the copy and concatenation
functions;
Operation:
Run or compile the software using features or extensions that randomly arrange the positions of a program's
executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from
reliably jumping to exploitable code. Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60]
and Position-Independent Executables (PIE) [REF-64];
Operation:
Use a CPU and operating system that offers Data Execution Protection (NX) or its equivalent [REF-60] [REF-61];
Implementation:
Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with
strncpy. Create these if they are not available.

CVE-2014-7998 HIGH

CVSS v2 Rating

Score: 7.1 (High)


Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1)
Temporal: E:ND/RL:ND/RC:ND (7.1)
Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND (7.1)

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

Cisco IOS on Aironet access points, when "dot11 aaa authenticator" debugging is enabled, allows remote attackers to cause a
denial of service via a malformed EAP packet, aka Bug ID CSCul15509.

References

CISCO - 20141114 Cisco Aironet EAP Debugging Denial of Service Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-7998 (Vendor Advisory)
SECTRACK - 1031219 http://www.securitytracker.com/id/1031219
XF - ciscoios-eap-cve20147998-dos(98692) https://exchange.xforce.ibmcloud.com/vulnerabilities/98692

CVE-2007-5548 MEDIUM

CVSS v2 Rating

Score: 6.9 (Medium)


Base: AV:L/AC:M/Au:N/C:C/I:C/A:C (6.9)
Temporal: E:ND/RL:ND/RC:ND (6.9)
Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND (6.9)

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

Multiple stack-based buffer overflows in Command EXEC in Cisco IOS allow local users to gain privileges via unspecified vectors,
aka (1) PSIRT-0474975756 and (2) PSIRT-0388256465. NOTE: as of 20071016, the only disclosure is a vague pre-advisory with no
actionable information. However, since it is from a well-known researcher, it is being assigned a CVE identifier for tracking
purposes.

References

MISC - http://www.irmplc.com/index.php/111-Vendor-Alerts http://www.irmplc.com/index.php/111-Vendor-Alerts
OSVDB - 45361 http://osvdb.org/45361
OSVDB - 45360 http://osvdb.org/45360

Common Weakness Information

Invictux performed a lookup of the CWE details as part of the vulnerability audit. This section details that information for this
finding.

Improper Restriction of Operations within the Bounds of a Memory Buffer

Information

CWE ID : 119
Likelihood : High
Related : Child of CWE ID 118, Child of CWE ID 20

The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of
the intended boundary of the buffer.

Detail

Certain languages allow direct addressing of memory locations and do not automatically ensure that these locations are
valid for the memory buffer that is being referenced. This can cause read or write operations to be performed on memory
locations that may be associated with other variables, data structures, or internal program data. As a result, an attacker may
be able to execute arbitrary code, alter the intended control flow, read sensitive information, or cause the system to crash.

Consequences

Scope: Integrity
Impact: Execute Unauthorized Code or Commands; Modify Memory
Notes: If the memory accessible by the attacker can be effectively controlled, it may be possible to execute arbitrary code,
as with a standard buffer overflow. If the attacker can overwrite a pointer's worth of memory (usually 32 or 64 bits), they
can redirect a function pointer to their own malicious code. Even when the attacker can only modify a single byte, arbitrary
code execution can be possible. Sometimes this is because the same problem can be exploited repeatedly to the same
effect. Other times it is because the attacker can overwrite security-critical application-specific data -- such as a flag
indicating whether the user is an administrator.

Scope: Availability
Impact: Read Memory; DoS: Crash, Exit, or Restart; DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory)
Notes: Out of bounds memory access will very likely result in the corruption of relevant memory, and perhaps instructions,
possibly leading to a crash. Other attacks leading to lack of availability are possible, including putting the program into an
infinite loop.

Scope: Confidentiality
Impact: Read Memory
Notes: In the case of an out-of-bounds read, the attacker may have access to sensitive information. If the sensitive
information contains system details, such as the current buffer's position in memory, this knowledge can be used to craft
further attacks, possibly with more severe consequences.

Table 88: CWE ID 119 consequences

Mitigation

Requirements:
Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to
avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not
subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the
protection can be disabled by the programmer. Be wary that a language's interface to native code may still be subject
to overflows, even if the language itself is theoretically safe;
Architecture and Design:
Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this
weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the
Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling
functions;
Build and Compilation:
Run or compile the software using features or extensions that automatically provide a protection mechanism that
mitigates or eliminates buffer overflows. For example, certain compilers and extensions provide automatic buffer
overflow detection mechanisms that are built into the compiled code. Examples include the Microsoft Visual Studio
/GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice;
Implementation:
Consider adhering to the following rules when allocating and managing an application's memory:
Double check that the buffer is as large as specified.
When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer
size is equal to the source buffer size, it may not NULL-terminate the string.
Check buffer boundaries if accessing the buffer in a loop and make sure there is no danger of writing past the
allocated space.
If necessary, truncate all input strings to a reasonable length before passing them to the copy and concatenation
functions;
Operation:
Run or compile the software using features or extensions that randomly arrange the positions of a program's
executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from
reliably jumping to exploitable code. Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60]
and Position-Independent Executables (PIE) [REF-64];
Operation:
Use a CPU and operating system that offers Data Execution Protection (NX) or its equivalent [REF-60] [REF-61];
Implementation:
Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with
strncpy. Create these if they are not available.

CVE-2008-5230 MEDIUM

CVSS v2 Rating

Score: 6.8 (Medium)


Base: AV:N/AC:M/Au:N/C:P/I:P/A:P (6.8)
Temporal: E:ND/RL:ND/RC:ND (6.8)
Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND (6.8)

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

The Temporal Key Integrity Protocol (TKIP) implementation in unspecified Cisco products and other vendors' products, as used in
WPA and WPA2 on Wi-Fi networks, has insufficient countermeasures against certain crafted and replayed packets, which makes it
easier for remote attackers to decrypt packets from an access point (AP) to a client and spoof packets from an AP to a client, and
conduct ARP poisoning attacks or other attacks, as demonstrated by tkiptun-ng.

References

MISC - http://dl.aircrack-ng.org/breakingwepandwpa.pdf http://dl.aircrack-ng.org/breakingwepandwpa.pdf (Exploit)
MLIST - [dailydave] 20081107 All Ur WiFi(WPA) R Belong 2 PacSec http://lists.immunitysec.com/pipermail/dailydave/2008-
November/005413.html
MISC - http://www.aircrack-ng.org/doku.php?id=tkiptun-ng http://www.aircrack-ng.org/doku.php?id=tkiptun-ng
BID - 32164 http://www.securityfocus.com/bid/32164
MISC - http://trac.aircrack-ng.org/svn/trunk/src/tkiptun-ng.c http://trac.aircrack-ng.org/svn/trunk/src/tkiptun-ng.c (Exploit)
MISC - http://radajo.blogspot.com/2008/11/wpatkip-chopchop-attack.html http://radajo.blogspot.com/2008/11/wpatkip-
chopchop-attack.html
CISCO - 20081121 Cisco Response to TKIP Encryption Weakness
http://www.cisco.com/en/US/products/products_security_response09186a0080a30036.html
MISC - http://arstechnica.com/articles/paedia/wpa-cracked.ars http://arstechnica.com/articles/paedia/wpa-cracked.ars

CVE-2013-1217 MEDIUM

CVSS v2 Rating

Score: 6.8 (Medium)


Base: AV:N/AC:L/Au:S/C:N/I:N/A:C (6.8)
Temporal: E:ND/RL:ND/RC:ND (6.8)
Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND (6.8)

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

The generic input/output control implementation in Cisco IOS does not properly manage buffers, which allows remote
authenticated users to cause a denial of service (device reload) by sending many SNMP requests at the same time, aka Bug ID
CSCub41105.

References

CISCO - 20130419 Generic Input/Output SNMP Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1217 (Vendor Advisory)

Common Weakness Information

Invictux performed a lookup of the CWE details as part of the vulnerability audit. This section details that information for this
finding.

Improper Restriction of Operations within the Bounds of a Memory Buffer

Information

CWE ID : 119
Likelihood : High
Related : Child of CWE ID 118, Child of CWE ID 20

The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of
the intended boundary of the buffer.

Detail

Certain languages allow direct addressing of memory locations and do not automatically ensure that these locations are
valid for the memory buffer that is being referenced. This can cause read or write operations to be performed on memory
locations that may be associated with other variables, data structures, or internal program data. As a result, an attacker may
be able to execute arbitrary code, alter the intended control flow, read sensitive information, or cause the system to crash.

Consequences

Scope: Integrity
Impact: Execute Unauthorized Code or Commands; Modify Memory
Notes: If the memory accessible by the attacker can be effectively controlled, it may be possible to execute arbitrary code,
as with a standard buffer overflow. If the attacker can overwrite a pointer's worth of memory (usually 32 or 64 bits), they
can redirect a function pointer to their own malicious code. Even when the attacker can only modify a single byte, arbitrary
code execution can be possible. Sometimes this is because the same problem can be exploited repeatedly to the same
effect. Other times it is because the attacker can overwrite security-critical application-specific data -- such as a flag
indicating whether the user is an administrator.

Scope: Availability
Impact: Read Memory; DoS: Crash, Exit, or Restart; DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory)
Notes: Out of bounds memory access will very likely result in the corruption of relevant memory, and perhaps instructions,
possibly leading to a crash. Other attacks leading to lack of availability are possible, including putting the program into an
infinite loop.

Scope: Confidentiality
Impact: Read Memory
Notes: In the case of an out-of-bounds read, the attacker may have access to sensitive information. If the sensitive
information contains system details, such as the current buffer's position in memory, this knowledge can be used to craft
further attacks, possibly with more severe consequences.

Table 89: CWE ID 119 consequences

Mitigation

Requirements:
Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to
avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not
subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the
protection can be disabled by the programmer. Be wary that a language's interface to native code may still be subject
to overflows, even if the language itself is theoretically safe;
Architecture and Design:
Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this
weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the
Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling
functions;
Build and Compilation:
Run or compile the software using features or extensions that automatically provide a protection mechanism that
mitigates or eliminates buffer overflows. For example, certain compilers and extensions provide automatic buffer
overflow detection mechanisms that are built into the compiled code. Examples include the Microsoft Visual Studio
/GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice;
Implementation:
Consider adhering to the following rules when allocating and managing an application's memory: Double check that
the buffer is as large as specified. When using functions that accept a number of bytes to copy, such as strncpy(), be
aware that if the destination buffer size is equal to the source buffer size, it may not NULL-terminate the string. Check
buffer boundaries if accessing the buffer in a loop and make sure there is no danger of writing past the allocated
space. If necessary, truncate all input strings to a reasonable length before passing them to the copy and
concatenation functions;
Operation:
Run or compile the software using features or extensions that randomly arrange the positions of a program's
executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from
reliably jumping to exploitable code. Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60]
and Position-Independent Executables (PIE) [REF-64];
Operation:
Use a CPU and operating system that offers Data Execution Protection (NX) or its equivalent [REF-60] [REF-61];
Implementation:
Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with
strncpy. Create these if they are not available.

CVE-2013-5522 MEDIUM

CVSS v2 Rating

Score: 6.8 (Medium)


Base: AV:L/AC:L/Au:S/C:C/I:C/A:C (6.8)
Temporal: E:ND/RL:ND/RC:ND (6.8)
Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND (6.8)

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

Cisco IOS on Catalyst 3750X switches has default Service Module credentials, which makes it easier for local users to gain
privileges via a Service Module login, aka Bug ID CSCue92286.

References

CISCO - 20131024 Cisco Catalyst 3750X Default Credentials Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5522 (Vendor Advisory)

CVE-2014-3299 MEDIUM

CVSS v2 Rating

Score: 6.8 (Medium)


Base: AV:N/AC:L/Au:S/C:N/I:N/A:C (6.8)
Temporal: E:ND/RL:ND/RC:ND (6.8)
Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND (6.8)

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

Cisco IOS allows remote authenticated users to cause a denial of service (device reload) via malformed IPsec packets, aka Bug ID
CSCui79745.

References

CISCO - 20140624 Cisco IOS Software IPsec Denial of Service Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3299 (Vendor Advisory)
SECTRACK - 1030473 http://www.securitytracker.com/id/1030473 (Third Party Advisory, VDB Entry)
BID - 68177 http://www.securityfocus.com/bid/68177 (Third Party Advisory, VDB Entry)
SECUNIA - 59382 http://secunia.com/advisories/59382

Common Weakness Information

Invictux performed a lookup of the CWE details as part of the vulnerability audit. This section details that information for
this finding.

Improper Input Validation

Information

CWE ID : 20
Likelihood : High
Related : Child of CWE ID 707, A peer of CWE ID 345, Can precede CWE ID 22, Can precede CWE ID 41, Can precede
CWE ID 74, Can precede CWE ID 119, Can precede CWE ID 770

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are
required to process the data safely and correctly.

Detail

Input validation is a frequently-used technique for checking potentially dangerous inputs in order to ensure that the inputs
are safe for processing within the code, or when communicating with other components. When software does not validate
input properly, an attacker is able to craft the input in a form that is not expected by the rest of the application. This will
lead to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a
resource, or arbitrary code execution.

Input validation is not the only technique for processing input, however. Other techniques attempt to transform
potentially-dangerous input into something safe, such as filtering (CWE-790) - which attempts to remove dangerous inputs -
or encoding/escaping (CWE-116), which attempts to ensure that the input is not misinterpreted when it is included in output
to another component. Other techniques exist as well (see CWE-138 for more examples.)

Input validation can be applied to:
raw data - strings, numbers, parameters, file contents, etc.
metadata - information about the raw data, such as headers or size

Data can be simple or structured. Structured data can be composed of many nested layers, composed of combinations of
metadata and raw data, with other simple or structured data.

Many properties of raw data or metadata may need to be validated upon entry into the code, such as:
specified quantities such as size, length, frequency, price, rate, number of operations, time, etc.
implied or derived quantities, such as the actual size of a file instead of a specified size
indexes, offsets, or positions into more complex data structures
symbolic keys or other elements into hash tables, associative arrays, etc.
well-formedness, i.e. syntactic correctness - compliance with expected syntax
lexical token correctness - compliance with rules for what is treated as a token
specified or derived type - the actual type of the input (or what the input appears to be)
consistency - between individual data elements, between raw data and metadata, between references, etc.
conformance to domain-specific rules, e.g. business logic
equivalence - ensuring that equivalent inputs are treated the same
authenticity, ownership, or other attestations about the input, e.g. a cryptographic signature to prove the source of the data

Implied or derived properties of data must often be calculated or inferred by the code itself. Errors in deriving properties
may be considered a contributing factor to improper input validation.

Note that "input validation" has very different meanings to different people, or within different classification schemes.
Caution must be used when referencing this CWE entry or mapping to it. For example, some weaknesses might involve
inadvertently giving control to an attacker over an input when they should not be able to provide an input at all, but
sometimes this is referred to as input validation.

Finally, it is important to emphasize that the distinctions between input validation and output escaping are often blurred,
and developers must be careful to understand the difference, including how input validation is not always sufficient to
prevent vulnerabilities, especially when less stringent data types must be supported, such as free-form text. Consider a
SQL injection scenario in which a person's last name is inserted into a query. The name "O'Reilly" would likely pass the
validation step since it is a common last name in the English language. However, this valid name cannot be directly
inserted into the database because it contains the "'" apostrophe character, which would need to be escaped or otherwise
transformed. In this case, removing the apostrophe might reduce the risk of SQL injection, but it would produce incorrect
behavior because the wrong name would be recorded.

Consequences

Scope: Availability
Impact: DoS: Crash, Exit, or Restart; DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory)
Notes: An attacker could provide unexpected values and cause a program crash or excessive consumption of resources,
such as memory and CPU.

Scope: Confidentiality
Impact: Read Memory; Read Files or Directories
Notes: An attacker could read confidential data if they are able to control resource references.

Scope: Integrity
Impact: Modify Memory; Execute Unauthorized Code or Commands
Notes: An attacker could use malicious input to modify data or possibly alter control flow in unexpected ways, including
arbitrary command execution.

Table 90: CWE ID 20 consequences

Mitigation

Architecture and Design:
Consider using language-theoretic security (LangSec) techniques that characterize inputs using a formal language and
build "recognizers" for that language. This effectively requires parsing to be a distinct layer that effectively enforces a
boundary between raw input and internal data representations, instead of allowing parser code to be scattered
throughout the program, where it could be subject to errors or inconsistencies that create weaknesses. [REF-1109]
[REF-1110] [REF-1111];
Architecture and Design:
Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework
does not automatically address all input validation problems; be mindful of weaknesses that could arise from
misusing the framework itself (CWE-1173);
Architecture and Design:
Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies,
anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL
components, e-mail, files, filenames, databases, and any external systems that provide data to the application.
Remember that such inputs may be obtained indirectly through API calls;
Implementation:
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable
inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or
transform it into something that does. When performing input validation, consider all potentially relevant properties,
including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across
related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically
valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors
such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at
least one undesirable input, especially if the code's environment changes. This can give attackers enough room to
bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which
inputs are so malformed that they should be rejected outright;
Architecture and Design:
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server
side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks
have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values
would be submitted to the server. Even though client-side checks provide minimal benefits with respect to server-side
security, they are still useful. First, they can support intrusion detection. If the server receives input that should have
been rejected by the client, then it may be an indication of an attack. Second, client-side error-checking can provide
helpful feedback to the user about the expectations for valid input. Third, there may be a reduction in server-side
processing time for accidental input errors, although this is typically a small savings;
Implementation:
When your application combines data from multiple sources, perform the validation after the sources have been
combined. The individual data elements may pass the validation step but violate the intended restrictions after they
have been combined;
Implementation:
Be especially careful to validate all input when invoking code that crosses language boundaries, such as from an
interpreted language to native code. This could create an unexpected interaction between the language boundaries.
Ensure that you are not violating any of the expectations of the language with which you are interfacing. For example,
even though Java may not be susceptible to buffer overflows, providing a large argument in a call to native code
might trigger an overflow;
Implementation:
Directly convert your input type into the expected data type, such as using a conversion function that translates a
string into a number. After converting to the expected data type, ensure that the input's values fall within the
expected range of allowable values and that multi-field consistencies are maintained;
Implementation:
Inputs should be decoded and canonicalized to the application's current internal representation before being
validated (CWE-180, CWE-181). Make sure that your application does not inadvertently decode the same input twice
(CWE-174). Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have
been checked. Use libraries such as the OWASP ESAPI Canonicalization control. Consider performing repeated
canonicalization until your input does not change any more. This will avoid double-decoding and similar scenarios,
but it might inadvertently modify inputs that are allowed to contain properly-encoded dangerous content;
Implementation:
When exchanging data between components, ensure that both components are using the same character encoding.
Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the
protocol allows you to do so.

CVE-2015-0598 MEDIUM

CVSS v2 Rating

Score: 6.8 (Medium)


Base: AV:N/AC:L/Au:S/C:N/I:N/A:C (6.8)
Temporal: E:ND/RL:ND/RC:ND (6.8)
Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND (6.8)

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

The RADIUS implementation in Cisco IOS and IOS XE allows remote attackers to cause a denial of service (device reload) via
crafted IPv6 Attributes in Access-Accept packets, aka Bug IDs CSCur84322 and CSCur27693.

References

CISCO - 20150305 Cisco IOS Software and Cisco IOS XE Software Crafted RADIUS Packet Denial of Service Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015-0598 (Vendor Advisory)
SECTRACK - 1031842 http://www.securitytracker.com/id/1031842

CVE-2013-1241 MEDIUM

CVSS v2 Rating

Score: 6.3 (Medium)


Base: AV:N/AC:M/Au:S/C:N/I:N/A:C (6.3)
Temporal: E:ND/RL:ND/RC:ND (6.3)
Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND (6.3)

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local


Description

The ISM module in Cisco IOS on ISR G2 routers does not properly handle authentication-header packets, which allows remote
authenticated users to cause a denial of service (module reload) via a series of malformed packets, aka Bug ID CSCub92025.

References

CISCO - 20130506 Cisco ISM Malformed Authentication Header Packet Denial of Service Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1241 (Vendor Advisory)

Common Weakness Information

Invictux performed a lookup of the CWE details as part of the vulnerability audit. This section details that information for
this finding.

Improper Authentication

Information

CWE ID : 287
Likelihood : High
Related : Child of CWE ID 284

When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

Consequences

Scope: Integrity
Impact: Read Application Data; Gain Privileges or Assume Identity; Execute Unauthorized Code or Commands
Notes: This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing
attackers with sensitive information or even execute arbitrary code.

Table 91: CWE ID 287 consequences

Mitigation

Architecture and Design:
Use an authentication framework or library such as the OWASP ESAPI Authentication feature.

CVE-2013-6705 MEDIUM

CVSS v2 Rating

Score: 6.1 (Medium)


Base: AV:A/AC:L/Au:N/C:N/I:N/A:C (6.1)
Temporal: E:ND/RL:ND/RC:ND (6.1)
Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND (6.1)

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

The IP Device Tracking (IPDT) feature in Cisco IOS and IOS XE allows remote attackers to cause a denial of service (IPDT AVL
corruption and device reload) via a crafted sequence of ARP packets, aka Bug ID CSCuh38133.

References

CISCO - 20131203 Cisco IOS Software IP Device Tracking Denial of Service Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-6705 (Vendor Advisory)
SECTRACK - 1029423 http://www.securitytracker.com/id/1029423 (Third Party Advisory, VDB Entry)

Common Weakness Information

Invictux performed a lookup of the CWE details as part of the vulnerability audit. This section details that information for
this finding.

Improper Input Validation

Information

CWE ID : 20
Likelihood : High
Related : Child of CWE ID 707, A peer of CWE ID 345, Can precede CWE ID 22, Can precede CWE ID 41, Can precede
CWE ID 74, Can precede CWE ID 119, Can precede CWE ID 770

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are
required to process the data safely and correctly.

Detail

Input validation is a frequently-used technique for checking potentially dangerous inputs in order to ensure that the inputs
are safe for processing within the code, or when communicating with other components. When software does not validate
input properly, an attacker is able to craft the input in a form that is not expected by the rest of the application. This will
lead to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a
resource, or arbitrary code execution.

Input validation is not the only technique for processing input, however. Other techniques attempt to transform
potentially-dangerous input into something safe, such as filtering (CWE-790) - which attempts to remove dangerous inputs -
or encoding/escaping (CWE-116), which attempts to ensure that the input is not misinterpreted when it is included in output
to another component. Other techniques exist as well (see CWE-138 for more examples.)

Input validation can be applied to:
raw data - strings, numbers, parameters, file contents, etc.
metadata - information about the raw data, such as headers or size

Data can be simple or structured. Structured data can be composed of many nested layers, composed of combinations of
metadata and raw data, with other simple or structured data.

Many properties of raw data or metadata may need to be validated upon entry into the code, such as:
specified quantities such as size, length, frequency, price, rate, number of operations, time, etc.
implied or derived quantities, such as the actual size of a file instead of a specified size
indexes, offsets, or positions into more complex data structures
symbolic keys or other elements into hash tables, associative arrays, etc.
well-formedness, i.e. syntactic correctness - compliance with expected syntax
lexical token correctness - compliance with rules for what is treated as a token
specified or derived type - the actual type of the input (or what the input appears to be)
consistency - between individual data elements, between raw data and metadata, between references, etc.
conformance to domain-specific rules, e.g. business logic
equivalence - ensuring that equivalent inputs are treated the same
authenticity, ownership, or other attestations about the input, e.g. a cryptographic signature to prove the source of the data

Implied or derived properties of data must often be calculated or inferred by the code itself. Errors in deriving properties
may be considered a contributing factor to improper input validation.

Note that "input validation" has very different meanings to different people, or within different classification schemes.
Caution must be used when referencing this CWE entry or mapping to it. For example, some weaknesses might involve
inadvertently giving control to an attacker over an input when they should not be able to provide an input at all, but
sometimes this is referred to as input validation.

Finally, it is important to emphasize that the distinctions between input validation and output escaping are often blurred,
and developers must be careful to understand the difference, including how input validation is not always sufficient to
prevent vulnerabilities, especially when less stringent data types must be supported, such as free-form text. Consider a
SQL injection scenario in which a person's last name is inserted into a query. The name "O'Reilly" would likely pass the
validation step since it is a common last name in the English language. However, this valid name cannot be directly
inserted into the database because it contains the "'" apostrophe character, which would need to be escaped or otherwise
transformed. In this case, removing the apostrophe might reduce the risk of SQL injection, but it would produce incorrect
behavior because the wrong name would be recorded.

Consequences

Scope: Availability
Impact: DoS: Crash, Exit, or Restart; DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory)
Notes: An attacker could provide unexpected values and cause a program crash or excessive consumption of resources,
such as memory and CPU.

Scope: Confidentiality
Impact: Read Memory; Read Files or Directories
Notes: An attacker could read confidential data if they are able to control resource references.

Scope: Integrity
Impact: Modify Memory; Execute Unauthorized Code or Commands
Notes: An attacker could use malicious input to modify data or possibly alter control flow in unexpected ways, including
arbitrary command execution.

Table 92: CWE ID 20 consequences

Mitigation

Architecture and Design:


Consider using language-theoretic security (LangSec) techniques that characterize inputs using a formal language and
build "recognizers" for that language. This effectively requires parsing to be a distinct layer that effectively enforces a
boundary between raw input and internal data representations, instead of allowing parser code to be scattered
throughout the program, where it could be subject to errors or inconsistencies that create weaknesses. [REF-1109]
[REF-1110] [REF-1111];
Architecture and Design:
Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework
does not automatically address all input validation problems; be mindful of weaknesses that could arise from
misusing the framework itself (CWE-1173);
Architecture and Design:
Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies,
anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL
components, e-mail, files, filenames, databases, and any external systems that provide data to the application.
Remember that such inputs may be obtained indirectly through API calls;
Implementation:
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable
inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or
transform it into something that does.When performing input validation, consider all potentially relevant properties,
including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across
related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically
valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors
such as "red" or "blue."Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at
least one undesirable input, especially if the code's environment changes. This can give attackers enough room to
bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which
inputs are so malformed that they should be rejected outright;
Architecture and Design:
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server
side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks
have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values
would be submitted to the server.Even though client-side checks provide minimal benefits with respect to server-side
security, they are still useful. First, they can support intrusion detection. If the server receives input that should have
been rejected by the client, then it may be an indication of an attack. Second, client-side error-checking can provide
helpful feedback to the user about the expectations for valid input. Third, there may be a reduction in server-side
processing time for accidental input errors, although this is typically a small savings;
Implementation:
When your application combines data from multiple sources, perform the validation after the sources have been
combined. The individual data elements may pass the validation step but violate the intended restrictions after they
have been combined;
Implementation:
Be especially careful to validate all input when invoking code that crosses language boundaries, such as from an
interpreted language to native code. This could create an unexpected interaction between the language boundaries.
Ensure that you are not violating any of the expectations of the language with which you are interfacing. For example,
even though Java may not be susceptible to buffer overflows, providing a large argument in a call to native code
might trigger an overflow;
Implementation:
Directly convert your input type into the expected data type, such as using a conversion function that translates a
string into a number. After converting to the expected data type, ensure that the input's values fall within the
expected range of allowable values and that multi-field consistencies are maintained;
Implementation:
Inputs should be decoded and canonicalized to the application's current internal representation before being
validated (CWE-180, CWE-181). Make sure that your application does not inadvertently decode the same input twice
(CWE-174). Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have
been checked. Use libraries such as the OWASP ESAPI Canonicalization control. Consider performing repeated
canonicalization until your input does not change any more. This will avoid double-decoding and similar scenarios,
but it might inadvertently modify inputs that are allowed to contain properly-encoded dangerous content;
Implementation:
When exchanging data between components, ensure that both components are using the same character encoding.
Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the
protocol allows you to do so.

CVE-2014-2131 MEDIUM

CVSS v2 Rating

Score: 6.1 (Medium)


Base: AV:A/AC:L/Au:N/C:N/I:N/A:C (6.1)
Temporal: E:ND/RL:ND/RC:ND (6.1)
Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND (6.1)

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

The packet driver in Cisco IOS allows remote attackers to cause a denial of service (device reload) via a series of (1) Virtual
Switching Systems (VSS) or (2) Bidirectional Forwarding Detection (BFD) packets, aka Bug IDs CSCug41049 and CSCue61890.

References

CISCO - 20140328 Cisco IOS Software High Priority Queue Denial of Service Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2131 (Vendor Advisory)

CVE-2014-3273 MEDIUM

CVSS v2 Rating

Score: 6.1 (Medium)


Base: AV:A/AC:L/Au:N/C:N/I:N/A:C (6.1)
Temporal: E:ND/RL:ND/RC:ND (6.1)
Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND (6.1)

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

The LLDP implementation in Cisco IOS allows remote attackers to cause a denial of service (device reload) via a malformed packet,
aka Bug ID CSCum96282.

References

CISCO - 20140519 Cisco IOS Software LLDP Denial of Service Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3273 (Vendor Advisory)
SECTRACK - 1030257 http://www.securitytracker.com/id/1030257 (Third Party Advisory, VDB Entry)

Common Weakness Information

Invictux performed a lookup of the CWE details as part of the vulnerability audit. This section details that information for
this finding.

Improper Input Validation

Information

CWE ID : 20
Likelihood : High
Related : Child of CWE ID 707, A peer of CWE ID 345, Can precede CWE ID 22, Can precede CWE ID 41, Can precede
CWE ID 74, Can precede CWE ID 119, Can precede CWE ID 770

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are
required to process the data safely and correctly.

Detail

Input validation is a frequently-used technique for checking potentially dangerous inputs in order to ensure that the inputs
are safe for processing within the code, or when communicating with other components. When software does not validate
input properly, an attacker is able to craft the input in a form that is not expected by the rest of the application. This will
lead to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a
resource, or arbitrary code execution.

Input validation is not the only technique for processing input, however. Other techniques attempt to transform
potentially-dangerous input into something safe, such as filtering (CWE-790) - which attempts to remove dangerous inputs -
or encoding/escaping (CWE-116), which attempts to ensure that the input is not misinterpreted when it is included in output
to another component. Other techniques exist as well (see CWE-138 for more examples).

Input validation can be applied to:
raw data - strings, numbers, parameters, file contents, etc.;
metadata - information about the raw data, such as headers or size.

Data can be simple or structured. Structured data can be composed of many nested layers, composed of combinations of
metadata and raw data, with other simple or structured data.

Many properties of raw data or metadata may need to be validated upon entry into the code, such as:
specified quantities such as size, length, frequency, price, rate, number of operations, time, etc.;
implied or derived quantities, such as the actual size of a file instead of a specified size;
indexes, offsets, or positions into more complex data structures;
symbolic keys or other elements into hash tables, associative arrays, etc.;
well-formedness, i.e. syntactic correctness - compliance with expected syntax;
lexical token correctness - compliance with rules for what is treated as a token;
specified or derived type - the actual type of the input (or what the input appears to be);
consistency - between individual data elements, between raw data and metadata, between references, etc.;
conformance to domain-specific rules, e.g. business logic;
equivalence - ensuring that equivalent inputs are treated the same;
authenticity, ownership, or other attestations about the input, e.g. a cryptographic signature to prove the source of the data.

Implied or derived properties of data must often be calculated or inferred by the code itself. Errors in deriving properties
may be considered a contributing factor to improper input validation.

Note that "input validation" has very different meanings to different people, or within different classification schemes.
Caution must be used when referencing this CWE entry or mapping to it. For example, some weaknesses might involve
inadvertently giving control to an attacker over an input when they should not be able to provide an input at all, but
sometimes this is referred to as input validation.

Finally, it is important to emphasize that the distinctions between input validation and output escaping are often blurred,
and developers must be careful to understand the difference, including how input validation is not always sufficient to
prevent vulnerabilities, especially when less stringent data types must be supported, such as free-form text. Consider a
SQL injection scenario in which a person's last name is inserted into a query. The name "O'Reilly" would likely pass the
validation step since it is a common last name in the English language. However, this valid name cannot be directly
inserted into the database because it contains the "'" apostrophe character, which would need to be escaped or otherwise
transformed. In this case, removing the apostrophe might reduce the risk of SQL injection, but it would produce incorrect
behavior because the wrong name would be recorded.

Consequences

Scope: Availability
Impact: DoS: Crash, Exit, or Restart; DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory)
Notes: An attacker could provide unexpected values and cause a program crash or excessive consumption of resources,
such as memory and CPU.

Scope: Confidentiality
Impact: Read Memory; Read Files or Directories
Notes: An attacker could read confidential data if they are able to control resource references.

Scope: Integrity
Impact: Modify Memory; Execute Unauthorized Code or Commands
Notes: An attacker could use malicious input to modify data or possibly alter control flow in unexpected ways, including
arbitrary command execution.

Table 93: CWE ID 20 consequences

Mitigation

Architecture and Design:
Consider using language-theoretic security (LangSec) techniques that characterize inputs using a formal language and
build "recognizers" for that language. This effectively requires parsing to be a distinct layer that effectively enforces a
boundary between raw input and internal data representations, instead of allowing parser code to be scattered
throughout the program, where it could be subject to errors or inconsistencies that create weaknesses. [REF-1109]
[REF-1110] [REF-1111];
Architecture and Design:
Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework
does not automatically address all input validation problems; be mindful of weaknesses that could arise from
misusing the framework itself (CWE-1173);
Architecture and Design:
Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies,
anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL
components, e-mail, files, filenames, databases, and any external systems that provide data to the application.
Remember that such inputs may be obtained indirectly through API calls;
Implementation:
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable
inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or
transform it into something that does. When performing input validation, consider all potentially relevant properties,
including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across
related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically
valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors
such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at
least one undesirable input, especially if the code's environment changes. This can give attackers enough room to
bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which
inputs are so malformed that they should be rejected outright;
Architecture and Design:
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server
side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks
have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values
would be submitted to the server. Even though client-side checks provide minimal benefits with respect to server-side
security, they are still useful. First, they can support intrusion detection. If the server receives input that should have
been rejected by the client, then it may be an indication of an attack. Second, client-side error-checking can provide
helpful feedback to the user about the expectations for valid input. Third, there may be a reduction in server-side
processing time for accidental input errors, although this is typically a small savings;
Implementation:
When your application combines data from multiple sources, perform the validation after the sources have been
combined. The individual data elements may pass the validation step but violate the intended restrictions after they
have been combined;
Implementation:
Be especially careful to validate all input when invoking code that crosses language boundaries, such as from an
interpreted language to native code. This could create an unexpected interaction between the language boundaries.
Ensure that you are not violating any of the expectations of the language with which you are interfacing. For example,
even though Java may not be susceptible to buffer overflows, providing a large argument in a call to native code
might trigger an overflow;
Implementation:
Directly convert your input type into the expected data type, such as using a conversion function that translates a
string into a number. After converting to the expected data type, ensure that the input's values fall within the
expected range of allowable values and that multi-field consistencies are maintained;
Implementation:
Inputs should be decoded and canonicalized to the application's current internal representation before being
validated (CWE-180, CWE-181). Make sure that your application does not inadvertently decode the same input twice
(CWE-174). Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have
been checked. Use libraries such as the OWASP ESAPI Canonicalization control. Consider performing repeated
canonicalization until your input does not change any more. This will avoid double-decoding and similar scenarios,
but it might inadvertently modify inputs that are allowed to contain properly-encoded dangerous content;
Implementation:
When exchanging data between components, ensure that both components are using the same character encoding.
Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the
protocol allows you to do so.

CVE-2014-7997 MEDIUM

CVSS v2 Rating

Score: 6.1 (Medium)


Base: AV:A/AC:L/Au:N/C:N/I:N/A:C (6.1)
Temporal: E:ND/RL:ND/RC:ND (6.1)
Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND (6.1)

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

The DHCP implementation in Cisco IOS on Aironet access points does not properly handle error conditions with short leases and
unsuccessful lease-renewal attempts, which allows remote attackers to cause a denial of service (device restart) by triggering a
transition into a recovery state that was intended to involve a network-interface restart but actually involves a full device restart,
aka Bug ID CSCtn16281.

References

CISCO - 20141114 Cisco Aironet DHCP Denial of Service Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-7997 (Vendor Advisory)
SECTRACK - 1031218 http://www.securitytracker.com/id/1031218
XF - cisco-aironet-cve20147997-dos(98691) https://exchange.xforce.ibmcloud.com/vulnerabilities/98691

CVE-2013-5499 MEDIUM

CVSS v2 Rating

Score: 5.7 (Medium)


Base: AV:A/AC:M/Au:N/C:N/I:N/A:C (5.7)
Temporal: E:ND/RL:ND/RC:ND (5.7)
Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND (5.7)

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

The remember feature in the DHCP server in Cisco IOS allows remote attackers to cause a denial of service (device reload) by
acquiring a lease and then sending a DHCPRELEASE message, aka Bug ID CSCuh46822.

References

CISCO - 20131007 Cisco IOS Software DHCP Server remember Functionality Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5499 (Vendor Advisory)

CVE-2013-5527 MEDIUM

CVSS v2 Rating

Score: 5.7 (Medium)


Base: AV:A/AC:M/Au:N/C:N/I:N/A:C (5.7)
Temporal: E:ND/RL:ND/RC:ND (5.7)
Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND (5.7)

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

The OSPF functionality in Cisco IOS and IOS XE allows remote attackers to cause a denial of service (device reload) via crafted
options in an LSA type 11 packet, aka Bug ID CSCui21030.

References

CISCO - 20131009 Cisco IOS Software OSPF Opaque LSA Denial of Service Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5527 (Vendor Advisory)
OSVDB - 98253 http://osvdb.org/98253
BID - 62904 http://www.securityfocus.com/bid/62904 (Third Party Advisory, VDB Entry)
XF - cisco-ios-cve20135527-dos(87762) https://exchange.xforce.ibmcloud.com/vulnerabilities/87762

Common Weakness Information

Invictux performed a lookup of the CWE details as part of the vulnerability audit. This section details that information for
this finding.

Improper Input Validation

Information

CWE ID : 20
Likelihood : High
Related : Child of CWE ID 707, A peer of CWE ID 345, Can precede CWE ID 22, Can precede CWE ID 41, Can precede
CWE ID 74, Can precede CWE ID 119, Can precede CWE ID 770

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are
required to process the data safely and correctly.

Detail

Input validation is a frequently-used technique for checking potentially dangerous inputs in order to ensure that the inputs
are safe for processing within the code, or when communicating with other components. When software does not validate
input properly, an attacker is able to craft the input in a form that is not expected by the rest of the application. This will
lead to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a
resource, or arbitrary code execution.

Input validation is not the only technique for processing input, however. Other techniques attempt to transform
potentially-dangerous input into something safe, such as filtering (CWE-790) - which attempts to remove dangerous inputs -
or encoding/escaping (CWE-116), which attempts to ensure that the input is not misinterpreted when it is included in output
to another component. Other techniques exist as well (see CWE-138 for more examples).

Input validation can be applied to:
raw data - strings, numbers, parameters, file contents, etc.;
metadata - information about the raw data, such as headers or size.

Data can be simple or structured. Structured data can be composed of many nested layers, composed of combinations of
metadata and raw data, with other simple or structured data.

Many properties of raw data or metadata may need to be validated upon entry into the code, such as:
specified quantities such as size, length, frequency, price, rate, number of operations, time, etc.;
implied or derived quantities, such as the actual size of a file instead of a specified size;
indexes, offsets, or positions into more complex data structures;
symbolic keys or other elements into hash tables, associative arrays, etc.;
well-formedness, i.e. syntactic correctness - compliance with expected syntax;
lexical token correctness - compliance with rules for what is treated as a token;
specified or derived type - the actual type of the input (or what the input appears to be);
consistency - between individual data elements, between raw data and metadata, between references, etc.;
conformance to domain-specific rules, e.g. business logic;
equivalence - ensuring that equivalent inputs are treated the same;
authenticity, ownership, or other attestations about the input, e.g. a cryptographic signature to prove the source of the data.

Implied or derived properties of data must often be calculated or inferred by the code itself. Errors in deriving properties
may be considered a contributing factor to improper input validation.

Note that "input validation" has very different meanings to different people, or within different classification schemes.
Caution must be used when referencing this CWE entry or mapping to it. For example, some weaknesses might involve
inadvertently giving control to an attacker over an input when they should not be able to provide an input at all, but
sometimes this is referred to as input validation.

Finally, it is important to emphasize that the distinctions between input validation and output escaping are often blurred,
and developers must be careful to understand the difference, including how input validation is not always sufficient to
prevent vulnerabilities, especially when less stringent data types must be supported, such as free-form text. Consider a
SQL injection scenario in which a person's last name is inserted into a query. The name "O'Reilly" would likely pass the
validation step since it is a common last name in the English language. However, this valid name cannot be directly
inserted into the database because it contains the "'" apostrophe character, which would need to be escaped or otherwise
transformed. In this case, removing the apostrophe might reduce the risk of SQL injection, but it would produce incorrect
behavior because the wrong name would be recorded.

Consequences

Scope: Availability
Impact: DoS: Crash, Exit, or Restart; DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory)
Notes: An attacker could provide unexpected values and cause a program crash or excessive consumption of resources,
such as memory and CPU.

Scope: Confidentiality
Impact: Read Memory; Read Files or Directories
Notes: An attacker could read confidential data if they are able to control resource references.

Scope: Integrity
Impact: Modify Memory; Execute Unauthorized Code or Commands
Notes: An attacker could use malicious input to modify data or possibly alter control flow in unexpected ways, including
arbitrary command execution.

Table 94: CWE ID 20 consequences

Mitigation

Architecture and Design:
Consider using language-theoretic security (LangSec) techniques that characterize inputs using a formal language and
build "recognizers" for that language. This effectively requires parsing to be a distinct layer that effectively enforces a
boundary between raw input and internal data representations, instead of allowing parser code to be scattered
throughout the program, where it could be subject to errors or inconsistencies that create weaknesses. [REF-1109]
[REF-1110] [REF-1111];
Architecture and Design:
Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework
does not automatically address all input validation problems; be mindful of weaknesses that could arise from
misusing the framework itself (CWE-1173);
Architecture and Design:
Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies,
anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL
components, e-mail, files, filenames, databases, and any external systems that provide data to the application.
Remember that such inputs may be obtained indirectly through API calls;
Implementation:
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable
inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or
transform it into something that does. When performing input validation, consider all potentially relevant properties,
including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across
related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically
valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors
such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at
least one undesirable input, especially if the code's environment changes. This can give attackers enough room to
bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which
inputs are so malformed that they should be rejected outright;
Architecture and Design:
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server
side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks
have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values
would be submitted to the server. Even though client-side checks provide minimal benefits with respect to server-side
security, they are still useful. First, they can support intrusion detection. If the server receives input that should have
been rejected by the client, then it may be an indication of an attack. Second, client-side error-checking can provide
helpful feedback to the user about the expectations for valid input. Third, there may be a reduction in server-side
processing time for accidental input errors, although this is typically a small savings;
Implementation:
When your application combines data from multiple sources, perform the validation after the sources have been
combined. The individual data elements may pass the validation step but violate the intended restrictions after they
have been combined;
Implementation:
Be especially careful to validate all input when invoking code that crosses language boundaries, such as from an
interpreted language to native code. This could create an unexpected interaction between the language boundaries.
Ensure that you are not violating any of the expectations of the language with which you are interfacing. For example,
even though Java may not be susceptible to buffer overflows, providing a large argument in a call to native code
might trigger an overflow;
Implementation:
Directly convert your input type into the expected data type, such as using a conversion function that translates a
string into a number. After converting to the expected data type, ensure that the input's values fall within the
expected range of allowable values and that multi-field consistencies are maintained;
Implementation:
Inputs should be decoded and canonicalized to the application's current internal representation before being
validated (CWE-180, CWE-181). Make sure that your application does not inadvertently decode the same input twice
(CWE-174). Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have
been checked. Use libraries such as the OWASP ESAPI Canonicalization control. Consider performing repeated
canonicalization until your input does not change any more. This will avoid double-decoding and similar scenarios,
but it might inadvertently modify inputs that are allowed to contain properly-encoded dangerous content;
Implementation:
When exchanging data between components, ensure that both components are using the same character encoding.
Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the
protocol allows you to do so.

CVE-2015-0632 MEDIUM

CVSS v2 Rating

Score: 5.7 (Medium)


Base: AV:A/AC:M/Au:N/C:N/I:N/A:C (5.7)
Temporal: E:ND/RL:ND/RC:ND (5.7)
Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND (5.7)

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

Race condition in the Neighbor Discovery (ND) protocol implementation in Cisco IOS and IOS XE allows remote attackers to cause
a denial of service via a flood of Router Solicitation messages on the local network, aka Bug ID CSCuo67770.

References

CISCO - 20150226 Vulnerability in IPv6 Neighbor Discovery in Cisco IOS and IOS-XE Software
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015-0632 (Vendor Advisory)
SECTRACK - 1031816 http://www.securitytracker.com/id/1031816
BID - 72797 http://www.securityfocus.com/bid/72797

Common Weakness Information

Invictux performed a lookup of the CWE details as part of the vulnerability audit. This section details that information for
this finding.

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Information

CWE ID : 362
Likelihood : Medium
Related : Child of CWE ID 691

The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary,
exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another
code sequence that is operating concurrently.

Detail

This can have security implications when the expected synchronization is in security-critical code, such as recording whether
a user is authenticated or modifying important state information that should not be influenced by an outsider.

A race condition occurs within concurrent environments, and is effectively a property of a code sequence. Depending on the
context, a code sequence may be in the form of a function call, a small number of instructions, a series of program
invocations, etc.

A race condition violates these properties, which are closely related:
Exclusivity - the code sequence is given exclusive access to the shared resource, i.e., no other code sequence can modify
properties of the shared resource before the original sequence has completed execution;
Atomicity - the code sequence is behaviorally atomic, i.e., no other thread or process can concurrently execute the same
sequence of instructions (or a subset) against the same resource.

A race condition exists when an "interfering code sequence" can still access the shared resource, violating exclusivity.
Programmers may assume that certain code sequences execute too quickly to be affected by an interfering code sequence;
when they are not, this violates atomicity. For example, the single "x++" statement may appear atomic at the code layer, but
it is actually non-atomic at the instruction layer, since it involves a read (the original value of x), followed by a computation
(x+1), followed by a write (save the result to x).

The interfering code sequence could be "trusted" or "untrusted." A trusted interfering code sequence occurs within the
program; it cannot be modified by the attacker, and it can only be invoked indirectly. An untrusted interfering code sequence
can be authored directly by the attacker, and typically it is external to the vulnerable program.

Consequences

Scope: Availability
Impact: DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory); DoS: Resource Consumption (Other)
Notes: When a race condition makes it possible to bypass a resource cleanup routine or trigger multiple initialization
routines, it may lead to resource exhaustion (CWE-400).

Scope: Availability
Impact: DoS: Crash, Exit, or Restart; DoS: Instability
Notes: When a race condition allows multiple control flows to access a resource simultaneously, it might lead the
program(s) into unexpected states, possibly resulting in a crash.

Scope: Confidentiality
Impact: Read Files or Directories; Read Application Data
Notes: When a race condition is combined with predictable resource names and loose permissions, it may be possible for
an attacker to overwrite or access confidential data (CWE-59).

Table 95: CWE ID 362 consequences

Mitigation

Architecture and Design:
In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the
impact on performance;
Architecture and Design:
Use thread-safe capabilities such as the data access abstraction in Spring;
Architecture and Design:
Minimize the usage of shared resources in order to remove as much complexity as possible from the control flow and
to reduce the likelihood of unexpected conditions occurring. Additionally, this will minimize the amount of
synchronization necessary and may even help to reduce the likelihood of a denial of service where an attacker may be
able to repeatedly trigger a critical section (CWE-400);
Implementation:
When using multithreading and operating on shared variables, only use thread-safe functions;
Implementation:
Use atomic operations on shared variables. Be wary of innocent-looking constructs such as "x++". This may appear
atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read, followed by a
computation, followed by a write;
Implementation:
Use a mutex if available, but be sure to avoid related weaknesses such as CWE-412;
Implementation:
Avoid double-checked locking (CWE-609) and other implementation errors that arise when trying to avoid the
overhead of synchronization;
Implementation:
Disable interrupts or signals over critical parts of the code, but also make sure that the code does not go into a large
or infinite loop;
Implementation:
Use the volatile type modifier for critical variables to avoid unexpected compiler optimization or reordering. This does
not necessarily solve the synchronization problem, but it can help;
Architecture and Design:
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible,
create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will
not immediately give the attacker access to the rest of the software or its environment. For example, database
applications rarely need to run as the database administrator, especially in day-to-day operations.
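The "x++" point in the list above is easiest to see running. The following is an added example written for this report, not code from the CWE entry or from any audited product: it splits a shared-counter increment into its read, compute and write steps, uses a barrier to make every thread read before any of them writes, and shows the lost update that results next to the same increment serialised by a mutex. The Counter class and the barrier-forced interleaving are constructed for the demonstration; a real scheduler produces the same loss only intermittently, which is why such bugs survive testing.

```python
"""Lost-update race on a shared counter, with and without a mutex.

Constructed demonstration of the CWE-362 point that "x++" is a read,
a computation and a write.  A Barrier forces every thread to finish its
read before any thread writes, so the lost update is reproduced every
run instead of depending on scheduler luck.
"""
import threading


class Counter:
    """Shared counter whose increment is deliberately written as the
    three steps a single 'x++' compiles to."""

    def __init__(self) -> None:
        self.value = 0
        self.lock = threading.Lock()

    def increment_unsafe(self, barrier: threading.Barrier) -> None:
        current = self.value        # read
        barrier.wait()              # every thread has now read the same value
        self.value = current + 1    # compute + write: later writers clobber earlier ones

    def increment_locked(self, barrier: threading.Barrier) -> None:
        # Threads still arrive together at the barrier; the mutex is what
        # serialises the whole read-modify-write sequence.
        barrier.wait()
        with self.lock:
            current = self.value
            self.value = current + 1


def run_increments(locked: bool, workers: int = 2) -> int:
    """Run `workers` threads that each increment once; return the final value.

    The correct result is `workers`.  The unsafe variant returns 1 for any
    number of workers, because all of them read 0 before any of them wrote.
    """
    counter = Counter()
    barrier = threading.Barrier(workers)
    target = counter.increment_locked if locked else counter.increment_unsafe
    threads = [threading.Thread(target=target, args=(barrier,)) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return counter.value


if __name__ == "__main__":
    print("unsafe:", run_increments(locked=False, workers=4))  # 1: three increments lost
    print("locked:", run_increments(locked=True, workers=4))   # 4
```

The barrier stands in for the unlucky preemption between the read and the write; remove it and the unsafe variant usually returns the right answer, which is exactly the false reassurance the mitigation list warns about.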

CVE-2013-1100 MEDIUM

CVSS v2 Rating

Score: 5.4 (Medium)


Base: AV:N/AC:H/Au:N/C:N/I:N/A:C (5.4)
Temporal: E:ND/RL:ND/RC:ND (5.4)
Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND (5.4)

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

The HTTP server in Cisco IOS on Catalyst switches does not properly handle TCP socket events, which allows remote attackers to
cause a denial of service (device crash) via crafted packets on TCP port (1) 80 or (2) 443, aka Bug ID CSCuc53853.

References

CISCO - 20130130 Cisco IOS Software HTTP Server Denial of Service Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1100

CVE-2000-0486 MEDIUM

CVSS v2 Rating

Score: 5.0 (Medium)


Base: AV:N/AC:L/Au:N/C:N/I:N/A:P (5.0)
Temporal: E:ND/RL:ND/RC:ND (5.0)
Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND (5.0)

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

Buffer overflow in Cisco TACACS+ tac_plus server allows remote attackers to cause a denial of service via a malformed packet with
a long length field.

References

BUGTRAQ - 20000530 An Analysis of the TACACS+ Protocol and its Implementations
http://archives.neohapsis.com/archives/bugtraq/2000-05/0369.html (Patch, Vendor Advisory)
CONFIRM - http://archives.neohapsis.com/archives/bugtraq/2000-05/0370.html
BID - 1293 http://www.securityfocus.com/bid/1293
XF - tacacsplus-packet-length-dos(4985) https://exchange.xforce.ibmcloud.com/vulnerabilities/4985

CVE-2006-3906 MEDIUM

CVSS v2 Rating

Score: 5.0 (Medium)


Base: AV:N/AC:L/Au:N/C:N/I:N/A:P (5.0)
Temporal: E:ND/RL:ND/RC:ND (5.0)
Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND (5.0)

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

Internet Key Exchange (IKE) version 1 protocol, as implemented on Cisco IOS, VPN 3000 Concentrators, and PIX firewalls, allows
remote attackers to cause a denial of service (resource exhaustion) via a flood of IKE Phase-1 packets that exceed the session
expiration rate. NOTE: it has been argued that this is due to a design weakness of the IKE version 1 protocol, in which case other
vendors and implementations would also be affected.
References

MISC - http://www.nta-monitor.com/posts/2006/07/cisco-concentrator-dos.html
CISCO - 20060726 Internet Key Exchange Resource Exhaustion Attack
http://www.cisco.com/en/US/tech/tk583/tk372/tsd_technology_security_response09186a00806f33d4.html
BID - 19176 http://www.securityfocus.com/bid/19176
SECTRACK - 1016582 http://securitytracker.com/id?1016582
BUGTRAQ - 20060728 Re: Cisco VPN Concentrator IKE resource exhaustion DoS Advisory
http://archives.neohapsis.com/archives/bugtraq/2006-07/0531.html
OSVDB - 29068 http://www.osvdb.org/29068
SREASON - 1293 http://securityreason.com/securityalert/1293
XF - cisco-ike-resource-exhaustion-dos(27972) https://exchange.xforce.ibmcloud.com/vulnerabilities/27972
OVAL - oval:org.mitre.oval:def:5299
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5299
BUGTRAQ - 20060726 Cisco VPN Concentrator IKE resource exhaustion DoS Advisory
http://www.securityfocus.com/archive/1/441203/100/0/threaded

CVE-2007-5550 MEDIUM

CVSS v2 Rating

Score: 5.0 (Medium)


Base: AV:N/AC:L/Au:N/C:P/I:N/A:N (5.0)
Temporal: E:ND/RL:ND/RC:ND (5.0)
Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND (5.0)

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

Unspecified vulnerability in Cisco IOS allows remote attackers to obtain the IOS version via unspecified vectors involving a
"common network service", aka PSIRT-1255024833. NOTE: as of 20071016, the only disclosure is a vague pre-advisory with no
actionable information. However, since it is from a well-known researcher, it is being assigned a CVE identifier for tracking
purposes.

References

MISC - http://www.irmplc.com/index.php/111-Vendor-Alerts

Common Weakness Information


Invictux performed a lookup of the CWE details as part of the vulnerability audit. This section details that information for
this finding.

Exposure of Sensitive Information to an Unauthorized Actor

Information

CWE ID : 200
Likelihood : High
Related : Child of CWE ID 668

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Detail

There are many different kinds of mistakes that introduce information exposures. The severity of the error can range widely, depending on the context in which the product operates, the type of sensitive information that is revealed, and the benefits it may provide to an attacker. Some kinds of sensitive information include:

- private, personal information, such as personal messages, financial data, health records, geographic location, or contact details;
- system status and environment, such as the operating system and installed packages;
- business secrets and intellectual property;
- network status and configuration;
- the product's own code or internal state;
- metadata, e.g. logging of connections or message headers;
- indirect information, such as a discrepancy between two internal operations that can be observed by an outsider.

Information might be sensitive to different parties, each of which may have their own expectations for whether the information should be protected. These parties include:

- the product's own users;
- people or organizations whose information is created or used by the product, even if they are not direct product users;
- the product's administrators, including the admins of the system(s) and/or networks on which the product operates;
- the developer.

Information exposures can occur in different ways:

- the code explicitly inserts sensitive information into resources or messages that are intentionally made accessible to unauthorized actors, but should not contain the information, i.e., the information should have been "scrubbed" or "sanitized";
- a different weakness or mistake indirectly inserts the sensitive information into resources, such as a web script error revealing the full system path of the program;
- the code manages resources that intentionally contain sensitive information, but the resources are unintentionally made accessible to unauthorized actors. In this case, the information exposure is resultant, i.e., a different weakness enabled the access to the information in the first place.

It is common practice to describe any loss of confidentiality as an "information exposure," but this can lead to overuse of CWE-200 in CWE mapping. From the CWE perspective, loss of confidentiality is a technical impact that can arise from dozens of different weaknesses, such as insecure file permissions or out-of-bounds read. CWE-200 and its lower-level descendants are intended to cover the mistakes that occur in behaviors that explicitly manage, store, transfer, or cleanse sensitive information.

Consequences

Scope Impact Notes

Confidentiality Read Application Data

Table 96: CWE ID 200 consequences


Mitigation

Architecture and Design: Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and that the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

CVE-2013-3436 MEDIUM

CVSS v2 Rating

Score: 5.0 (Medium)


Base: AV:N/AC:L/Au:N/C:P/I:N/A:N (5.0)
Temporal: E:ND/RL:ND/RC:ND (5.0)
Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND (5.0)

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

The default configuration of the Group Encrypted Transport VPN (GET VPN) feature on Cisco IOS uses an improper mechanism for
enabling Group Domain of Interpretation (GDOI) traffic flow, which allows remote attackers to bypass the encryption policy via
certain uses of UDP port 848, aka Bug ID CSCui07698.

References

CISCO - 20130718 Cisco IOS GET VPN Encryption Policy Bypass Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-3436 (Vendor Advisory)
OSVDB - 95460 http://osvdb.org/95460
CONFIRM - http://tools.cisco.com/security/center/viewAlert.x?alertId=30140 (Vendor Advisory)
SECTRACK - 1028810 http://www.securitytracker.com/id/1028810
BID - 61362 http://www.securityfocus.com/bid/61362
XF - ciscoios-cve20133436-sec-bypass(85868) https://exchange.xforce.ibmcloud.com/vulnerabilities/85868

CVE-2014-3309 MEDIUM

CVSS v2 Rating
Score: 5.0 (Medium)
Base: AV:N/AC:L/Au:N/C:P/I:N/A:N (5.0)
Temporal: E:ND/RL:ND/RC:ND (5.0)
Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND (5.0)

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

The NTP implementation in Cisco IOS and IOS XE does not properly support use of the access-group command for a "deny all"
configuration, which allows remote attackers to bypass intended restrictions on time synchronization via a standard query, aka
Bug ID CSCuj66318.

References

CISCO - 20140708 Cisco IOS and IOS XE Software NTP Access Group Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3309 (Vendor Advisory)
SECTRACK - 1030549 http://www.securitytracker.com/id/1030549
BID - 68463 http://www.securityfocus.com/bid/68463
XF - ciscoios-cve20143309-info-disc(94420) https://exchange.xforce.ibmcloud.com/vulnerabilities/94420

CVE-2014-7992 MEDIUM

CVSS v2 Rating

Score: 5.0 (Medium)


Base: AV:N/AC:L/Au:N/C:P/I:N/A:N (5.0)
Temporal: E:ND/RL:ND/RC:ND (5.0)
Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND (5.0)

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

The DLSw implementation in Cisco IOS does not initialize packet buffers, which allows remote attackers to obtain sensitive
credential information from process memory via a session on TCP port 2067, aka Bug ID CSCur14014.
References

CISCO - 20141117 Cisco IOS DLSw Information Disclosure Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-7992 (Vendor Advisory)
CONFIRM - http://tools.cisco.com/security/center/viewAlert.x?alertId=36453 (Vendor Advisory)
SECTRACK - 1031220 http://www.securitytracker.com/id/1031220
BID - 71145 http://www.securityfocus.com/bid/71145
XF - ciscoios-cve20147992-info-disc(98724) https://exchange.xforce.ibmcloud.com/vulnerabilities/98724

Common Weakness Information

Invictux performed a lookup of the CWE details as part of the vulnerability audit. This section details that information for
this finding.

Exposure of Sensitive Information to an Unauthorized Actor

Information

CWE ID : 200
Likelihood : High
Related : Child of CWE ID 668

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Detail

There are many different kinds of mistakes that introduce information exposures. The severity of the error can range widely, depending on the context in which the product operates, the type of sensitive information that is revealed, and the benefits it may provide to an attacker. Some kinds of sensitive information include:

- private, personal information, such as personal messages, financial data, health records, geographic location, or contact details;
- system status and environment, such as the operating system and installed packages;
- business secrets and intellectual property;
- network status and configuration;
- the product's own code or internal state;
- metadata, e.g. logging of connections or message headers;
- indirect information, such as a discrepancy between two internal operations that can be observed by an outsider.

Information might be sensitive to different parties, each of which may have their own expectations for whether the information should be protected. These parties include:

- the product's own users;
- people or organizations whose information is created or used by the product, even if they are not direct product users;
- the product's administrators, including the admins of the system(s) and/or networks on which the product operates;
- the developer.

Information exposures can occur in different ways:

- the code explicitly inserts sensitive information into resources or messages that are intentionally made accessible to unauthorized actors, but should not contain the information, i.e., the information should have been "scrubbed" or "sanitized";
- a different weakness or mistake indirectly inserts the sensitive information into resources, such as a web script error revealing the full system path of the program;
- the code manages resources that intentionally contain sensitive information, but the resources are unintentionally made accessible to unauthorized actors. In this case, the information exposure is resultant, i.e., a different weakness enabled the access to the information in the first place.

It is common practice to describe any loss of confidentiality as an "information exposure," but this can lead to overuse of CWE-200 in CWE mapping. From the CWE perspective, loss of confidentiality is a technical impact that can arise from dozens of different weaknesses, such as insecure file permissions or out-of-bounds read. CWE-200 and its lower-level descendants are intended to cover the mistakes that occur in behaviors that explicitly manage, store, transfer, or cleanse sensitive information.

Consequences

Scope Impact Notes

Confidentiality Read Application Data

Table 97: CWE ID 200 consequences

Mitigation

Architecture and Design: Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and that the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
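Several of the findings above (CVE-2013-1100, CVE-2006-3906, CVE-2013-3436, CVE-2014-3309 and CVE-2014-7992) were matched on the IOS version alone, but each one needs a particular service to be enabled on the switch before it is reachable: the HTTP server on TCP 80/443, IKEv1, GET VPN/GDOI on UDP 848, an NTP access-group that relies on a deny-only ACL, or DLSw. The check below is an added example, not part of the audit tool or of Cisco's advisories. It reads a `show running-config` capture and reports which of those features are on. The configuration text is a constructed sample rather than the audited device's own, the command forms it looks for are standard IOS syntax, the feature-to-CVE mapping is this example's triage heuristic rather than anything the NVD entries state, and a feature reported as enabled means "still exposed, review", not a confirmed vulnerability.

```python
"""Triage the version-matched findings above against the running configuration.

Constructed example: reads a `show running-config` capture and reports, for
each CVE in this section that depends on a listening service or feature,
whether that feature is enabled.  The configuration below is a made-up
sample, not the audited switch; the feature-to-CVE mapping is a triage
heuristic ("enabled" means "still exposed, review"), not a statement taken
from NVD or the Cisco advisories.
"""
import re

# Constructed sample configuration (not the audited device).
SAMPLE_RUNNING_CONFIG = """\
hostname CORE-SW-SAMPLE
!
ip http server
no ip http secure-server
!
access-list 10 deny   any
!
ntp access-group peer 10
ntp server 192.0.2.10
!
crypto isakmp policy 10
 encr aes
!
dlsw local-peer peer-id 192.0.2.1
!
line vty 0 4
 transport input ssh
"""


def parse_config(text: str) -> list[str]:
    """Drop comment ('!') and blank lines; strip indentation from sub-mode lines."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("!")]


def acl_is_deny_only(lines: list[str], acl: str) -> bool:
    """True if numbered ACL `acl` exists and has no permit entry at all."""
    entries = [ln for ln in lines if re.match(rf"access-list {re.escape(acl)}\s", ln)]
    return bool(entries) and not any(" permit " in f" {ln} " for ln in entries)


def exposed_findings(config_text: str) -> dict[str, bool]:
    """Map each feature-dependent CVE in this section to 'feature enabled'."""
    lines = parse_config(config_text)
    present = set(lines)

    http_on = "ip http server" in present or "ip http secure-server" in present
    ikev1_on = any(ln.startswith("crypto isakmp policy") for ln in lines)
    gdoi_on = any(ln.startswith("crypto gdoi group") for ln in lines)
    dlsw_on = any(ln.startswith("dlsw local-peer") for ln in lines)

    # CVE-2014-3309: an ntp access-group whose ACL only denies is the very
    # "deny all" configuration the finding says is not enforced.
    ntp_deny_only = False
    for ln in lines:
        m = re.match(r"ntp access-group (?:peer|serve|serve-only|query-only) (\S+)", ln)
        if m and acl_is_deny_only(lines, m.group(1)):
            ntp_deny_only = True

    return {
        "CVE-2013-1100": http_on,        # HTTP server DoS, TCP 80/443
        "CVE-2006-3906": ikev1_on,       # IKEv1 phase-1 flood
        "CVE-2013-3436": gdoi_on,        # GET VPN GDOI, UDP 848
        "CVE-2014-3309": ntp_deny_only,  # deny-all ntp access-group bypass
        "CVE-2014-7992": dlsw_on,        # DLSw memory disclosure, TCP 2067
    }


if __name__ == "__main__":
    for cve, on in exposed_findings(SAMPLE_RUNNING_CONFIG).items():
        print(f"{cve}: {'feature enabled, review' if on else 'feature off'}")
```

On the sample, GET VPN is reported off and can be closed as not applicable, while the HTTP server, IKEv1, DLSw and the deny-only NTP access-group are reported on; the reviewer then decides between upgrading and turning the feature off (for example `no ip http server`, or replacing the deny-only ACL with one that permits only the intended NTP peers).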

CVE-2015-0659 MEDIUM

CVSS v2 Rating

Score: 5.0 (Medium)


Base: AV:N/AC:L/Au:N/C:N/I:P/A:N (5.0)
Temporal: E:ND/RL:ND/RC:ND (5.0)
Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND (5.0)

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

The Autonomic Networking Infrastructure (ANI) implementation in Cisco IOS allows remote attackers to trigger self-referential
adjacencies via a crafted Autonomic Networking (AN) message, aka Bug ID CSCup62157.

References
CISCO - 20150305 Cisco IOS Autonomic Networking Infrastructure Self-Referential Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015-0659 (Vendor Advisory)
SECTRACK - 1031845 http://www.securitytracker.com/id/1031845

CVE-2015-0606 MEDIUM

CVSS v2 Rating

Score: 4.9 (Medium)


Base: AV:L/AC:L/Au:N/C:N/I:N/A:C (4.9)
Temporal: E:ND/RL:ND/RC:ND (4.9)
Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND (4.9)

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

The IOS Shell in Cisco IOS allows local users to cause a denial of service (device crash) via unspecified commands, aka Bug ID
CSCur59696.

References

CISCO - 20150210 Cisco IOS Shell Denial of Service Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015-0606 (Vendor Advisory)
SECTRACK - 1031717 http://www.securitytracker.com/id/1031717
BID - 72550 http://www.securityfocus.com/bid/72550
XF - ciscoios-cve20150606-dos(100810) https://exchange.xforce.ibmcloud.com/vulnerabilities/100810

Common Weakness Information

Invictux performed a lookup of the CWE details as part of the vulnerability audit. This section details that information for
this finding.

Improper Input Validation

Information

CWE ID : 20
Likelihood : High
Related : Child of CWE ID 707, A peer of CWE ID 345, Can precede CWE ID 22, Can precede CWE ID 41, Can precede
CWE ID 74, Can precede CWE ID 119, Can precede CWE ID 770

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are
required to process the data safely and correctly.

Detail

Input validation is a frequently-used technique for checking potentially dangerous inputs in order to ensure that the inputs are safe for processing within the code, or when communicating with other components. When software does not validate input properly, an attacker is able to craft the input in a form that is not expected by the rest of the application. This will lead to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution.

Input validation is not the only technique for processing input, however. Other techniques attempt to transform potentially-dangerous input into something safe, such as filtering (CWE-790), which attempts to remove dangerous inputs, or encoding/escaping (CWE-116), which attempts to ensure that the input is not misinterpreted when it is included in output to another component. Other techniques exist as well (see CWE-138 for more examples).

Input validation can be applied to:

- raw data: strings, numbers, parameters, file contents, etc.;
- metadata: information about the raw data, such as headers or size.

Data can be simple or structured. Structured data can be composed of many nested layers, composed of combinations of metadata and raw data, with other simple or structured data.

Many properties of raw data or metadata may need to be validated upon entry into the code, such as:

- specified quantities such as size, length, frequency, price, rate, number of operations, time, etc.;
- implied or derived quantities, such as the actual size of a file instead of a specified size;
- indexes, offsets, or positions into more complex data structures;
- symbolic keys or other elements into hash tables, associative arrays, etc.;
- well-formedness, i.e. syntactic correctness: compliance with expected syntax;
- lexical token correctness: compliance with rules for what is treated as a token;
- specified or derived type: the actual type of the input (or what the input appears to be);
- consistency: between individual data elements, between raw data and metadata, between references, etc.;
- conformance to domain-specific rules, e.g. business logic;
- equivalence: ensuring that equivalent inputs are treated the same;
- authenticity, ownership, or other attestations about the input, e.g. a cryptographic signature to prove the source of the data.

Implied or derived properties of data must often be calculated or inferred by the code itself. Errors in deriving properties may be considered a contributing factor to improper input validation.

Note that "input validation" has very different meanings to different people, or within different classification schemes. Caution must be used when referencing this CWE entry or mapping to it. For example, some weaknesses might involve inadvertently giving control to an attacker over an input when they should not be able to provide an input at all, but sometimes this is referred to as input validation.

Finally, it is important to emphasize that the distinctions between input validation and output escaping are often blurred, and developers must be careful to understand the difference, including how input validation is not always sufficient to prevent vulnerabilities, especially when less stringent data types must be supported, such as free-form text. Consider a SQL injection scenario in which a person's last name is inserted into a query. The name "O'Reilly" would likely pass the validation step since it is a common last name in the English language. However, this valid name cannot be directly inserted into the database because it contains the "'" apostrophe character, which would need to be escaped or otherwise transformed. In this case, removing the apostrophe might reduce the risk of SQL injection, but it would produce incorrect behavior because the wrong name would be recorded.

Consequences

Scope | Impact | Notes
Availability | DoS: Crash, Exit, or Restart; DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory) | An attacker could provide unexpected values and cause a program crash or excessive consumption of resources, such as memory and CPU.
Confidentiality | Read Memory; Read Files or Directories | An attacker could read confidential data if they are able to control resource references.
Integrity | Modify Memory; Execute Unauthorized Code or Commands | An attacker could use malicious input to modify data or possibly alter control flow in unexpected ways, including arbitrary command execution.

Table 98: CWE ID 20 consequences

Mitigation

Architecture and Design: Consider using language-theoretic security (LangSec) techniques that characterize inputs using a formal language and build "recognizers" for that language. This effectively requires parsing to be a distinct layer that enforces a boundary between raw input and internal data representations, instead of allowing parser code to be scattered throughout the program, where it could be subject to errors or inconsistencies that create weaknesses. [REF-1109] [REF-1110] [REF-1111]

Architecture and Design: Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework does not automatically address all input validation problems; be mindful of weaknesses that could arise from misusing the framework itself (CWE-1173).

Architecture and Design: Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.

Implementation: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

Architecture and Design: For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. Even though client-side checks provide minimal benefits with respect to server-side security, they are still useful. First, they can support intrusion detection. If the server receives input that should have been rejected by the client, then it may be an indication of an attack. Second, client-side error-checking can provide helpful feedback to the user about the expectations for valid input. Third, there may be a reduction in server-side processing time for accidental input errors, although this is typically a small savings.

Implementation: When your application combines data from multiple sources, perform the validation after the sources have been combined. The individual data elements may pass the validation step but violate the intended restrictions after they have been combined.

Implementation: Be especially careful to validate all input when invoking code that crosses language boundaries, such as from an interpreted language to native code. This could create an unexpected interaction between the language boundaries. Ensure that you are not violating any of the expectations of the language with which you are interfacing. For example, even though Java may not be susceptible to buffer overflows, providing a large argument in a call to native code might trigger an overflow.

Implementation: Directly convert your input type into the expected data type, such as using a conversion function that translates a string into a number. After converting to the expected data type, ensure that the input's values fall within the expected range of allowable values and that multi-field consistencies are maintained.

Implementation: Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180, CWE-181). Make sure that your application does not inadvertently decode the same input twice (CWE-174). Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked. Use libraries such as the OWASP ESAPI Canonicalization control. Consider performing repeated canonicalization until your input does not change any more. This will avoid double-decoding and similar scenarios, but it might inadvertently modify inputs that are allowed to contain properly-encoded dangerous content.

Implementation: When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so.
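The O'Reilly case in the CWE-20 text above, together with the canonicalize-then-validate and convert-then-range-check items in the list, come together in the following added example, written for this report and not taken from the CWE entry or from the OWASP ESAPI it mentions. It percent-decodes a query-string value exactly once, normalizes it to Unicode NFC, then applies an allowlist and rejects anything still carrying a percent sign rather than decoding again (the CWE-174 mistake), which is the decode-once alternative to the repeated-canonicalization approach the list also describes. The accepted name is written through a parameterized sqlite3 query, so the apostrophe in O'Reilly is kept rather than stripped. The allowlist pattern, the 64-character bound and the age range are assumed policy for the example; the table and the sample inputs are constructed.

```python
"""Canonicalize once, validate against an allowlist, then use the value safely.

Constructed example implementing the CWE-20 guidance for two inputs: a
surname arriving percent-encoded in a query string, and an age.  The
surname is decoded exactly once and NFC-normalized before the allowlist
check (CWE-180/181); anything that still carries a '%' after that single
decode is rejected rather than decoded again (CWE-174).  The accepted
value reaches the database through a bound parameter, so O'Reilly keeps
its apostrophe.  Allowlist, length bound and age range are assumed policy.
"""
import re
import sqlite3
import unicodedata
from urllib.parse import unquote

MAX_NAME_LEN = 64  # assumed bound
# A letter from any script, then letters or the separators that occur in
# real surnames (apostrophe, hyphen, space).  Assumed policy.
_NAME_RE = re.compile(r"^[^\W\d_](?:[^\W\d_]|['\- ]){0,63}$")


class InvalidInput(ValueError):
    """Raised for any input that fails validation; callers reject, never repair."""


def canonicalize(raw: str) -> str:
    """Percent-decode exactly once, then normalize to NFC.

    The caller must treat the result as final: decoding it again would turn
    %2527 -> %27 -> ' after validation, which is the CWE-174 bypass.
    """
    try:
        decoded = unquote(raw, errors="strict")
    except UnicodeDecodeError as exc:
        raise InvalidInput("invalid UTF-8 in percent-encoding") from exc
    return unicodedata.normalize("NFC", decoded)


def validate_last_name(raw: str) -> str:
    """Accept-known-good check on the canonical form."""
    name = canonicalize(raw)
    if len(name) > MAX_NAME_LEN:
        raise InvalidInput("too long")
    if "%" in name:
        # Either a literal percent sign or a still-encoded payload; neither
        # belongs in a surname, and we refuse to find out by decoding again.
        raise InvalidInput("residual percent-encoding")
    if not _NAME_RE.match(name):
        raise InvalidInput("characters outside allowlist")
    return name


def is_valid_last_name(raw: str) -> bool:
    try:
        validate_last_name(raw)
        return True
    except InvalidInput:
        return False


def validate_age(raw: str) -> int:
    """Convert to the expected type first, then range-check the converted value."""
    try:
        age = int(raw, 10)
    except ValueError as exc:
        raise InvalidInput("not an integer") from exc
    if not 0 <= age <= 150:  # assumed range
        raise InvalidInput("out of range")
    return age


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (last_name TEXT NOT NULL, age INTEGER NOT NULL)")
    return conn


def store_person(conn: sqlite3.Connection, raw_name: str, raw_age: str) -> str:
    """Validate both fields, insert with bound parameters, return the stored name."""
    name = validate_last_name(raw_name)
    age = validate_age(raw_age)
    conn.execute("INSERT INTO people (last_name, age) VALUES (?, ?)", (name, age))
    row = conn.execute("SELECT last_name FROM people WHERE last_name = ?", (name,)).fetchone()
    return row[0]


if __name__ == "__main__":
    db = new_db()
    print(store_person(db, "O%27Reilly", "41"))  # O'Reilly, apostrophe intact
    for bad in ("O%2527Reilly", "Smith%3B+DROP+TABLE+people", "<b>x</b>"):
        print(bad, "->", "accepted" if is_valid_last_name(bad) else "rejected")
```

The double-encoded `O%2527Reilly` is the case the list's CWE-174 item is about: a validator that decodes, checks, and then lets a later layer decode again would see a clean `O%27Reilly`, pass it, and hand `O'Reilly` (or a payload built the same way) to the query. Rejecting the residual percent sign closes that path without touching the legitimate `O%27Reilly`, and the bound parameter removes the need to strip or escape the apostrophe at all.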

CVE-2013-1136 MEDIUM

CVSS v2 Rating

Score: 4.6 (Medium)


Base: AV:L/AC:L/Au:S/C:N/I:N/A:C (4.6)
Temporal: E:ND/RL:ND/RC:ND (4.6)
Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND (4.6)

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

The crypto engine process in Cisco IOS on Aggregation Services Router (ASR) Route Processor 2 does not properly manage
memory, which allows local users to cause a denial of service (route processor crash) by creating multiple tunnels and then
examining encryption statistics, aka Bug ID CSCuc52193.

References
CISCO - 20130510 Cisco ASR Route Processor 2 Dynamic Multipoint Virtual Private Network Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1136 (Vendor Advisory)

CVE-2007-5547 MEDIUM

CVSS v2 Rating

Score: 4.3 (Medium)


Base: AV:N/AC:M/Au:N/C:N/I:P/A:N (4.3)
Temporal: E:ND/RL:ND/RC:ND (4.3)
Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND (4.3)

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

Cross-site scripting (XSS) vulnerability in Cisco IOS allows remote attackers to inject arbitrary web script or HTML, and execute IOS
commands, via unspecified vectors, aka PSIRT-2022590358. NOTE: as of 20071016, the only disclosure is a vague pre-advisory
with no actionable information. However, since it is from a well-known researcher, it is being assigned a CVE identifier for tracking
purposes.

References

MISC - http://www.irmplc.com/index.php/111-Vendor-Alerts
OSVDB - 43742 http://osvdb.org/43742

Common Weakness Information

Invictux performed a lookup of the CWE details as part of the vulnerability audit. This section details that information for this
finding.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Information

CWE ID : 79
Likelihood : High
Related : Child of CWE ID 74, Can precede CWE ID 494, A peer of CWE ID 352

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a
web page that is served to other users.

Detail

Cross-site scripting (XSS) vulnerabilities occur when:

1. Untrusted data enters a web application, typically from a web request.
2. The web application dynamically generates a web page that contains this untrusted data.
3. During page generation, the application does not prevent the data from containing content that is executable by a web browser, such as JavaScript, HTML tags, HTML attributes, mouse events, Flash, ActiveX, etc.
4. A victim visits the generated web page through a web browser, which contains malicious script that was injected using the untrusted data.
5. Since the script comes from a web page that was sent by the web server, the victim's web browser executes the malicious script in the context of the web server's domain.
6. This effectively violates the intention of the web browser's same-origin policy, which states that scripts in one domain should not be able to access resources or run code in a different domain.

There are three main kinds of XSS:

Type 1: Reflected XSS (or Non-Persistent) - The server reads data directly from the HTTP request and reflects it back in the HTTP response. Reflected XSS exploits occur when an attacker causes a victim to supply dangerous content to a vulnerable web application, which is then reflected back to the victim and executed by the web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to the victim. URLs constructed in this manner constitute the core of many phishing schemes, whereby an attacker convinces a victim to visit a URL that refers to a vulnerable site. After the site reflects the attacker's content back to the victim, the content is executed by the victim's browser.

Type 2: Stored XSS (or Persistent) - The application stores dangerous data in a database, message forum, visitor log, or other trusted data store. At a later time, the dangerous data is subsequently read back into the application and included in dynamic content. From an attacker's perspective, the optimal place to inject malicious content is in an area that is displayed to either many users or particularly interesting users. Interesting users typically have elevated privileges in the application or interact with sensitive data that is valuable to the attacker. If one of these users executes malicious content, the attacker may be able to perform privileged operations on behalf of the user or gain access to sensitive data belonging to the user. For example, the attacker might inject XSS into a log message, which might not be handled properly when an administrator views the logs.

Type 0: DOM-Based XSS - In DOM-based XSS, the client performs the injection of XSS into the page; in the other types, the server performs the injection. DOM-based XSS generally involves server-controlled, trusted script that is sent to the client, such as JavaScript that performs sanity checks on a form before the user submits it. If the server-supplied script processes user-supplied data and then injects it back into the web page (such as with dynamic HTML), then DOM-based XSS is possible.

Once the malicious script is injected, the attacker can perform a variety of malicious activities. The attacker could transfer private information, such as cookies that may include session information, from the victim's machine to the attacker. The attacker could send malicious requests to a web site on behalf of the victim, which could be especially dangerous to the site if the victim has administrator privileges to manage that site. Phishing attacks could be used to emulate trusted web sites and trick the victim into entering a password, allowing the attacker to compromise the victim's account on that web site. Finally, the script could exploit a vulnerability in the web browser itself possibly taking over the victim's machine, sometimes referred to as "drive-by hacking."

In many cases, the attack can be launched without the victim even being aware of it. Even with careful users, attackers frequently use a variety of methods to encode the malicious portion of the attack, such as URL encoding or Unicode, so the request looks less suspicious.

Background

Same Origin Policy: The same origin policy states that browsers should limit the resources accessible to scripts running on a given web site, or "origin", to the resources associated with that web site on the client-side, and not the client-side resources of any other sites or "origins". The goal is to prevent one site from being able to modify or read the contents of an unrelated site. Since the World Wide Web involves interactions between many sites, this policy is important for browsers to enforce.

Domain: The Domain of a website when referring to XSS is roughly equivalent to the resources associated with that website on the client-side of the connection. That is, the domain can be thought of as all resources the browser is storing for the user's interactions with this particular site.

Consequences

Scope | Impact | Notes
Access Control | Bypass Protection Mechanism; Read Application Data | The most common attack performed with cross-site scripting involves the disclosure of information stored in user cookies. Typically, a malicious user will craft a client-side script, which -- when parsed by a web browser -- performs some activity (such as sending all site cookies to a given E-mail address). This script will be loaded and run by each user visiting the web site. Since the site requesting to run the script has access to the cookies in question, the malicious script does also.
Integrity | Execute Unauthorized Code or Commands | In some circumstances it may be possible to run arbitrary code on a victim's computer when cross-site scripting is combined with other flaws.
Confidentiality | Execute Unauthorized Code or Commands; Bypass Protection Mechanism; Read Application Data | The consequence of an XSS attack is the same regardless of whether it is stored or reflected. The difference is in how the payload arrives at the server. XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise. Some cross-site scripting vulnerabilities can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on the end user systems for a variety of nefarious purposes. Other damaging attacks include the disclosure of end user files, installation of Trojan horse programs, redirecting the user to some other page or site, running "Active X" controls (under Microsoft Internet Explorer) from sites that a user perceives as trustworthy, and modifying presentation of content.

Table 99: CWE ID 79 consequences

Mitigation

Architecture and Design:
Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket;
Implementation:
Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the: HTML body; element attributes (such as src="XYZ"); URIs; JavaScript sections; Cascading Style Sheets and style property; etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed;
Architecture and Design:
Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies,
anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL
components, e-mail, files, filenames, databases, and any external systems that provide data to the application.
Remember that such inputs may be obtained indirectly through API calls;
Architecture and Design:
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server
side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks
have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values
would be submitted to the server;
Architecture and Design:
If available, use structured mechanisms that automatically enforce the separation between data and code. These
mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying
on the developer to provide this capability at every point where output is generated;
Implementation:
Use and specify an output encoding that can be handled by the downstream component that is reading the output.
Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream
component may choose a different encoding, either by assuming a default encoding or automatically inferring which
encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component
might treat some character or byte sequences as special, even if they are not special in the original encoding.
Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to
bypass protection mechanisms that assume the original encoding is also being used by the downstream
component. The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in
an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to
subtle XSS attacks;
Implementation:
With Struts, write all data from form beans with the bean's filter attribute set to true;
Implementation:
To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that
support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent
the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a
complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other
powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the
HttpOnly flag is set;
Implementation:
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When dynamically constructing web pages, use stringent allowlists that limit the character set based on the expected value of the parameter in the request. All input should be validated and cleansed, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. It is common to see data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended. Note that proper output encoding, escaping, and quoting is the most effective solution for preventing XSS, although input validation may provide some defense-in-depth. This is because it effectively limits what will appear in output. Input validation will not always prevent XSS, especially if you are required to support free-form text fields that could contain arbitrary characters. For example, in a chat application, the heart emoticon ("<3") would likely pass the validation step, since it is commonly used. However, it cannot be directly inserted into the web page because it contains the "<" character, which would need to be escaped or otherwise handled. In this case, stripping the "<" might reduce the risk of XSS, but it would produce incorrect behavior because the emoticon would not be recorded. This might seem to be a minor inconvenience, but it would be more important in a mathematical forum that wants to represent inequalities. Even if you make a mistake in your validation (such as forgetting one out of 100 input fields), appropriate encoding is still likely to protect you from injection-based attacks. As long as it is not done in isolation, input validation is still a useful technique, since it may significantly reduce your attack surface, allow you to detect some attacks, and provide other security benefits that proper encoding does not address. Ensure that you perform input validation at well-defined interfaces within the application. This will help protect the application even if a component is reused or moved elsewhere;
Architecture and Design:
When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of
fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs;
Operation:
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the
code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more
comprehensive software assurance measures are applied, or to provide defense in depth;
Operation:
When using PHP, configure the application so that it does not use register_globals. During implementation, develop
the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that
is subject to weaknesses such as CWE-95, CWE-621, and similar issues.

CVE-2013-5548 MEDIUM

CVSS v2 Rating

Score: 4.3 (Medium)


Base: AV:N/AC:M/Au:N/C:N/I:P/A:N (4.3)
Temporal: E:ND/RL:ND/RC:ND (4.3)
Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND (4.3)

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

The IKEv2 implementation in Cisco IOS, when AES-GCM or AES-GMAC is used, allows remote attackers to bypass certain IPsec
anti-replay features via IPsec tunnel traffic, aka Bug ID CSCuj47795.

References
CISCO - 20131029 Internet Key Exchange Version 2 Anti-replay Protection Disabled Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5548 (Vendor Advisory)

CVE-2013-6694 MEDIUM

CVSS v2 Rating

Score: 4.3 (Medium)


Base: AV:N/AC:M/Au:N/C:N/I:N/A:P (4.3)
Temporal: E:ND/RL:ND/RC:ND (4.3)
Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND (4.3)

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

The IPSec implementation in Cisco IOS allows remote attackers to cause a denial of service (MTU change and tunnel-session drop)
via crafted ICMP packets, aka Bug ID CSCul29918.

References

CISCO - 20131122 Cisco IOS Software IPSec MTU Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-6694 (Vendor Advisory)

Common Weakness Information

Invictux performed a lookup of the CWE details as part of the vulnerability audit. This section details that information for
this finding.

Improper Input Validation

Information

CWE ID : 20
Likelihood : High
Related : Child of CWE ID 707, A peer of CWE ID 345, Can precede CWE ID 22, Can precede CWE ID 41, Can precede
CWE ID 74, Can precede CWE ID 119, Can precede CWE ID 770
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are
required to process the data safely and correctly.

Detail

Input validation is a frequently-used technique for checking potentially dangerous inputs in order to ensure that the inputs are safe for processing within the code, or when communicating with other components. When software does not validate input properly, an attacker is able to craft the input in a form that is not expected by the rest of the application. This will lead to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution.

Input validation is not the only technique for processing input, however. Other techniques attempt to transform potentially-dangerous input into something safe, such as filtering (CWE-790) - which attempts to remove dangerous inputs - or encoding/escaping (CWE-116), which attempts to ensure that the input is not misinterpreted when it is included in output to another component. Other techniques exist as well (see CWE-138 for more examples.)

Input validation can be applied to:

- raw data - strings, numbers, parameters, file contents, etc.
- metadata - information about the raw data, such as headers or size

Data can be simple or structured. Structured data can be composed of many nested layers, composed of combinations of metadata and raw data, with other simple or structured data.

Many properties of raw data or metadata may need to be validated upon entry into the code, such as:

- specified quantities such as size, length, frequency, price, rate, number of operations, time, etc.
- implied or derived quantities, such as the actual size of a file instead of a specified size
- indexes, offsets, or positions into more complex data structures
- symbolic keys or other elements into hash tables, associative arrays, etc.
- well-formedness, i.e. syntactic correctness - compliance with expected syntax
- lexical token correctness - compliance with rules for what is treated as a token
- specified or derived type - the actual type of the input (or what the input appears to be)
- consistency - between individual data elements, between raw data and metadata, between references, etc.
- conformance to domain-specific rules, e.g. business logic
- equivalence - ensuring that equivalent inputs are treated the same
- authenticity, ownership, or other attestations about the input, e.g. a cryptographic signature to prove the source of the data

Implied or derived properties of data must often be calculated or inferred by the code itself. Errors in deriving properties may be considered a contributing factor to improper input validation. Note that "input validation" has very different meanings to different people, or within different classification schemes. Caution must be used when referencing this CWE entry or mapping to it. For example, some weaknesses might involve inadvertently giving control to an attacker over an input when they should not be able to provide an input at all, but sometimes this is referred to as input validation.

Finally, it is important to emphasize that the distinctions between input validation and output escaping are often blurred, and developers must be careful to understand the difference, including how input validation is not always sufficient to prevent vulnerabilities, especially when less stringent data types must be supported, such as free-form text. Consider a SQL injection scenario in which a person's last name is inserted into a query. The name "O'Reilly" would likely pass the validation step since it is a common last name in the English language. However, this valid name cannot be directly inserted into the database because it contains the "'" apostrophe character, which would need to be escaped or otherwise transformed. In this case, removing the apostrophe might reduce the risk of SQL injection, but it would produce incorrect behavior because the wrong name would be recorded.

Consequences

Scope | Impact | Notes
Availability | DoS: Crash, Exit, or Restart; DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory) | An attacker could provide unexpected values and cause a program crash or excessive consumption of resources, such as memory and CPU.
Confidentiality | Read Memory; Read Files or Directories | An attacker could read confidential data if they are able to control resource references.
Integrity | Modify Memory; Execute Unauthorized Code or Commands | An attacker could use malicious input to modify data or possibly alter control flow in unexpected ways, including arbitrary command execution.

Table 100: CWE ID 20 consequences

Mitigation

Architecture and Design:


Consider using language-theoretic security (LangSec) techniques that characterize inputs using a formal language and
build "recognizers" for that language. This effectively requires parsing to be a distinct layer that effectively enforces a
boundary between raw input and internal data representations, instead of allowing parser code to be scattered
throughout the program, where it could be subject to errors or inconsistencies that create weaknesses. [REF-1109]
[REF-1110] [REF-1111];
Architecture and Design:
Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework
does not automatically address all input validation problems; be mindful of weaknesses that could arise from
misusing the framework itself (CWE-1173);
Architecture and Design:
Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies,
anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL
components, e-mail, files, filenames, databases, and any external systems that provide data to the application.
Remember that such inputs may be obtained indirectly through API calls;
Implementation:
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright;
Architecture and Design:
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server
side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks
have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values
would be submitted to the server. Even though client-side checks provide minimal benefits with respect to server-side
security, they are still useful. First, they can support intrusion detection. If the server receives input that should have
been rejected by the client, then it may be an indication of an attack. Second, client-side error-checking can provide
helpful feedback to the user about the expectations for valid input. Third, there may be a reduction in server-side
processing time for accidental input errors, although this is typically a small savings;
Implementation:
When your application combines data from multiple sources, perform the validation after the sources have been
combined. The individual data elements may pass the validation step but violate the intended restrictions after they
have been combined;
Implementation:
Be especially careful to validate all input when invoking code that crosses language boundaries, such as from an
interpreted language to native code. This could create an unexpected interaction between the language boundaries.
Ensure that you are not violating any of the expectations of the language with which you are interfacing. For example,
even though Java may not be susceptible to buffer overflows, providing a large argument in a call to native code
might trigger an overflow;
Implementation:
Directly convert your input type into the expected data type, such as using a conversion function that translates a
string into a number. After converting to the expected data type, ensure that the input's values fall within the
expected range of allowable values and that multi-field consistencies are maintained;
Implementation:
Inputs should be decoded and canonicalized to the application's current internal representation before being
validated (CWE-180, CWE-181). Make sure that your application does not inadvertently decode the same input twice
(CWE-174). Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have
been checked. Use libraries such as the OWASP ESAPI Canonicalization control. Consider performing repeated
canonicalization until your input does not change any more. This will avoid double-decoding and similar scenarios,
but it might inadvertently modify inputs that are allowed to contain properly-encoded dangerous content;
Implementation:
When exchanging data between components, ensure that both components are using the same character encoding.
Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the
protocol allows you to do so.

CVE-1999-0524 LOW

CVSS v2 Rating

Score: 2.1 (Low)


Base: AV:L/AC:L/Au:N/C:P/I:N/A:N (2.1)
Temporal: E:ND/RL:ND/RC:ND (2.1)
Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND (2.1)

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

ICMP information such as (1) netmask and (2) timestamp is allowed from arbitrary hosts.

References

MISC - http://descriptions.securescout.com/tc/11010 http://descriptions.securescout.com/tc/11010 (Broken Link)


MISC - http://descriptions.securescout.com/tc/11011 http://descriptions.securescout.com/tc/11011 (Broken Link)
MISC - http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=1434
http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=1434 (Third Party Advisory)
OSVDB - 95 http://www.osvdb.org/95 (Broken Link)
CONFIRM - https://kc.mcafee.com/corporate/index?page=content&id=SB10053 https://kc.mcafee.com/corporate/index?
page=content&id=SB10053 (Broken Link)
CONFIRM - http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705 http://kb.juniper.net/InfoCenter/index?
page=content&id=JSA10705 (Third Party Advisory)
XF - icmp-timestamp(322) https://exchange.xforce.ibmcloud.com/vulnerabilities/322 (Third Party Advisory, VDB Entry)
XF - icmp-netmask(306) https://exchange.xforce.ibmcloud.com/vulnerabilities/306 (Third Party Advisory, VDB Entry)

Common Weakness Information

Invictux performed a lookup of the CWE details as part of the vulnerability audit. This section details that information for
this finding.

Exposure of Sensitive Information to an Unauthorized Actor

Information

CWE ID : 200
Likelihood : High
Related : Child of CWE ID 668

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Detail

There are many different kinds of mistakes that introduce information exposures. The severity of the error can range widely, depending on the context in which the product operates, the type of sensitive information that is revealed, and the benefits it may provide to an attacker. Some kinds of sensitive information include:

- private, personal information, such as personal messages, financial data, health records, geographic location, or contact details
- system status and environment, such as the operating system and installed packages
- business secrets and intellectual property
- network status and configuration
- the product's own code or internal state
- metadata, e.g. logging of connections or message headers
- indirect information, such as a discrepancy between two internal operations that can be observed by an outsider

Information might be sensitive to different parties, each of which may have their own expectations for whether the information should be protected. These parties include:

- the product's own users
- people or organizations whose information is created or used by the product, even if they are not direct product users
- the product's administrators, including the admins of the system(s) and/or networks on which the product operates
- the developer

Information exposures can occur in different ways:

- the code explicitly inserts sensitive information into resources or messages that are intentionally made accessible to unauthorized actors, but should not contain the information - i.e., the information should have been "scrubbed" or "sanitized"
- a different weakness or mistake indirectly inserts the sensitive information into resources, such as a web script error revealing the full system path of the program.
- the code manages resources that intentionally contain sensitive information, but the resources are unintentionally made accessible to unauthorized actors. In this case, the information exposure is resultant - i.e., a different weakness enabled the access to the information in the first place.

It is common practice to describe any loss of confidentiality as an "information exposure," but this can lead to overuse of CWE-200 in CWE mapping. From the CWE perspective, loss of confidentiality is a technical impact that can arise from dozens of different weaknesses, such as insecure file permissions or out-of-bounds read. CWE-200 and its lower-level descendants are intended to cover the mistakes that occur in behaviors that explicitly manage, store, transfer, or cleanse sensitive information.

Consequences
Scope Impact Notes

Confidentiality Read Application Data

Table 101: CWE ID 200 consequences

Mitigation

Architecture and Design:

Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

CVE-2007-5549 LOW

CVSS v2 Rating

Score: 2.1 (Low)


Base: AV:L/AC:L/Au:N/C:P/I:N/A:N (2.1)
Temporal: E:ND/RL:ND/RC:ND (2.1)
Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND (2.1)

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local

Description

Unspecified vulnerability in Command EXEC in Cisco IOS allows local users to bypass command restrictions and obtain sensitive
information via an unspecified "variation of an IOS command" involving "two different methods", aka CSCsk16129. NOTE: as of
20071016, the only disclosure is a vague pre-advisory with no actionable information. However, since it is from a well-known
researcher, it is being assigned a CVE identifier for tracking purposes.

References

MISC - http://www.irmplc.com/index.php/111-Vendor-Alerts

OSVDB - 45363 http://osvdb.org/45363

Common Weakness Information


Invictux performed a lookup of the CWE details as part of the vulnerability audit. This section details that information for
this finding.

Exposure of Sensitive Information to an Unauthorized Actor

Information

CWE ID : 200
Likelihood : High
Related : Child of CWE ID 668

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Detail

There are many different kinds of mistakes that introduce information exposures. The severity of the error can range widely, depending on the context in which the product operates, the type of sensitive information that is revealed, and the benefits it may provide to an attacker. Some kinds of sensitive information include:

- private, personal information, such as personal messages, financial data, health records, geographic location, or contact details
- system status and environment, such as the operating system and installed packages
- business secrets and intellectual property
- network status and configuration
- the product's own code or internal state
- metadata, e.g. logging of connections or message headers
- indirect information, such as a discrepancy between two internal operations that can be observed by an outsider

Information might be sensitive to different parties, each of which may have their own expectations for whether the information should be protected. These parties include:

- the product's own users
- people or organizations whose information is created or used by the product, even if they are not direct product users
- the product's administrators, including the admins of the system(s) and/or networks on which the product operates
- the developer

Information exposures can occur in different ways:

- the code explicitly inserts sensitive information into resources or messages that are intentionally made accessible to unauthorized actors, but should not contain the information - i.e., the information should have been "scrubbed" or "sanitized"
- a different weakness or mistake indirectly inserts the sensitive information into resources, such as a web script error revealing the full system path of the program
- the code manages resources that intentionally contain sensitive information, but the resources are unintentionally made accessible to unauthorized actors. In this case, the information exposure is resultant - i.e., a different weakness enabled the access to the information in the first place

It is common practice to describe any loss of confidentiality as an "information exposure," but this can lead to overuse of CWE-200 in CWE mapping. From the CWE perspective, loss of confidentiality is a technical impact that can arise from dozens of different weaknesses, such as insecure file permissions or out-of-bounds read. CWE-200 and its lower-level descendants are intended to cover the mistakes that occur in behaviors that explicitly manage, store, transfer, or cleanse sensitive information.

Consequences

Scope Impact Notes

Confidentiality Read Application Data

Table 102: CWE ID 200 consequences


Mitigation

Architecture and Design:

Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Conclusions
Invictux performed a software vulnerability audit on Wednesday, December 11, 2024. The audit was a comparison between the
device version details and those detailed in the NVD to identify any known vulnerabilities in the software currently being used.

Invictux identified 42 vulnerabilities of which the highest was rated as critical.

CVE Rating Devices Section

CVE-2007-5552 9.3 JED-DC-CORE-SW.catrion.local CVE-2007-5552

CVE-2020-3426 9.1 JED-DC-CORE-SW.catrion.local CVE-2020-3426

CVE-2018-0172 8.6 JED-DC-CORE-SW.catrion.local CVE-2018-0172

CVE-2020-3475 8.1 JED-DC-CORE-SW.catrion.local CVE-2020-3475

CVE-1999-0293 7.5 JED-DC-CORE-SW.catrion.local CVE-1999-0293

CVE-2018-0154 7.5 JED-DC-CORE-SW.catrion.local CVE-2018-0154

CVE-2020-3479 7.5 JED-DC-CORE-SW.catrion.local CVE-2020-3479

CVE-2022-20726 7.5 JED-DC-CORE-SW.catrion.local CVE-2022-20726

CVE-2007-5551 7.1 JED-DC-CORE-SW.catrion.local CVE-2007-5551

CVE-2008-4609 7.1 JED-DC-CORE-SW.catrion.local CVE-2008-4609

CVE-2008-4963 7.1 JED-DC-CORE-SW.catrion.local CVE-2008-4963

CVE-2013-5469 7.1 JED-DC-CORE-SW.catrion.local CVE-2013-5469

CVE-2014-7998 7.1 JED-DC-CORE-SW.catrion.local CVE-2014-7998

CVE-2007-5548 6.9 JED-DC-CORE-SW.catrion.local CVE-2007-5548

CVE-2008-5230 6.8 JED-DC-CORE-SW.catrion.local CVE-2008-5230

CVE-2013-1217 6.8 JED-DC-CORE-SW.catrion.local CVE-2013-1217

CVE-2013-5522 6.8 JED-DC-CORE-SW.catrion.local CVE-2013-5522

CVE-2014-3299 6.8 JED-DC-CORE-SW.catrion.local CVE-2014-3299

CVE-2015-0598 6.8 JED-DC-CORE-SW.catrion.local CVE-2015-0598

CVE-2013-1241 6.3 JED-DC-CORE-SW.catrion.local CVE-2013-1241

CVE-2013-6705 6.1 JED-DC-CORE-SW.catrion.local CVE-2013-6705

CVE-2014-2131 6.1 JED-DC-CORE-SW.catrion.local CVE-2014-2131



CVE-2014-3273 6.1 JED-DC-CORE-SW.catrion.local CVE-2014-3273

CVE-2014-7997 6.1 JED-DC-CORE-SW.catrion.local CVE-2014-7997

CVE-2013-5499 5.7 JED-DC-CORE-SW.catrion.local CVE-2013-5499

CVE-2013-5527 5.7 JED-DC-CORE-SW.catrion.local CVE-2013-5527

CVE-2015-0632 5.7 JED-DC-CORE-SW.catrion.local CVE-2015-0632

CVE-2013-1100 5.4 JED-DC-CORE-SW.catrion.local CVE-2013-1100

CVE-2000-0486 5.0 JED-DC-CORE-SW.catrion.local CVE-2000-0486

CVE-2006-3906 5.0 JED-DC-CORE-SW.catrion.local CVE-2006-3906

CVE-2007-5550 5.0 JED-DC-CORE-SW.catrion.local CVE-2007-5550

CVE-2013-3436 5.0 JED-DC-CORE-SW.catrion.local CVE-2013-3436

CVE-2014-3309 5.0 JED-DC-CORE-SW.catrion.local CVE-2014-3309

CVE-2014-7992 5.0 JED-DC-CORE-SW.catrion.local CVE-2014-7992

CVE-2015-0659 5.0 JED-DC-CORE-SW.catrion.local CVE-2015-0659

CVE-2015-0606 4.9 JED-DC-CORE-SW.catrion.local CVE-2015-0606

CVE-2013-1136 4.6 JED-DC-CORE-SW.catrion.local CVE-2013-1136

CVE-2007-5547 4.3 JED-DC-CORE-SW.catrion.local CVE-2007-5547

CVE-2013-5548 4.3 JED-DC-CORE-SW.catrion.local CVE-2013-5548

CVE-2013-6694 4.3 JED-DC-CORE-SW.catrion.local CVE-2013-6694

CVE-1999-0524 2.1 JED-DC-CORE-SW.catrion.local CVE-1999-0524

CVE-2007-5549 2.1 JED-DC-CORE-SW.catrion.local CVE-2007-5549

Table 103: Identified vulnerabilities

[Figure panels: Severity Classification; Vulnerability Classification]

New vulnerabilities are constantly being discovered and reported, which makes it important to keep the vulnerability database up to date. The database used for this audit was last updated on Monday, September 30, 2024, roughly ten weeks before the audit date, so the database should be refreshed and the comparison re-run before these results are relied on.

It is worth noting that although a software vulnerability may be present, it may not be exploitable without the device being in a specific configuration. The vulnerability database only contains publicly known vulnerabilities and not undisclosed issues known only to the manufacturer and third parties; the database may also not contain all affected software versions. The converse also applies: a number of the entries in Table 103 date from 1999 to 2008 and were matched against a version recorded only as "IOS 17.9", so each entry should be confirmed against the vendor advisory linked in its finding before it is treated as present on the device.

Recommendations

Regardless of the number of vulnerabilities identified, they will typically all be resolved by following the recommendations listed below.

1. Invictux recommends that the latest software updates should be applied to all devices.
2. Invictux recommends that the current patching policy should be reviewed. That review should include the scheduling of updates and whether automation can be used to deploy updated versions, while recognising that automation may not be achievable for all devices.
3. Finally, Invictux recommends that all devices are regularly audited against the latest vulnerability databases to identify any systems that may be at risk.
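The comparison step described in the conclusions and in recommendation 3, as an added example that is not the audit tool's own code: it parses Cisco IOS XE version strings and classifies one device version against NVD-style version ranges. The database entries (sample-1 to sample-3), their bounds and all helper names are constructed for illustration and do not correspond to any real advisory. The point it makes is that a product-only entry, or a device version recorded only as "IOS 17.9" with no rebuild number, cannot be settled by the lookup and has to be verified against the vendor advisory.

```python
"""Added example, not the audit tool's own code: the version comparison behind
an NVD-style lookup, so that a reader can see what a hit in Table 103 does and
does not establish. SAMPLE_DB holds constructed placeholders, not real
advisories; only their shape (CPE-style start/end bounds) mirrors NVD."""
import re

# Constructed: 'start_incl'/'end_excl' follow NVD's versionStartIncluding /
# versionEndExcluding. An entry with no bounds matches on product name alone.
SAMPLE_DB = [
    {"id": "sample-1", "start_incl": "17.9.1", "end_excl": "17.9.4a"},
    {"id": "sample-2", "start_incl": "17.6.1", "end_excl": "17.12.1"},
    {"id": "sample-3", "start_incl": None, "end_excl": None},
]


def parse_ios_version(text):
    """'17.9.4a' -> ((0,17),(0,9),(0,4),(1,'a')) so tuples sort numerically
    (17.10 > 17.9) and a rebuild suffix sorts after the plain rebuild.
    Assumption: IOS XE dotted versions; classic '15.2(4)E7' is tokenised the
    same way and compares sensibly only within one train."""
    return tuple((0, int(t)) if t.isdigit() else (1, t.lower())
                 for t in re.findall(r"\d+|[A-Za-z]+", text))


def classify(version, entry):
    """'affected', 'not affected' or 'verify'. 'verify' covers the two cases an
    automated match cannot settle: a product-only entry (no version bounds) and
    a device version with no rebuild number, like the 'IOS 17.9' in Table 1."""
    if entry["start_incl"] is None and entry["end_excl"] is None:
        return "verify"
    v = parse_ios_version(version)
    if sum(1 for kind, _ in v if kind == 0) < 3:
        return "verify"
    if entry["start_incl"] and v < parse_ios_version(entry["start_incl"]):
        return "not affected"
    if entry["end_excl"] and v >= parse_ios_version(entry["end_excl"]):
        return "not affected"
    return "affected"


def audit_version(version, db=SAMPLE_DB):
    """Map each database entry to its classification for one device version."""
    return {e["id"]: classify(version, e) for e in db}


if __name__ == "__main__":
    for ver in ("17.9", "17.9.4", "17.9.4a", "17.12.2"):
        print(ver, audit_version(ver))
```

Running the script shows that "17.9" returns "verify" for every entry, which is exactly the state of the audit scope in Table 1: until the full running version (for example from show version) is recorded, none of the range matches in Table 103 can be confirmed or dismissed automatically.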

CIS - Excluded Devices

Introduction

The following devices were excluded from the CIS Security Benchmark:

Device Name OS

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local IOS 17.9

Table 104: CIS - Excluded Devices audit devices

NIST SP 800-53

Introduction
The NIST ITL promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and
standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses
to advance the development and productive use of IT. ITL’s responsibilities include the development of management, administrative,
technical, and physical standards and guidelines for the cost-effective security of other than national security-related information in
federal information systems. The Special Publication 800-series reports on ITL’s research, guidelines, and outreach efforts in
information systems security and privacy and its collaborative activities with industry, government, and academic organizations.

NIST 800-53 provides a catalog of security and privacy controls for information systems and organizations to protect organizational
operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile
attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks. The controls are flexible and
customizable and implemented as part of an organization-wide process to manage risk. The controls address diverse requirements
derived from mission and business needs, laws, executive orders, directives, regulations, policies, standards, and guidelines. Finally,
the consolidated control catalog addresses security and privacy from a functionality perspective (i.e., the strength of functions and
mechanisms provided by the controls) and from an assurance perspective (i.e., the measure of confidence in the security or privacy
capability provided by the controls). Addressing functionality and assurance helps to ensure that information technology products
and the systems that rely on those products are sufficiently trustworthy.

There are three security control baselines (one for each system impact level—low-impact, moderate-impact, and high-impact), as
well as a privacy baseline that is applied to systems irrespective of impact level.

Invictux performed a NIST SP 800-53 audit on Wednesday, December 11, 2024 of the device detailed in Table 105.

Device Name OS

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local IOS 17.9

Table 105: NIST SP 800-53 audit devices

Access Control [AC]

AC-2 Account Management

Control

(a) Define and document the types of accounts allowed and specifically prohibited for use within the system;
(b) Assign account managers;
(c) Require [Assignment: organization-defined prerequisites and criteria] for group and role membership;
(d) Specify:
1. Authorized users of the system;
2. Group and role membership; and
3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account;
(e) Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts;
(f) Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy,
procedures, prerequisites, and criteria];
(g) Monitor the use of accounts;
(h) Notify account managers and [Assignment: organization-defined personnel or roles] within:
1. [Assignment: organization-defined time period] when accounts are no longer required;
2. [Assignment: organization-defined time period] when users are terminated or transferred; and
3. [Assignment: organization-defined time period] when system usage or need-to-know changes for an individual;
(i) Authorize access to the system based on:
1. A valid access authorization;
2. Intended system usage; and
3. [Assignment: organization-defined attributes (as required)];
(j) Review accounts for compliance with account management requirements [Assignment: organization-defined frequency];
(k) Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are
removed from the group; and
(l) Align account management processes with personnel termination and transfer processes.

Discussion

Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer,
temporary, and service. Identification of authorized system users and the specification of access privileges reflect the
requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive
additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including
system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. Types
of accounts that organizations may wish to prohibit due to increased risk include shared, group, emergency, anonymous,
temporary, and guest accounts.

Where access involves personally identifiable information, security programs collaborate with the senior agency official for
privacy to establish the specific conditions for group and role membership; specify authorized users, group and role
membership, and access authorizations for each account; and create, adjust, or remove system accounts in accordance with
organizational policies. Policies can include such information as account expiration dates or other factors that trigger the
disabling of accounts. Organizations may choose to define access privileges or other attributes by account, type of account, or
a combination of the two. Examples of other attributes required for authorizing access include restrictions on time of day, day
of week, and point of origin. In defining other system account attributes, organizations consider system-related requirements
and mission/business requirements. Failure to consider these factors could affect system availability.

Temporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as part of
normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in
account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid
account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency
and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for
special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain
available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts
include when shared/group, emergency, or temporary accounts are no longer required and when individuals are transferred or
terminated. Changing shared/group authenticators when members leave the group is intended to ensure that former group
members do not retain access to the shared or group account. Some types of system accounts may require specialized
training.

AC-2(4) Automated Audit Actions FAIL

DISA STIG Rating

Category: CAT-II

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Fail)

Control: AC-2(4)
Defined Testing Requirements: Automatically audit account creation, modification, enabling, disabling, and removal actions.
Result Rating: DISA STIG Rating: CAT-II

Table 107: Test Summary AC-2(4)

Description

Automatically audit account creation, modification, enabling, disabling, and removal actions.
Discussion

Account management audit records are defined in accordance with AU-2 and reviewed, analyzed, and reported in
accordance with AU-6.

Findings

JED-DC-CORE-SW.catrion.local

Check: Log Config Changes Enabled
Description: Invictux examined the device configuration to determine if the log configuration changes option was enabled.
Findings: Invictux determined that JED-DC-CORE-SW.catrion.local was configured to not log configuration changes.
Result: Fail

Table 107: Findings for JED-DC-CORE-SW.catrion.local

AC-2(7a) Privileged User Accounts FAIL

DISA STIG Rating

Category: CAT-II

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Fail)

Control: AC-2(7a)
Defined Testing Requirements: Establish and administer privileged user accounts in accordance with [Selection: a role-based access scheme; an attribute-based access scheme]
Result Rating: DISA STIG Rating: CAT-II

Table 108: Test Summary AC-2(7a)

Description

Establish and administer privileged user accounts in accordance with [Selection: a role-based access scheme; an attribute-
based access scheme]

Discussion
Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain
security-relevant functions that ordinary users are not authorized to perform. Privileged roles include key management,
account management, database administration, system and network administration, and web administration. A role-based
access scheme organizes permitted system access and privileges into roles. In contrast, an attribute-based access scheme
specifies allowed system access and privileges based on attributes.

Findings

JED-DC-CORE-SW.catrion.local

Check: Check Number of Local Users
Description: Invictux examined the device configuration to determine if the number of local users was 1, excluding level change credentials and any built-in user accounts. Any user accounts that are not usable (i.e. disabled or expired) are excluded from the count.
Findings: See Table: "Local users". Five usable local accounts were found, four of them at privilege level 15, against the expected single local account of last resort.
Result: Fail

Table 109: Findings for JED-DC-CORE-SW.catrion.local

User Enabled Password Privilege Filter Policy

test Yes (ENCRYPTED) 5

malmalki Yes (ENCRYPTED) 15

radelarosa Yes (ENCRYPTED) 15

msamir Yes (ENCRYPTED) 15

joey Yes (ENCRYPTED) 15

Table 110: Local users

AC-4 Information Flow Enforcement

Control

Enforce approved authorizations for controlling the flow of information within the system and between connected systems
based on information flow control policies.

Discussion

Information flow control regulates where information can travel within a system and between systems (in contrast to who is
allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions
include blocking external traffic that claims to be from within the organization, keeping export-controlled information from
being transmitted in the clear to the Internet, restricting web requests that are not from the internal web proxy server, and
limiting information transfers between organizations based on data structures and content.
Transferring information between organizations may require an agreement specifying how the information flow is enforced
(see CA-3). Transferring information between systems in different security or privacy domains with different security or privacy
policies introduces the risk that such transfers violate one or more domain security or privacy policies. In such situations,
information owners/stewards provide guidance at designated policy enforcement points between connected systems.

Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement
includes prohibiting information transfers between connected systems (i.e., allowing access only), verifying write permissions
before accepting information from another security or privacy domain or connected system, employing hardware mechanisms
to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security or privacy
attributes and labels.

Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of
information between designated sources and destinations within systems and between connected systems. Flow control is
based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary
protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-
filtering capability based on header information, or provide a message-filtering capability based on message content.

Organizations also consider the trustworthiness of filtering and/or inspection mechanisms (i.e., hardware, firmware, and
software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address
cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow
enforcement mechanisms implemented in cross-domain products, such as high-assurance guards. Such capabilities are
generally not available in commercial off-the-shelf products. Information flow enforcement also applies to control plane traffic
(e.g., routing and DNS).

Further Information

Related Controls: AC-3, AC-6, AC-16, AC-17, AC-19, AC-21, AU-10, CA-3, CA-9, CM-7, PL-9, PM-24, SA-17, SC-4, SC-7, SC-16,
SC-31.

AC-4 Information Flow Enforcement INVESTIGATE

DISA STIG Rating

Category: CAT-II

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Investigate)

Control: AC-4
Defined Testing Requirements: Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on information flow control policies.
Result Rating: DISA STIG Rating: CAT-II

Table 111: Test Summary AC-4

Description
Enforce approved authorizations for controlling the flow of information within the system and between connected systems
based on information flow control policies.

Findings

JED-DC-CORE-SW.catrion.local

Check: SSH Service Host Restrictions OR Check Line Inbound ACL Filter Rules
Description: Invictux examined the device configuration to determine if the Secure Shell (SSH) service had been configured with access restrictions to limit network access to the service.
Findings: Invictux determined that the SSH service was disabled on JED-DC-CORE-SW.catrion.local. The SSH service is configured on administrative lines on Cisco Catalyst Switch devices. The following table describes those lines. See Table: "SSH administrative line on JED-DC-CORE-SW.catrion.local". The configuration of the administrative lines on JED-DC-CORE-SW.catrion.local is detailed below. See Table: "Administrative line settings on JED-DC-CORE-SW.catrion.local". Note that both line tables show SSH enabled on the VTY ranges; reconcile this with the "disabled" result on the device (show ip ssh) before acting on it.

Check: Check MSDP limit peer source active messages AND
Description: Invictux examined the device configuration to determine if it was configured to limit the number of accepted source active messages from all MSDP peers.
Findings: There was no MSDP configuration identified on JED-DC-CORE-SW.catrion.local.

Check: Check filtering on MSDP Peers AND
Findings: Invictux did not identify any MSDP configuration on JED-DC-CORE-SW.catrion.local.

Check: Check BGP Neighbors Deny Bogon Prefix AND
Description: Invictux examined the device configuration to determine if routing updates from Border Gateway Protocol (BGP) neighbors were configured with a prefix list that denies bogon Internet Protocol version 4 (IPv4) addresses.
Findings: Invictux did not identify any BGP configuration on JED-DC-CORE-SW.catrion.local.

Check: Check all PIM neighbors have a filter list AND
Description: Invictux examined the device configuration to determine if the device was configured with a filter list for all Protocol Independent Multicast (PIM) neighbors. The scope was further limited to those network interfaces with a PIM configuration.
Findings: There was no PIM configuration identified on JED-DC-CORE-SW.catrion.local.

Check: Potentially Unused Network Interfaces
Description: Invictux examined the device configuration to determine if the device had any potentially unused interfaces.
Findings: Invictux identified potentially unused network interfaces that were not disabled on JED-DC-CORE-SW.catrion.local. The potentially unused interfaces are described in the following table. See Table: "Potentially unused interfaces that were not disabled".

Table 112: Findings for JED-DC-CORE-SW.catrion.local

Line Access Login Level Password Telnet SSH Filter In Filter Out

VTY 0 - 4 Yes Line Password 1 CiscoAdmin No Yes 10

VTY 5 - 15 Yes Line Password 1 CiscoAdmin No Yes 10

Table 113: SSH administrative line on JED-DC-CORE-SW.catrion.local

Line Access Login Level Password Telnet SSH Filter In Filter Out

VTY 0 - 4 Yes Line Password 1 CiscoAdmin No Yes 10

VTY 5 - 15 Yes Line Password 1 CiscoAdmin No Yes 10

Table 114: Administrative line settings on JED-DC-CORE-SW.catrion.local

Both VTY ranges authenticate with the line password rather than per-user (login local) or AAA authentication, so one password is shared by every administrator and the line password is recoverable from the configuration, which is why it can be printed here. Rotate it and move the lines to AAA or login local; the inbound filter (access list 10) is present on both ranges.

Interface Class Active Unsecure Address Switchport Mode VLAN Description

Loopback0 Internal Yes Unknown No (Layer 3) N/A N/A

Table 115: Potentially unused interfaces that were not disabled

Loopback0 is commonly used as the OSPF router ID or as the source interface for management and logging traffic; confirm on the device (show running-config interface Loopback0) that it carries no address and is not referenced before shutting it down.

AC-4(8) Security and Privacy Policy Filters PASS

DISA STIG Rating

Category: CAT-III

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Pass)

Control: AC-4(8)
Defined Testing Requirements: (a) Enforce information flow control using [Assignment: organization-defined security or privacy policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows]; and (b) [Selection (one or more): Block; Strip; Modify; Quarantine] data after a filter processing failure in accordance with [Assignment: organization-defined security or privacy policy].
Result Rating: DISA STIG Rating: CAT-III

Table 116: Test Summary AC-4(8)


Description

(a) Enforce information flow control using [Assignment: organization-defined security or privacy policy filters] as a basis for
flow control decisions for [Assignment: organization-defined information flows]; and

(b) [Selection (one or more): Block; Strip; Modify; Quarantine] data after a filter processing failure in accordance with
[Assignment: organization-defined security or privacy policy].

Discussion

Organization- defined security or privacy policy filters can address data structures and content. For example, security or
privacy policy filters for data structures can check for maximum file lengths, maximum field sizes, and data/file types (for
structured and unstructured data). Security or privacy policy filters for data content can check for specific words,
enumerated values or data value ranges, and hidden content.

Structured data permits the interpretation of data content by applications. Unstructured data refers to digital information
without a data structure or with a data structure that does not facilitate the development of rule sets to address the impact
or classification level of the information conveyed by the data or the flow enforcement decisions. Unstructured data consists
of bitmap objects that are inherently non-language-based (i.e., image, video, or audio files) and textual objects that are
based on written or printed languages. Organizations can implement more than one security or privacy policy filter to meet
information flow control objectives.

Findings

JED-DC-CORE-SW.catrion.local

Check: Check Remote AS First Is Enforced
Description: Invictux examined the device configuration to determine if all BGP routing enforced the remote Autonomous Systems (AS) number as the first entry in the AS_PATH routing updates.
Findings: Invictux did not identify any BGP configuration on JED-DC-CORE-SW.catrion.local.
Result: Pass

Table 117: Findings for JED-DC-CORE-SW.catrion.local

AC-4(17) Domain Authentication FAIL

DISA STIG Rating

Category: CAT-II

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Fail)


Control: AC-4(17)
Defined Testing Requirements: Uniquely identify and authenticate source and destination points by [Selection (one or more): organization; system; application; service; individual] for information transfer.
Result Rating: DISA STIG Rating: CAT-II

Table 118: Test Summary AC-4(17)

Description

Uniquely identify and authenticate source and destination points by [Selection (one or more): organization; system;
application; service; individual] for information transfer.

Discussion

Attribution is a critical component of a security and privacy concept of operations. The ability to identify source and
destination points for information flowing within systems allows the forensic reconstruction of events and encourages
policy compliance by attributing policy violations to specific organizations or individuals. Successful domain authentication
requires that system labels distinguish among systems, organizations, and individuals involved in preparing, sending,
receiving, or disseminating information. Attribution also allows organizations to better maintain the lineage of personally
identifiable information processing as it flows through systems and can facilitate consent tracking, as well as correction,
deletion, or access requests from individuals.

Findings

JED-DC-CORE-SW.catrion.local

Check: Check all BGP neighbors authenticate AND
Description: Invictux examined the device configuration to determine if all BGP neighbors were configured to authenticate.
Findings: Invictux did not identify any BGP configuration on JED-DC-CORE-SW.catrion.local. Invictux identified no BGP routing on JED-DC-CORE-SW.catrion.local.

Check: Check all EIGRP routing updates are authenticated AND
Description: Invictux examined the device configuration to determine if Enhanced Interior Gateway Routing Protocol (EIGRP) was configured to authenticate all routing updates.
Findings: Invictux identified that no EIGRP was defined on JED-DC-CORE-SW.catrion.local.

Check: Check IS-IS authentication AND
Description: Invictux examined the device configuration to determine if all Intermediate System-to-Intermediate System (IS-IS) routing updates were configured to provide authentication.
Findings: Invictux did not identify any IS-IS configuration on JED-DC-CORE-SW.catrion.local.

Check: Check all OSPF routing interfaces authenticate
Description: Invictux examined the device configuration to determine if all Open Shortest Path First (OSPF) routing interfaces were configured to provide authentication. The scope was further limited to those network interfaces with an OSPF routing configuration.
Findings: Invictux identified the following OSPF routing configuration, applied to network interfaces, on JED-DC-CORE-SW.catrion.local. See Table: "OSPF authentication on interfaces". Every listed interface has an Auth Mode of None.
Result: Fail

Table 119: Findings for JED-DC-CORE-SW.catrion.local

Interface | Active | Passive | Area | Priority | Type | Auth Mode | SPI | Key | Route Cost | Hello Interval | Dead Interval

Port-channel1 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Port-channel2 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Port-channel3 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Port-channel4 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Port-channel5 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Port-channel6 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Port-channel7 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Port-channel8 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Port-channel9 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Port-channel10 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Port-channel11 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Port-channel12 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Port-channel13 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Port-channel14 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Port-channel15 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Port-channel16 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Port-channel17 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Port-channel18 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Port-channel19 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Port-channel20 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Port-channel21 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Port-channel22 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Port-channel25 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Port-channel26 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Port-channel27 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Port-channel28 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Port-channel30 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Port-channel31 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Port-channel100 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Port-channel101 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds

Table 120: OSPF authentication on interfaces

Interface | Active | Passive | Area | Priority | Type | Auth Mode | SPI | Key | Route Cost | Hello Interval | Dead Interval

TwentyFiveGigE1/0/1 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/2 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/3 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/4 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/5 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/6 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/7 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/8 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/9 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/10 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/11 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/12 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/13 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/14 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/15 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/16 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/17 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/18 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/19 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/20 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/21 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/22 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/23 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/24 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/25 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/26 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/27 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/28 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/29 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/30 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/31 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/32 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/33 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/34 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/35 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/36 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/37 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/38 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/39 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/40 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/41 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/42 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/43 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/44 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/45 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/46 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/47 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/48 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/1 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/2 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/3 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/4 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/5 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/6 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/7 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/8 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/9 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/10 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/11 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/12 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/13 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/14 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/15 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/16 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/17 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/18 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/19 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/20 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/21 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/22 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/23 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/24 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/25 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/26 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/27 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/28 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/29 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/30 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/31 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/32 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/33 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/34 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/35 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/36 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/37 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/38 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/39 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/40 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/41 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/42 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/43 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/44 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/45 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/46 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/47 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/48 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds

Table 121: OSPF authentication on interfaces

Interface | Active | Passive | Area | Priority | Type | Auth Mode | SPI | Key | Route Cost | Hello Interval | Dead Interval

HundredGigE1/0/49 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
HundredGigE1/0/50 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
HundredGigE1/0/51 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
HundredGigE1/0/52 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
HundredGigE2/0/49 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
HundredGigE2/0/50 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
HundredGigE2/0/51 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
HundredGigE2/0/52 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds

Table 122: OSPF authentication on interfaces

Interface | Active | Passive | Area | Priority | Type | Auth Mode | SPI | Key | Route Cost | Hello Interval | Dead Interval

Vlan1 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Vlan2 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Vlan99 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Vlan106 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Vlan276 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Vlan302 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Vlan306 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Vlan308 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Vlan310 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Vlan312 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Vlan313 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Vlan314 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Vlan316 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Vlan317 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Vlan728 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Vlan729 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 10 seconds | 40 seconds
Vlan730 | Yes | Yes | | 1 | Broadcast | None | N/A | | Default | 10 seconds | 40 seconds
Vlan1800 | Yes | Yes | | 1 | Point to Point | None | N/A | | Default | 10 seconds | 40 seconds
Vlan874 | Yes | No | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Vlan870 | Yes | No | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds
Vlan862 | Yes | No | | 1 | Broadcast | None | N/A | | Default | 0 seconds | 0 seconds

Table 123: OSPF authentication on interfaces

AC-6 Least Privilege


Control

Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that
are necessary to accomplish assigned organizational tasks.

Discussion

Organizations employ least privilege for specific duties and systems. The principle of least privilege is also applied to system
processes, ensuring that the processes have access to systems and operate at privilege levels no higher than necessary to
accomplish organizational missions or business functions. Organizations consider the creation of additional processes, roles,
and accounts as necessary to achieve least privilege. Organizations apply least privilege to the development, implementation,
and operation of organizational systems.

Further Information

Related Controls: AC-2, AC-3, AC-5, AC-16, CM-5, CM-11, PL-2, PM-12, SA-8, SA-15, SA-17, SC-38.

AC-6(9) Log Use Of Privileged Functions FAIL

DISA STIG Rating

Category: CAT-II

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Fail)

Control Defined Testing Requirements Result Rating

AC-6(9) Log the execution of privileged functions. DISA STIG Rating : CAT-II

Table 124: Test Summary AC-6(9)

Description

Log the execution of privileged functions.

Discussion

The misuse of privileged functions, either intentionally or unintentionally by authorized users or by unauthorized external
entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse
impacts on organizations. Logging and analyzing the use of privileged functions is one way to detect such misuse and, in
doing so, help mitigate the risk from insider threats and the advanced persistent threat.

Findings

JED-DC-CORE-SW.catrion.local

Check | Description | Findings | Result

Log Config Changes Enabled | Invictux examined the device configuration to determine if the log configuration changes option was enabled. | Invictux determined that JED-DC-CORE-SW.catrion.local was configured to not log configuration changes. |

Table 125: Findings for JED-DC-CORE-SW.catrion.local

AC-7 Unsuccessful Logon Attempts

Control

(a) Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a
[Assignment: organization-defined time period]; and

(b) Automatically [Selection (one or more): lock the account or node for an [Assignment: organization-defined time period]; lock
the account or node until released by an administrator; delay next logon prompt per [Assignment: organization-defined delay
algorithm]; notify system administrator; take other [Assignment: organization-defined action]] when the maximum number of
unsuccessful attempts is exceeded.

Discussion

The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is
exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of
service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined,
organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different
components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be
implemented at the operating system and the application levels.

Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded
include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode
with limited user capabilities (instead of full lockout), allowing users to only logon from specified Internet Protocol (IP)
addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP
address, device, or Media Access Control (MAC) address. If automatic system lockout or execution of a delay algorithm is not
implemented in support of the availability objective, organizations consider a combination of other actions to help prevent
brute force attacks.

In addition to the above, organizations can prompt users to respond to a secret question before the number of allowed
unsuccessful logon attempts is exceeded. Automatically unlocking an account after a specified period of time is generally not
permitted. However, exceptions may be required based on operational mission or need.

AC-7(a) Unsuccessful Logon Attempts FAIL

DISA STIG Rating

Category: CAT-II

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Fail)

Control | Defined Testing Requirements | Result | Rating

AC-7(a) | Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period] | | DISA STIG Rating : CAT-II

Table 126: Test Summary AC-7(a)

Description

Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a
[Assignment: organization-defined time period]

Findings

JED-DC-CORE-SW.catrion.local

Check | Description | Findings | Result

Check Maximum Login Attempts | Invictux examined the device configuration to determine if the maximum number of failed login attempts on the device was set to three or less. | See Table: "Users on JED-DC-CORE-SW.catrion.local failed login attempt account lockout policy" |

Table 127: Findings for JED-DC-CORE-SW.catrion.local

User Finding Status

test The device was not configured to lock the account after failed login attempts. FAIL

malmalki The device was not configured to lock the account after failed login attempts. FAIL

radelarosa The device was not configured to lock the account after failed login attempts. FAIL

msamir The device was not configured to lock the account after failed login attempts. FAIL

joey The device was not configured to lock the account after failed login attempts. FAIL

Table 128: Users on JED-DC-CORE-SW.catrion.local failed login attempt account lockout policy

AC-8 System Use Notification

Control

(a) Display [Assignment: organization-defined system use notification message or banner] to users before granting access to the
system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations,
policies, standards, and guidelines and state that:
1. Users are accessing a U.S. Government system;
2. System usage may be monitored, recorded, and subject to audit;
3. Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and
4. Use of the system indicates consent to monitoring and recording;

(b) Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit
actions to log on to or further access the system; and

(c) For publicly accessible systems:

1. Display system use information [Assignment: organization-defined conditions], before granting further access to the publicly
accessible system;
2. Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such
systems that generally prohibit those activities; and
3. Include a description of the authorized uses of the system.

Discussion

System use notifications can be implemented using messages or warning banners displayed before individuals log in to
systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required
when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary
system use notification is needed to access applications or other system resources after the initial network logon.

Organizations consider system use notification messages or banners displayed in multiple languages based on organizational
needs and the demographics of system users. Organizations consult with the privacy office for input regarding privacy
messaging and the Office of the General Counsel or organizational equivalent for legal review and approval of warning banner
content.

AC-8(a) System Use Notification FAIL

DISA STIG Rating

Category: CAT-II

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Fail)

Control | Defined Testing Requirements | Result | Rating

AC-8(a) | Display [Assignment: organization-defined system use notification message or banner] to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that: 1. Users are accessing a U.S. Government system; 2. System usage may be monitored, recorded, and subject to audit; 3. Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and 4. Use of the system indicates consent to monitoring and recording | | DISA STIG Rating : CAT-II

Table 129: Test Summary AC-8(a)

Description

Display [Assignment: organization-defined system use notification message or banner] to users before granting access to the
system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations,
policies, standards, and guidelines and state that:
1. Users are accessing a U.S. Government system;
2. System usage may be monitored, recorded, and subject to audit;
3. Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and
4. Use of the system indicates consent to monitoring and recording

Findings

JED-DC-CORE-SW.catrion.local

Check | Description | Findings | Result

Check: Banner Match OR
Description: Invictux examined the device configuration to determine if the pre-login banner message was set to the following,
excluding punctuation: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use
only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG
routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing,
COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI)
investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on,
this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any
USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG
interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to
PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to
personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and
work product are private and confidential. See User Agreement for details.
Findings: The Login banner message on JED-DC-CORE-SW.catrion.local was:
CCCCCCCCC
****************************************************************************
* * * * * UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. * * * * You must have explicit permission to access or
configure this device. * * All activities performed on this device may be logged, and violations * * of this policy may result
in disciplinary action, and may be reported * * to law enforcement. There is no right to privacy on this device. * * Contact:
[email protected], Ext. 7000 * * * * *
****************************************************************************

Check: Banner Match OR
Description: Invictux examined the device configuration to determine if the pre-login banner message was set to the following,
excluding punctuation: I've read & consent to terms in IS user agreem't.
Findings: The Login banner message on JED-DC-CORE-SW.catrion.local was the same banner quoted above.

Check: Banner Match
Description: Invictux examined the device configuration to determine if the pre-login banner message was set to the following,
excluding punctuation: I've read and consent to terms in IS user agreem't.
Findings: The Login banner message on JED-DC-CORE-SW.catrion.local was the same banner quoted above.

Table 130: Findings for JED-DC-CORE-SW.catrion.local


AC-10 Concurrent Session Control

Control

Limit the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to
[Assignment: organization-defined number]

Discussion

Organizations may define the maximum number of concurrent sessions for system accounts globally, by account type, by
account, or any combination thereof. For example, organizations may limit the number of concurrent sessions for system
administrators or other individuals working in particularly sensitive domains or mission-critical applications. Concurrent session
control addresses concurrent sessions for system accounts. It does not, however, address concurrent sessions by single users
via multiple system accounts.

Further Information

Related Controls: SC-23

AC-10 Concurrent Session Control FAIL

DISA STIG Rating

Category: CAT-II

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Fail)

Control | Defined Testing Requirements | Result | Rating

AC-10 | Limit the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number] | | DISA STIG Rating : CAT-II

Table 131: Test Summary AC-10

Description

Limit the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to
[Assignment: organization-defined number]

Findings

JED-DC-CORE-SW.catrion.local

Check | Description | Findings | Result

Line Session Limit | Invictux examined the usable administrative lines to determine if the concurrent session limit for administration services is set to two sessions. | See Table: "Administrative lines on JED-DC-CORE-SW.catrion.local" |

Table 132: Findings for JED-DC-CORE-SW.catrion.local

Line | Access | Login | Callback | Exec Timeout | Absolute Timeout | Session Timeout | Login Timeout | Session Limit | Filter In | Filter Out

VTY 0 - 4 | Yes | Line Password | None | 10 minutes | None | None | 30 seconds | 10 | N/A |
VTY 5 - 15 | Yes | Line Password | None | 10 minutes | None | None | 30 seconds | 10 | N/A |

Table 133: Administrative lines on JED-DC-CORE-SW.catrion.local

AC-12 Session Termination

Control

Automatically terminate a user session after [Assignment: organization-defined conditions or trigger events requiring session
disconnect].

Discussion

Session termination addresses the termination of user-initiated logical sessions (in contrast to SC-10, which addresses the
termination of network connections associated with communications sessions (i.e. network disconnect)). A logical session (for
local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an
organizational system. Such user sessions can be terminated without terminating network sessions. Session termination ends
all processes associated with a user’s logical session except for those processes that are specifically created by the user (i.e.
session owner) to continue after the session is terminated. Conditions or trigger events that require automatic termination of
the session include organization-defined periods of user inactivity, targeted responses to certain types of incidents, or time-of-
day restrictions on system use.

Further Information

Related Controls: MA-4, SC-10, SC-23.


AC-12 Session Termination FAIL

DISA STIG Rating

Category: CAT-I

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Fail)

Control | Defined Testing Requirements | Result | Rating

AC-12 | Automatically terminate a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect]. | | DISA STIG Rating : CAT-I

Table 134: Test Summary AC-12

Description

Automatically terminate a user session after [Assignment: organization-defined conditions or trigger events requiring session
disconnect].

Findings

JED-DC-CORE-SW.catrion.local

Check | Description | Findings | Result

Check Remote Auth Is Configured | Invictux examined the device configuration to determine if authentication against a remote authentication system, such as Terminal Access Controller Access Control System Plus (TACACS+), Remote Authentication Dial-In User Service (RADIUS) or Lightweight Directory Access Protocol (LDAP), was configured. | Invictux determined there were no remote authentication systems configured on JED-DC-CORE-SW.catrion.local. |

Table 135: Findings for JED-DC-CORE-SW.catrion.local
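The checks recorded in Tables 119 to 135 above (OSPF interface authentication, configuration-change logging for AC-6(9), the lockout threshold of three failed logins for AC-7(a), the two-session limit on VTY lines for AC-10, and the remote-authentication check under AC-12) can be re-run offline against an exported running-config. The Python script below is an added example written for this page; it is not Invictux or Nipper code and does not reproduce their engine. It assumes standard Cisco IOS syntax for the commands it looks for (`ip ospf authentication`, `area ... authentication`, `network ... area`, `archive` / `log config` / `logging enable`, `login block-for`, `session-limit`, `tacacs server` / `radius server`) and runs on a constructed configuration fragment whose VLANs, addresses and key are placeholders, not values from the audited device; the thresholds (three attempts, two sessions) are the ones the report's check descriptions state.

```python
import re

# Constructed Cisco IOS running-config fragment for this example; the VLANs,
# addresses and the MD5 key are placeholders, not the audited device's values.
SAMPLE_CONFIG = """\
login block-for 900 attempts 3 within 120
archive
 log config
  logging enable
interface Vlan729
 ip address 10.0.29.1 255.255.255.0
 ip ospf message-digest-key 1 md5 PLACEHOLDER-KEY
 ip ospf authentication message-digest
interface Vlan730
 ip address 10.0.30.1 255.255.255.0
interface Vlan99
 ip address 192.168.99.1 255.255.255.0
router ospf 1
 network 10.0.0.0 0.0.255.255 area 0
line vty 0 4
 exec-timeout 10 0
 login local
"""


def parse_sections(config):
    """Split an IOS config into (header, [stripped child lines]) pairs; '!' and blanks dropped."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())   # indented line belongs to last header
        else:
            sections.append((raw.strip(), []))
    return sections


def _ip(dotted):
    return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")


def ospf_interfaces(sections):
    """Return {interface: (area, auth_mode)} for every interface that runs OSPF.
    Membership comes from an explicit 'ip ospf <pid> area' command or a 'router ospf'
    network statement matched with its wildcard mask; auth_mode is the interface-level
    setting, falling back to area-level authentication, else 'None'."""
    networks, area_auth = [], {}
    for header, body in sections:
        if header.startswith("router ospf"):
            for line in body:
                if m := re.match(r"network (\S+) (\S+) area (\S+)", line):
                    networks.append((_ip(m[1]), _ip(m[2]), m[3]))
                elif m := re.match(r"area (\S+) authentication( message-digest)?$", line):
                    area_auth[m[1]] = "message-digest" if m[2] else "simple"
    result = {}
    for header, body in sections:
        if not header.startswith("interface "):
            continue
        addr, area, auth = None, None, None
        for line in body:
            if m := re.match(r"ip address (\S+) \S+$", line):
                addr = _ip(m[1])
            elif m := re.match(r"ip ospf \d+ area (\S+)", line):
                area = m[1]
            elif m := re.match(r"ip ospf authentication(?: (message-digest|null|key-chain \S+))?$", line):
                mode = m[1] or "simple"
                auth = "None" if mode == "null" else mode.split()[0]
        if area is None and addr is not None:
            # wildcard match: bits that are 0 in the wildcard must agree with the network
            area = next((a for net, wild, a in networks
                         if ((addr ^ net) & ~wild & 0xFFFFFFFF) == 0), None)
        if area is None:
            continue  # interface does not participate in OSPF
        result[header[len("interface "):]] = (area, auth or area_auth.get(area, "None"))
    return result


def unauthenticated_ospf(sections):
    """Interfaces that speak OSPF with Auth Mode 'None', as listed in Tables 120 to 123."""
    return sorted(n for n, (_, auth) in ospf_interfaces(sections).items() if auth == "None")


def line_checks(sections):
    """Re-run the AC-6(9), AC-7(a), AC-10 and AC-12 checks; returns {check: 'PASS'|'FAIL'}."""
    headers = [h for h, _ in sections]
    ok = {}
    # AC-6(9): configuration changes are logged (archive / log config / logging enable)
    ok["log_config_changes"] = any(h == "archive" and "log config" in b and "logging enable" in b
                                   for h, b in sections)
    # AC-7(a): lockout after at most three failed logins (login block-for ... attempts N ...)
    attempts = [int(m[1]) for h in headers
                if (m := re.match(r"login block-for \d+ attempts (\d+) within \d+", h))]
    ok["failed_login_lockout"] = bool(attempts) and max(attempts) <= 3
    # AC-10: every VTY line carries a session-limit of two or fewer
    vty = [b for h, b in sections if h.startswith("line vty")]
    ok["vty_session_limit"] = bool(vty) and all(
        any((m := re.match(r"session-limit (\d+)$", ln)) and int(m[1]) <= 2 for ln in b) for b in vty)
    # AC-12 check: a remote AAA server (TACACS+, RADIUS or LDAP) is defined
    ok["remote_auth"] = any(re.match(r"(tacacs|radius|ldap) server |(tacacs|radius)-server host ", h)
                            for h in headers)
    return {k: "PASS" if v else "FAIL" for k, v in ok.items()}


if __name__ == "__main__":
    secs = parse_sections(SAMPLE_CONFIG)
    print("OSPF interfaces without authentication:", unauthenticated_ospf(secs))
    for check, verdict in line_checks(secs).items():
        print(f"{check}: {verdict}")
```

On the sample, Vlan730 is reported as the unauthenticated OSPF interface, Vlan99 is ignored because no `network` statement covers it, and the line checks come out as two PASS (change logging, lockout) and two FAIL (session limit, remote authentication). To audit a real device, feed the text of `show running-config` to `parse_sections`; the parser flattens nesting depth, which is sufficient for these checks but would need a stack for deeper constructs.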

AC-17 Remote Access

Control

(a) Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each
type of remote access allowed; and

(b) Authorize each type of remote access to the system prior to allowing such connections.

Discussion

Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external
networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted
virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs
provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the
cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations,
policies, standards, and guidelines.

Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote
connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for
malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access.

Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the
specific formats for such authorization. While organizations may use information exchange and system connection security
agreements to manage remote access connections to other systems, such agreements are addressed as part of CA-3. Enforcing
access restrictions for remote access is addressed via AC-3.

Further Information

Related Controls:
AC-2, AC-3, AC-4, AC-18, AC-19, AC-20, CA-3, CM-10, IA-2, IA-3, IA-8, MA-4, PE-17, PL-2, PL-4, SC-10, SC-12, SC-13, SI-4.

AC-17(2) Protection Of Confidentiality & Integrity Using Encryption PASS

DISA STIG Rating

Category: CAT-I

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Pass)

Control | Defined Testing Requirements | Result | Rating
AC-17(2) | Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. | | DISA STIG Rating: CAT-I

Table 136: Test Summary AC-17(2)


Description

Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.

Discussion

Virtual private networks can be used to protect the confidentiality and integrity of remote access sessions. Transport Layer
Security (TLS) is an example of a cryptographic protocol that provides end-to-end communications security over networks
and is used for Internet communications and online transactions.

Findings

JED-DC-CORE-SW.catrion.local

Check | Description | Findings | Result
Check IPSec Phase-1 hash algorithm | Invictux examined the device configuration to determine if IPSec phase-1 was configured to use any SHA 2+ hashing algorithm. | Invictux did not identify any IPSec phase-1 configuration on JED-DC-CORE-SW.catrion.local. |
AND
Check IPSec Transformation Set hash algorithm | Invictux examined the device configuration to determine if IPSec transformation set was configured to use any SHA 2+ hashing algorithm. | Invictux did not identify any IPSec transformation set configuration on JED-DC-CORE-SW.catrion.local. |
AND
Check IPSec Phase 1 DH Configuration | Invictux examined the device configuration to determine if the device's IPSec Phase 1 was configured to use Diffie-Hellman (DH) group 5 or higher. | Invictux did not identify any IPSec phase 1 configurations on JED-DC-CORE-SW.catrion.local. |
AND
Check IPSec transformation set encryption algorithm | Invictux examined the device configuration to determine if all IPSec transformation sets were configured to use any AES encryption algorithm. | Invictux did not identify any IPSec transformation set configuration on JED-DC-CORE-SW.catrion.local. |
AND
Check HTTPS FIPS Ciphers | Invictux examined the device configuration to determine if the HTTPS server encryption ciphers were Federal Information Processing Standard (FIPS) compliant. | See Table: "Web-based administration service settings" |
AND
Check IPSec phase-1 encryption algorithm | Invictux examined the device configuration to determine if all IPSec phase-1 were configured to use any AES encryption algorithm. | Invictux did not identify any IPSec phase-1 configuration on JED-DC-CORE-SW.catrion.local. |
AND
Check SNMP FIPS Encryption Configured | Invictux examined the device configuration to determine if Simple Network Management Protocol (SNMP) was configured to use only FIPS 140-2 encryption. | Invictux determined that no SNMP community strings were defined on JED-DC-CORE-SW.catrion.local. Invictux determined that SNMP versions 1/2c were disabled on JED-DC-CORE-SW.catrion.local. |

Table 137: Findings for JED-DC-CORE-SW.catrion.local

Description | Value
Web Administration Service (HTTPS) | Disabled
HTTPS TCP Port | 443
Web Administration Service (IPv6 HTTPS) | Disabled
IPv6 HTTPS TCP Port | 443

Table 138: Web-based administration service settings

Audit and Accountability [AU]

AU-3 Content of Audit Records

Control

Ensure that audit records contain information that establishes the following:
a. What type of event occurred;
b. When the event occurred;
c. Where the event occurred;
d. Source of the event;
e. Outcome of the event; and
f. Identity of any individuals, subjects, or objects/entities associated with the event.

Discussion

Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps
(item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item
e), and filenames involved (items a, c, e, and f). Event outcomes include indicators of event success or failure and event-specific
results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can
reveal information about individuals that may give rise to privacy risks and how best to mitigate such risks. For example, there
is the potential to reveal personally identifiable information in the audit trail, especially if the trail records inputs or is based on
patterns or time of usage.

AU-3 Content Of Audit Records PASS

DISA STIG Rating

Category: CAT-II

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Pass)

Control | Defined Testing Requirements | Result | Rating
AU-3 | Ensure that audit records contain information that establishes the following: a. What type of event occurred; b. When the event occurred; c. Where the event occurred; d. Source of the event; e. Outcome of the event; and f. Identity of any individuals, subjects, or objects/entities associated with the event. | | DISA STIG Rating: CAT-II

Table 139: Test Summary AU-3

Description

Ensure that audit records contain information that establishes the following:
a. What type of event occurred;
b. When the event occurred;
c. Where the event occurred;
d. Source of the event;
e. Outcome of the event; and
f. Identity of any individuals, subjects, or objects/entities associated with the event.

Findings

JED-DC-CORE-SW.catrion.local

Check | Description | Findings | Result
Check Logging is Enabled | Invictux examined the device configuration to determine if logging had been enabled. | Invictux determined that logging was enabled on JED-DC-CORE-SW.catrion.local. |
AND
All Deny Rules Log | Invictux examined the device configuration to determine if all deny filter rules were configured to log. | The check has passed on the device. No finding available at present. |
AND
Log With Timestamps Enabled | Invictux examined the device configuration to determine if log messages were configured to include a timestamp. | Invictux determined that JED-DC-CORE-SW.catrion.local was configured to log messages with a timestamp. |
AND
All Deny Rules Log Input | Invictux examined the device configuration to determine if all deny filter rules that can log the input rule were configured to do so. | The check has passed on the device. No finding available at present. |

Table 140: Findings for JED-DC-CORE-SW.catrion.local

AU-3(1) Additional Audit Information FAIL

DISA STIG Rating

Category: CAT-II

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Fail)

Control | Defined Testing Requirements | Result | Rating
AU-3(1) | Generate audit records containing the following additional information: additional information. | | DISA STIG Rating: CAT-II

Table 141: Test Summary AU-3(1)

Description

Generate audit records containing the following additional information: additional information.

Discussion

The ability to add information generated in audit records is dependent on system functionality to configure the audit record
content. Organizations may consider additional information in audit records including, but not limited to, access control or
flow control rules invoked and individual identities of group account users. Organizations may also consider limiting
additional audit record information to only information that is explicitly needed for audit requirements. This facilitates the
use of audit trails and audit logs by not including information in audit records that could potentially be misleading, make it
more difficult to locate information of interest, or increase the risk to individuals' privacy.

Findings

JED-DC-CORE-SW.catrion.local

Check | Description | Findings | Result
Log Config Changes Enabled | Invictux examined the device configuration to determine if the log configuration changes option was enabled. | Invictux determined that JED-DC-CORE-SW.catrion.local was configured to not log configuration changes. |

Table 142: Findings for JED-DC-CORE-SW.catrion.local

AU-4 Audit Log Storage Capacity

Control

Allocate audit log storage capacity to accommodate audit log retention requirements.

Discussion

Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating
audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being
exceeded and resulting in the potential loss or reduction of audit logging capability.

AU-4 Audit Log Storage Capacity FAIL

DISA STIG Rating

Category: CAT-II

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Fail)

Control | Defined Testing Requirements | Result | Rating
AU-4 | Allocate audit log storage capacity to accommodate audit log retention requirements. | | DISA STIG Rating: CAT-II

Table 143: Test Summary AU-4


Description

Allocate audit log storage capacity to accommodate audit log retention requirements.

Findings

JED-DC-CORE-SW.catrion.local

Check | Description | Findings | Result
Check Buffered Logging Has Byte Size | Invictux examined the device configuration to determine if the buffered message logging had been configured with a size of at least 0 bytes. | Invictux determined that message buffered logging was configured with a size of 125.00 KiB on JED-DC-CORE-SW.catrion.local. |
AND
Check File Logging Has Byte Size | Invictux examined the device configuration to determine if the file message logging had been configured with a byte size. | The check has failed on the device. No finding available at present. |

Table 144: Findings for JED-DC-CORE-SW.catrion.local

AU-4(1) Transfer to Alternate Storage PASS

DISA STIG Rating

Category: CAT-I

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Pass)

Control | Defined Testing Requirements | Result | Rating
AU-4(1) | Transfer audit logs frequency to a different system, system component, or media other than the system or system component conducting the logging. | | DISA STIG Rating: CAT-I

Table 145: Test Summary AU-4(1)

Description

Transfer audit logs frequency to a different system, system component, or media other than the system or system
component conducting the logging.

Discussion

Audit log transfer, also known as off-loading, is a common process in systems with limited audit log storage capacity and
thus supports availability of the audit logs. The initial audit log storage is only used in a transitory fashion until the system
can communicate with the secondary or alternate system allocated to audit log storage, at which point the audit logs are
transferred. Transferring audit logs to alternate storage is similar to AU-9(2) in that audit logs are transferred to a different
entity. However, the purpose of selecting AU-9(2) is to protect the confidentiality and integrity of audit records.
Organizations can select either control enhancement to obtain the benefit of increased audit log storage capacity and
preserving the confidentiality, integrity, and availability of audit records and logs.

Findings

JED-DC-CORE-SW.catrion.local

Check | Description | Findings | Result
Check Syslog is Enabled | Invictux examined the device configuration to determine if logging to a Syslog server had been configured. | Invictux determined that logging to a Syslog server was enabled on JED-DC-CORE-SW.catrion.local. See Table: "Syslog hosts" |
AND
Check Syslog Facility & Severity | Invictux examined the device configuration to determine if the Syslog message logging severity level was at least Notification severity level. | Invictux determined that Syslog message logging was configured to log messages with at least Notification severity level on JED-DC-CORE-SW.catrion.local. The following matching Syslog hosts were configured. See Table: "Matching Syslog hosts" |

Table 146: Findings for JED-DC-CORE-SW.catrion.local

Host | Protocol | Port
10.240.253.101 | UDP | 514
192.168.100.155 | UDP | 514

Table 147: Syslog hosts

Host | Protocol | Port
10.240.253.101 | UDP | 514
192.168.100.155 | UDP | 514

Table 148: Matching Syslog hosts

AU-5 Response to Audit Logging Process Failures


Control

(a) Alert personnel or roles within time period in the event of an audit logging process failure; and
(b) Take the following additional actions: additional actions.

Discussion

Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching
or exceeding audit log storage capacity. Organization-defined actions include overwriting oldest audit records, shutting down
the system, and stopping the generation of audit records. Organizations may choose to define additional actions for audit
logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of
such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage
repository (i.e., the distinct system component where the audit logs are stored), the system on which the audit logs reside, the
total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations
may decide to take no additional actions after alerting designated roles or personnel.

AU-5(2) Real-time Alerts PASS

DISA STIG Rating

Category: CAT-II

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Pass)

Control | Defined Testing Requirements | Result | Rating
AU-5(2) | Provide an alert within real-time period to personnel, roles, and/or locations when the following audit failure events occur: audit logging failure events requiring real-time alerts. | | DISA STIG Rating: CAT-II

Table 149: Test Summary AU-5(2)

Description

Provide an alert within real-time period to personnel, roles, and/or locations when the following audit failure events occur:
audit logging failure events requiring real-time alerts.

Discussion

Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology
speed (i.e., the time from event detection to alert occurs in seconds or less).

Findings

JED-DC-CORE-SW.catrion.local

Check | Description | Findings | Result
Check Syslog is Enabled | Invictux examined the device configuration to determine if logging to a Syslog server had been configured. | Invictux determined that logging to a Syslog server was enabled on JED-DC-CORE-SW.catrion.local. See Table: "Syslog hosts" |
AND
Check Syslog Facility & Severity | Invictux examined the device configuration to determine if the Syslog message logging severity level was at least Notification severity level. | Invictux determined that Syslog message logging was configured to log messages with at least Notification severity level on JED-DC-CORE-SW.catrion.local. The following matching Syslog hosts were configured. See Table: "Matching Syslog hosts" |

Table 150: Findings for JED-DC-CORE-SW.catrion.local

Host | Protocol | Port
10.240.253.101 | UDP | 514
192.168.100.155 | UDP | 514

Table 151: Syslog hosts

Host | Protocol | Port
10.240.253.101 | UDP | 514
192.168.100.155 | UDP | 514

Table 152: Matching Syslog hosts

AU-5(4) Shutdown on Failure INVESTIGATE

DISA STIG Rating

Category: CAT-II

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Investigate)

Control | Defined Testing Requirements | Result | Rating
AU-5(4) | Invoke a full system shutdown or partial system shutdown or degraded operational mode with limited mission or business functionality available in the event of audit logging failures, unless an alternate audit logging capability exists. | | DISA STIG Rating: CAT-II

Table 153: Test Summary AU-5(4)

Description

Invoke a full system shutdown or partial system shutdown or degraded operational mode with limited mission or business
functionality available in the event of audit logging failures, unless an alternate audit logging capability exists.

Discussion

Organizations determine the types of audit logging failures that can trigger automatic system shutdowns or degraded
operations. Because of the importance of ensuring mission and business continuity, organizations may determine that the
nature of the audit logging failure is not so severe that it warrants a complete shutdown of the system supporting the core
organizational mission and business functions. In those instances, partial system shutdowns or operating in a degraded
mode with reduced capability may be viable alternatives.

Findings

JED-DC-CORE-SW.catrion.local

Check | Description | Findings | Result
Check Syslog Message Queue Size | Invictux examined the device configuration to determine if the Syslog logging message queue was configured to store at least 513 messages. | Invictux was unable to automate this check. |
AND
Check Syslog Permits Host Down | Invictux examined the device configuration to determine if the Syslog permit host down option was enabled. | Invictux was unable to automate this check. |

Table 154: Findings for JED-DC-CORE-SW.catrion.local

AU-8 Time Stamps

Control

a. Use internal system clocks to generate time stamps for audit records; and
b. Record time stamps for audit records that meet granularity of time measurement and that use Coordinated Universal Time,
have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp.

Discussion

Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time
(UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time
measurements refers to the degree of synchronization between system clocks and reference clocks (e.g., clocks synchronizing
within hundreds of milliseconds or tens of milliseconds). Organizations may define different time granularities for different
system components. Time service can be critical to other security capabilities such as access control and identification and
authentication, depending on the nature of the mechanisms used to support those capabilities.

AU-8(b) Record time stamps for audit records FAIL

DISA STIG Rating

Category: CAT-II

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Fail)

Control | Defined Testing Requirements | Result | Rating
AU-8(b) | Record time stamps for audit records that meet granularity of time measurement and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp. | | DISA STIG Rating: CAT-II

Table 155: Test Summary AU-8(b)

Description

Record time stamps for audit records that meet granularity of time measurement and that use Coordinated Universal Time,
have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time
stamp.

Findings

JED-DC-CORE-SW.catrion.local

Check | Description | Findings | Result
Check Number of NTP Time Sources | Invictux examined the device configuration to determine if the Network Time Protocol (NTP) client was configured to sync its time against two NTP time sources. | See Table: "NTP client time sources" |

Table 156: Findings for JED-DC-CORE-SW.catrion.local

Address | Auth Key | Version
192.168.101.101 | | 3

Table 157: NTP client time sources

AU-9 Protection of Audit Information

Control

(a) Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and
(b) Alert personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.

Discussion

Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings,
audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct
system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to
access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both
media protection controls and physical and environmental protection controls.

AU-9 Protection Of Audit Information PASS

DISA STIG Rating

Category: CAT-II

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Pass)

Control | Defined Testing Requirements | Result | Rating
AU-9 | a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and b. Alert personnel or roles upon detection of unauthorized access, modification, or deletion of audit information. | | DISA STIG Rating: CAT-II

Table 158: Test Summary AU-9

Description

a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and
b. Alert personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.

Findings

JED-DC-CORE-SW.catrion.local

Check | Description | Findings | Result
Check File Logging is Disabled | Invictux examined the device configuration to determine if file logging had been configured. | The check has passed on the device. No finding available at present. |
OR
Check File Logging is Enabled | Invictux examined the device configuration to determine if file logging had been configured. | The check has failed on the device. No finding available at present. |

Table 159: Findings for JED-DC-CORE-SW.catrion.local

AU-10 Non-repudiation

Control

Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed actions.

Discussion

Types of individual actions covered by non-repudiation include creating information, sending and receiving messages, and
approving information. Non-repudiation protects against claims by authors of not having authored certain documents, senders
of not having transmitted messages, receivers of not having received messages, and signatories of not having signed
documents. Non-repudiation services can be used to determine if information originated from an individual or if an individual
took specific actions (e.g., sending an email, signing a contract, approving a procurement request, or receiving specific
information). Organizations obtain non-repudiation services by employing various techniques or mechanisms, including digital
signatures and digital message receipts.

AU-10 Non-Repudiation FAIL

DISA STIG Rating

Category: CAT-II

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Fail)

Control | Defined Testing Requirements | Result | Rating
AU-10 | Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed actions. | | DISA STIG Rating: CAT-II

Table 160: Test Summary AU-10

Description

Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed actions.

Findings

JED-DC-CORE-SW.catrion.local

Check | Description | Findings | Result
Log Config Changes Enabled | Invictux examined the device configuration to determine if the log configuration changes option was enabled. | Invictux determined that JED-DC-CORE-SW.catrion.local was configured to not log configuration changes. |

Table 161: Findings for JED-DC-CORE-SW.catrion.local

AU-12 Audit Record Generation

Control

a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on
system components;
b. Allow personnel or roles to select the event types that are to be logged by specific components of the system; and
c. Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.

Discussion

Audit records can be generated from many different system components. The event types specified in AU-2d are the event
types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit
records.

AU-12(a) Audit Record Generation PASS

DISA STIG Rating

Category: CAT-II

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Pass)

Control | Defined Testing Requirements | Result | Rating
AU-12(a) | Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2(a) on system components | | DISA STIG Rating: CAT-II

Table 162: Test Summary AU-12(a)

Description

Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2(a) on
system components

Findings

JED-DC-CORE-SW.catrion.local

Check | Description | Findings | Result
Group has access time restrictions | Invictux examined the device configuration to determine if all users have their access restricted to specific days and times. | Invictux identified that no user groups are configured on JED-DC-CORE-SW.catrion.local that were relevant to this check. |

Table 163: Findings for JED-DC-CORE-SW.catrion.local

AU-12(b) Audit Record Generation FAIL

DISA STIG Rating

Category: CAT-II

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Fail)

Control | Defined Testing Requirements | Result | Rating
AU-12(b) | Allow personnel or roles to select the event types that are to be logged by specific components of the system | | DISA STIG Rating: CAT-II

Table 164: Test Summary AU-12(b)

Description

Allow personnel or roles to select the event types that are to be logged by specific components of the system

Findings

JED-DC-CORE-SW.catrion.local

Check | Description | Findings | Result
Check Syslog Facility & Severity | Invictux examined the device configuration to determine if the Syslog message logging severity level was at least Information severity level with "change-log" facility. | The check has failed on the device. No finding available at present. |
OR
Check File Facility & Severity | Invictux examined the device configuration to determine if the file message logging severity level was at least Information severity level with "change-log" facility. | The check has failed on the device. No finding available at present. |
OR
Check Terminal Facility & Severity | Invictux examined the device configuration to determine if the terminal message logging severity level was at least Information severity level with "change-log" facility. | Invictux determined that terminal message logging was not configured to log change-log facility messages with at least Information severity level on JED-DC-CORE-SW.catrion.local. The following terminal logging configurations were identified. See Table: "Terminal Logging 1 configuration" |

Table 165: Findings for JED-DC-CORE-SW.catrion.local

Setting | Value
User Terminals | All
Terminal Logging | Enabled
Severity | All : Critical (2)

Table 166: Terminal Logging 1 configuration


AU-12(c) Audit Record Generation FAIL

DISA STIG Rating

Category: CAT-II

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Fail)

Control | Defined Testing Requirements | Result | Rating
AU-12(c) | Generate audit records for the event types defined in AU-2(c) that include the audit record content defined in AU-3 | | DISA STIG Rating: CAT-II

Table 167: Test Summary AU-12(c)

Description

Generate audit records for the event types defined in AU-2(c) that include the audit record content defined in AU-3

Findings

JED-DC-CORE-SW.catrion.local

Check | Description | Findings | Result
Log Config Changes Enabled | Invictux examined the device configuration to determine if the log configuration changes option was enabled. | Invictux determined that JED-DC-CORE-SW.catrion.local was configured to not log configuration changes. |

Table 168: Findings for JED-DC-CORE-SW.catrion.local

Further Information

Related to the following NIST 800-53 controls: AC-6, AC-17, AU-2, AU-3, AU-4, AU-5, AU-6, AU-7, AU-14, CM-5, MA-4, MP-4,
PM-12, SA-8, SC-18, SI-3, SI-4, SI-7, SI-10.

Configuration Management (CM)


CM-5 Access Restrictions for Change

Control

Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.

Discussion

Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system
can potentially have significant effects on the security of the systems or individuals’ privacy. Therefore, organizations permit
only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include
physical and logical access controls (see AC-3 and PE-3), software libraries, workflow automation, media libraries, abstract
layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes
occur only during specified times).

CM-5(6) Limit Library Privileges PASS

DISA STIG Rating

Category: CAT-II

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Pass)

Control | Defined Testing Requirements | Result | Rating
CM-5(6) | Limit privileges to change software resident within software libraries. | | DISA STIG Rating: CAT-II

Table 169: Test Summary CM-5(6)

Description

Limit privileges to change software resident within software libraries.

Findings

JED-DC-CORE-SW.catrion.local

Check | Description | Findings | Result
Check File Access Level | Invictux examined the device configuration to determine if the minimum privilege level required to access files had been set to 15. | Invictux determined that minimum privilege level to access files was configured as level 15 on JED-DC-CORE-SW.catrion.local. |

Table 170: Findings for JED-DC-CORE-SW.catrion.local

CM-6 Configuration Settings

Control

(a) Establish and document configuration settings for components employed within the system that reflect the most restrictive
mode consistent with operational requirements using common secure configurations;
(b) Implement the configuration settings;
(c) Identify, document, and approve any deviations from established configuration settings for system components based on
operational requirements; and
(d) Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.

Discussion

Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the
system that affect the security and privacy posture or functionality of the system. Information technology products for which
configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices,
input/output devices, protocols, and applications. Parameters that impact the security posture of systems include registry
settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote
connections. Privacy parameters are parameters impacting the privacy posture of systems, including the parameters required
to satisfy other privacy controls. Privacy parameters include settings for access controls, data processing preferences, and
processing and retention permissions. Organizations establish organization-wide configuration settings and subsequently
derive specific configuration settings for systems. The established settings become part of the configuration baseline for the
system.

Common secure configurations (also known as security configuration checklists, lockdown and hardening guides, and security
reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings
for information technology products and platforms as well as instructions for configuring those products or platforms to meet
operational requirements. Common secure configurations can be developed by a variety of organizations, including
information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other
organizations in the public and private sectors.

Implementation of a common secure configuration may be mandated at the organization level, mission and business process
level, system level, or at a higher level, including by a regulatory agency. Common secure configurations include the United
States Government Configuration Baseline (USGCB, https://csrc.nist.gov/projects/united-states-government-configuration-baseline)
and security technical implementation guides (STIGs), which affect the implementation of CM-6 and other controls such as
AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an
effective method to uniquely identify, track, and control configuration settings.

CM-6(1) Automated Management, Application, & Verification FAIL


DISA STIG Rating

Category: CAT-I

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Fail)

Control | Defined Testing Requirements | Result Rating

CM-6(1) | Manage, apply, and verify configuration settings for system components using organization-defined automated mechanisms. | DISA STIG Rating : CAT-I

Table 171: Test Summary CM-6(1)

Description

Manage, apply, and verify configuration settings for system components using organization-defined automated
mechanisms.

Discussion

Automated tools (e.g., hardening tools, baseline configuration tools) can improve the accuracy, consistency, and availability
of configuration settings information. Automation can also provide data aggregation and data correlation capabilities,
alerting mechanisms, and dashboards to support risk-based decision-making within the organization.

Findings

JED-DC-CORE-SW.catrion.local

Check | Description | Findings | Result

Check Line Remote Authentication | Invictux examined all usable administrative lines to determine if they prioritise remote over local authentication. | See Table: "Administrative lines on JED-DC-CORE-SW.catrion.local" | Fail

Table 172: Findings for JED-DC-CORE-SW.catrion.local

Line Access Login Level Password Telnet SSH Filter In Filter Out

Console Yes Line Password 1 CiscoAdmin N/A N/A N/A N/A

Table 173: Administrative lines on JED-DC-CORE-SW.catrion.local


CM-7 Least Functionality

Control

a. Configure the system to provide only mission-essential capabilities; and
b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: organization-defined
prohibited or restricted functions, system ports, protocols, software, and/or services.

Discussion

Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may
not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient
to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by
that single component. Where feasible, organizations limit component functionality to a single function per component.
Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical
ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations
employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as
firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports,
and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see
SA-8, SC-2, and SC-3).

Further Information

Related to the following NIST 800-53 controls: SA-8; SC-2; SC-3.

CM-7(a) Configure the system to provide only mission-essential capabilities FAIL

DISA STIG Rating

Category: CAT-II

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Fail)

Control Defined Testing Requirements Result Rating

CM-7(a) Configure the system to provide only mission-essential capabilities DISA STIG Rating : CAT-II

Table 174: Test Summary CM-7(a)


Description

Configure the system to provide only mission-essential capabilities

Findings

JED-DC-CORE-SW.catrion.local

Check | Description | Findings | Result

Check No Boot From Network AND | Invictux examined the device configuration to determine that the device was not configured to boot from the network. | Invictux determined that on JED-DC-CORE-SW.catrion.local there was no network boot configuration specified. | Pass

No unauthorized administrative services AND | Invictux examined the device configuration to determine that the following administrative services were authorized if they had been enabled: | Invictux examined the remote administrative services configured on JED-DC-CORE-SW.catrion.local to determine their state and authorization. The status of each service is detailed in the following table: See Table: "Authorization state of administrative services on JED-DC-CORE-SW.catrion.local" | Pass

No unauthorized file transfer services AND | Invictux examined the device configuration to determine that the RCP file transfer service was authorized if it had been enabled. | Invictux examined the file transfer services configured on JED-DC-CORE-SW.catrion.local to determine their state and authorization. The status of each service is detailed in the following table: See Table: "Authorization state of file transfer services on JED-DC-CORE-SW.catrion.local" | Pass

No unauthorized miscellaneous services | Invictux examined the device configuration to determine that the following miscellaneous services were authorized if they had been enabled: | Invictux examined the miscellaneous services configured on JED-DC-CORE-SW.catrion.local to determine their state and authorization. The status of each service is detailed in the following table: See Table: "Authorization state of miscellaneous services on JED-DC-CORE-SW.catrion.local" | Fail

Table 175: Findings for JED-DC-CORE-SW.catrion.local

Service Authorized State Status

Telnet No Disabled Pass

Clear-Text Web Administration (HTTP) No Disabled Pass

RSH Disabled Pass

Table 176: Authorization state of administrative services on JED-DC-CORE-SW.catrion.local


Service Authorized State Status

RCP No Disabled Pass

Table 177: Authorization state of file transfer services on JED-DC-CORE-SW.catrion.local

Service Authorized State Status

BootP No Enabled Fail

Configuration Service No Disabled Pass

DNS Server No Disabled Pass

Finger No Disabled Pass

Ident No Disabled Pass

PAD No Enabled Fail

TCP Small Servers No Disabled Pass

UDP Small Servers No Disabled Pass

Table 178: Authorization state of miscellaneous services on JED-DC-CORE-SW.catrion.local

CM-7(b) Prohibit/restrict use of defined functions, ports, protocols, software, and/or services FAIL

DISA STIG Rating

Category: CAT-I

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Fail)

Control | Defined Testing Requirements | Result Rating

CM-7(b) | Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services. | DISA STIG Rating : CAT-I

Table 179: Test Summary CM-7(b)

Description

Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: organization-defined
prohibited or restricted functions, system ports, protocols, software, and/or services.

Findings

JED-DC-CORE-SW.catrion.local

Check | Description | Findings | Result

Check No Boot From Network AND | Invictux examined the device configuration to determine that the device was not configured to boot from the network. | Invictux determined that on JED-DC-CORE-SW.catrion.local there was no network boot configuration specified. | Pass

No unauthorized administrative services AND | Invictux examined the device configuration to determine that the following administrative services were authorized if they had been enabled: | Invictux examined the remote administrative services configured on JED-DC-CORE-SW.catrion.local to determine their state and authorization. The status of each service is detailed in the following table: See Table: "Authorization state of administrative services on JED-DC-CORE-SW.catrion.local" | Pass

No unauthorized file transfer services AND | Invictux examined the device configuration to determine that the RCP file transfer service was authorized if it had been enabled. | Invictux examined the file transfer services configured on JED-DC-CORE-SW.catrion.local to determine their state and authorization. The status of each service is detailed in the following table: See Table: "Authorization state of file transfer services on JED-DC-CORE-SW.catrion.local" | Pass

No unauthorized miscellaneous services | Invictux examined the device configuration to determine that the following miscellaneous services were authorized if they had been enabled: | Invictux examined the miscellaneous services configured on JED-DC-CORE-SW.catrion.local to determine their state and authorization. The status of each service is detailed in the following table: See Table: "Authorization state of miscellaneous services on JED-DC-CORE-SW.catrion.local" | Fail

Table 180: Findings for JED-DC-CORE-SW.catrion.local

Service Authorized State Status

Telnet No Disabled Pass

Clear-Text Web Administration (HTTP) No Disabled Pass

RSH Disabled Pass

Table 181: Authorization state of administrative services on JED-DC-CORE-SW.catrion.local

Service Authorized State Status

RCP No Disabled Pass

Table 182: Authorization state of file transfer services on JED-DC-CORE-SW.catrion.local

Service Authorized State Status

BootP No Enabled Fail

Configuration Service No Disabled Pass


DNS Server No Disabled Pass

Finger No Disabled Pass

Ident No Disabled Pass

PAD No Enabled Fail

TCP Small Servers No Disabled Pass

UDP Small Servers No Disabled Pass

Table 183: Authorization state of miscellaneous services on JED-DC-CORE-SW.catrion.local

Contingency Planning (CP)

CP-9 System Backup

Control

(a) Conduct backups of user-level information contained in system components frequency;
(b) Conduct backups of system-level information contained in the system frequency;
(c) Conduct backups of system documentation, including security- and privacy-related documentation frequency; and
(d) Protect the confidentiality, integrity, and availability of backup information.

Discussion

System-level information includes system state information, operating system software, middleware, application software, and
licenses. User-level information includes information other than system-level information. Mechanisms employed to protect
the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information
while in transit is addressed by MP-5 and SC-8. System backups reflect the requirements in contingency plans as well as other
organizational requirements for backing up information.

Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific
categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official
for privacy and legal counsel regarding such requirements.

Further Information

Related to the following NIST 800-53 controls: MP-5; SC-8.

CP-9(b) Conduct backups of system documentation INVESTIGATE

DISA STIG Rating


Category: CAT-II

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Investigate)

Control | Defined Testing Requirements | Result Rating

CP-9(b) | Conduct backups of system-level information contained in the system frequency. | DISA STIG Rating : CAT-II

Table 184: Test Summary CP-9(b)

Description

Conduct backups of system-level information contained in the system frequency.

Findings

JED-DC-CORE-SW.catrion.local

Check | Description | Findings | Result

Check Event Action OR | Invictux examined the device configuration to determine that the device had an automated activity with the action "copy run tftp" which triggered on the "syslog pattern "%SYS-5-CONFIG_I"" event. | Invictux determined that JED-DC-CORE-SW.catrion.local was not configured to trigger the action "copy run tftp" on the "syslog pattern "%SYS-5-CONFIG_I"" event. | Fail

Check Auto Config Backup Is Enabled | Invictux examined the device configuration to determine if the device auto configuration backup facility was enabled. | Invictux was unable to automate this check. | Investigate

Table 185: Findings for JED-DC-CORE-SW.catrion.local

Identification and Authentication (IA)

IA-2 Identification and Authentication (Organizational Users)

Description

Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on
behalf of those users.

Discussion

Organizations can satisfy the identification and authentication requirements by complying with the requirements in HSPD 12.
Organizational users include employees or individuals who organizations consider to have an equivalent status to employees
(e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than
those that are explicitly identified in AC-14 and that occur through the authorized use of group authenticators without
individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique
identification of individuals in group accounts or for detailed accountability of individual activity.

Organizations employ passwords, physical authenticators, or biometrics to authenticate user identities or, in the case of multi-
factor authentication, some combination thereof. Access to organizational systems is defined as either local access or network
access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is
obtained through direct connections without the use of networks. Network access is access to organizational systems by users
(or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote
access is a type of network access that involves communication through external networks. Internal networks include local area
networks and wide area networks.

The use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-
organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and
integrity of information traversing the network. Identification and authentication requirements for non-organizational users are
described in IA-8.

IA-2(8) Access to Accounts — Replay Resistant INVESTIGATE

DISA STIG Rating

Category: CAT-I

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Investigate)

Control | Defined Testing Requirements | Result Rating

IA-2(8) | Implement replay-resistant authentication mechanisms for access to privileged accounts or non-privileged accounts. | DISA STIG Rating : CAT-I

Table 186: Test Summary IA-2(8)

Description

Implement replay-resistant authentication mechanisms for access to privileged accounts or non-privileged accounts.

Discussion

Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous
authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time
synchronous or cryptographic authenticators.

Findings

JED-DC-CORE-SW.catrion.local

Check | Description | Findings | Result

Check SSH Server FIPS 198-1 HMAC Configured AND | Invictux examined the device configuration to determine if the SSH server was configured to use only FIPS 198-1 Hashed Message Authentication Code or keyed-Hash Message Authentication Code (HMAC). | Invictux determined that the SSH service was disabled on JED-DC-CORE-SW.catrion.local. The SSH service is configured on administrative lines on Cisco Catalyst Switch devices. The following Table describes those lines. See Table: "SSH administrative line on JED-DC-CORE-SW.catrion.local" Invictux determined that the SSH service was configured to only use version 2 of the protocol on JED-DC-CORE-SW.catrion.local. |

Check HTTPS FIPS Ciphers AND | Invictux examined the device configuration to determine if the HTTPS server encryption ciphers were FIPS compliant. | See Table: "Web-based administration service settings" |

Check FIPS Mode Is Enabled | Invictux examined the device configuration to determine if the device had FIPS mode enabled. | Invictux was unable to automate this check. | Investigate

Table 187: Findings for JED-DC-CORE-SW.catrion.local

Line Access Login Level Password Telnet SSH Filter In Filter Out

VTY 0 - 4 Yes Line Password 1 CiscoAdmin No Yes 10

VTY 5 - 15 Yes Line Password 1 CiscoAdmin No Yes 10

Table 188: SSH administrative line on JED-DC-CORE-SW.catrion.local

Description Value

Web Administration Service (HTTPS) Disabled

HTTPS TCP Port 443

Web Administration Service (IPv6 HTTPS) Disabled

IPv6 HTTPS TCP Port 443

Table 189: Web-based administration service settings


Further Information

Related to the following NIST 800-53 controls: AC-14; IA-8.

IA-3 Device Identification and Authentication

Description

Uniquely identify and authenticate devices and/or types of devices before establishing a local or remote or network
connection.

Discussion

Devices that require unique device-to-device identification and authentication are defined by type, device, or a combination of
type and device. Organization-defined device types include devices that are not owned by the organization. Systems use
shared known information (e.g., Media Access Control [MAC], Transmission Control Protocol/Internet Protocol [TCP/IP]
addresses) for device identification or organizational authentication solutions (e.g., Institute of Electrical and Electronics
Engineers (IEEE) 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS]
authentication, Kerberos) to identify and authenticate devices on local and wide area networks. Organizations determine the
required strength of authentication mechanisms based on the security categories of systems and mission or business
requirements. Because of the challenges of implementing device authentication on a large scale, organizations can restrict the
application of the control to a limited number/type of devices based on mission or business needs.

IA-3 Device Identification & Authentication PASS

DISA STIG Rating

Category: CAT-I

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Pass)

Control Defined Testing Requirements Result Rating

IA-3 No Test Description DISA STIG Rating : CAT-I

Table 190: Test Summary IA-3

Control
Uniquely identify and authenticate [Assignment: organization-defined devices and/or types of devices] before establishing a
[Selection (one or more): local; remote; network] connection

Discussion

Devices that require unique device-to-device identification and authentication are defined by type, device, or a combination
of type and device. Organization-defined device types include devices that are not owned by the organization. Systems use
shared known information (e.g., Media Access Control [MAC], Transmission Control Protocol/Internet Protocol [TCP/IP]
addresses) for device identification or organizational authentication solutions (e.g., Institute of Electrical and Electronics
Engineers (IEEE) 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS]
authentication, Kerberos) to identify and authenticate devices on local and wide area networks. Organizations determine the
required strength of authentication mechanisms based on the security categories of systems and mission or business
requirements. Because of the challenges of implementing device authentication on a large scale, organizations can restrict
the application of the control to a limited number/type of devices based on mission or business needs.

Findings

JED-DC-CORE-SW.catrion.local

Check | Description | Findings | Result

Check all MPLS LDP neighbors authenticate AND | Invictux examined the device configuration to determine if the device was configured to authenticate all Multi Protocol Label Switching (MPLS) LDP neighbors. | No MPLS configuration was identified on JED-DC-CORE-SW.catrion.local. | Pass

Check all MSDP peers authenticate | Invictux examined the device configuration to determine if the device was configured to authenticate all MPLS LDP neighbors. | There was no MSDP configuration identified on JED-DC-CORE-SW.catrion.local. | Pass

Table 191: Findings for JED-DC-CORE-SW.catrion.local

IA-3(1) Cryptographic Bidirectional Authentication PASS

DISA STIG Rating

Category: CAT-II

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Pass)


Control | Defined Testing Requirements | Result Rating

IA-3(1) | Authenticate devices and/or types of devices before establishing local or remote or network connection using bidirectional authentication that is cryptographically based. | DISA STIG Rating : CAT-II

Table 192: Test Summary IA-3(1)

Description

Authenticate devices and/or types of devices before establishing local or remote or network connection using bidirectional
authentication that is cryptographically based.

Discussion

A local connection is a connection with a device that communicates without the use of a network. A network connection is a
connection with a device that communicates through a network. A remote connection is a connection with a device that
communicates through an external network. Bidirectional authentication provides stronger protection to validate the
identity of other devices for connections that are of greater risk.

Findings

JED-DC-CORE-SW.catrion.local

Check | Description | Findings | Result

Check SNMP FIPS Encryption Configured OR | Invictux examined the device configuration to determine if SNMP was configured to use only FIPS 140-2 encryption. | Invictux determined that no SNMP community strings were defined on JED-DC-CORE-SW.catrion.local. Invictux determined that SNMP versions 1/2c were disabled on JED-DC-CORE-SW.catrion.local. |

Check NTP Time Sources Are Authenticated | Invictux examined the device configuration to determine if the NTP client was configured to authenticate all its NTP time sources. | See Table: "NTP client time sources" |

Table 193: Findings for JED-DC-CORE-SW.catrion.local

Address | Auth Key | Version

192.168.101.101 | | 3

Table 194: NTP client time sources


IA-5 Authenticator Management

Control

Manage system authenticators by:

(a) Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device
receiving the authenticator;
(b) Establishing initial authenticator content for any authenticators issued by the organization;
(c) Ensuring that authenticators have sufficient strength of mechanism for their intended use;
(d) Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or
damaged authenticators, and for revoking authenticators;
(e) Changing default authenticators prior to first use;
(f) Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when
[Assignment: organization-defined events] occur;
(g) Protecting authenticator content from unauthorized disclosure and modification;
(h) Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and
(i) Changing authenticators for group or role accounts when membership to those accounts changes.

Discussion

Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges.
Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator
(e.g., the initial password). In contrast, the requirements for authenticator content contain specific criteria or characteristics
(e.g., minimum password length). Developers may deliver system components with factory default authentication credentials
(i.e., passwords) to allow for initial installation and configuration. Default authentication credentials are often well known, easily
discoverable, and present a significant risk. The requirement to protect individual authenticators may be implemented via
control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for
authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing
encrypted or hashed passwords accessible with administrator privileges.

Systems support authenticator management by organization-defined settings and restrictions for various authenticator
characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of
allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual
authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately
reporting lost, stolen, or compromised authenticators. Authenticator management includes issuing and revoking
authenticators for temporary access when no longer needed.

IA-5(1)(b) Password-Based Authentication FAIL

DISA STIG Rating

Category: CAT-II

Affected Devices
Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Fail)

Control | Defined Testing Requirements | Result Rating

IA-5(1)(b) | For password-based authentication: (b) Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a) | DISA STIG Rating : CAT-II

Table 195: Test Summary IA-5(1)(b)

Description

For password-based authentication:

(b) Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used,
expected, or compromised passwords in IA-5(1)(a)

Discussion

Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor
authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide
marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for
password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this
requirement in IA-5(1)(h).

Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected
passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or
expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or
sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives
thereof.

Findings

JED-DC-CORE-SW.catrion.local

Check | Description | Findings | Result

Check Password Characters Changed | Invictux examined the device configuration to determine if the policy setting related to character changes when setting a password was configured to require at least eight characters to be changed. | See Table: "Users on JED-DC-CORE-SW.catrion.local minimum password character changes policy" | Fail

Table 196: Findings for JED-DC-CORE-SW.catrion.local


User Finding Status

test There was no policy applied to the user. FAIL

malmalki There was no policy applied to the user. FAIL

radelarosa There was no policy applied to the user. FAIL

msamir There was no policy applied to the user. FAIL

joey There was no policy applied to the user. FAIL

Table 197: Users on JED-DC-CORE-SW.catrion.local minimum password character changes policy

IA-5(1)(c) Password-Based Authentication PASS

DISA STIG Rating

Category: CAT-I

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Pass)

Control | Defined Testing Requirements | Result Rating

IA-5(1)(c) | For password-based authentication: (c) Transmit passwords only over cryptographically-protected channels | DISA STIG Rating : CAT-I

Table 198: Test Summary IA-5(1)(c)

Description

For password-based authentication:

(c) Transmit passwords only over cryptographically-protected channels

Discussion

Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor
authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide
marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for
password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this
requirement in IA-5(1)(h).

Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected
passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or
expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or
sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives
thereof.

Findings

JED-DC-CORE-SW.catrion.local

Check | Description | Findings | Result

Check Password Encryption Is Enabled AND | Invictux examined the device configuration to determine if the device was configured to store passwords in an encrypted form. | Invictux determined that the storage of encrypted passwords was enabled on JED-DC-CORE-SW.catrion.local. | Pass

Check HTTPS FIPS Ciphers OR | Invictux examined the device configuration to determine if the HTTPS server encryption ciphers were FIPS compliant. | See Table: "Web-based administration service settings" |

Check SSH Server FIPS 198-1 HMAC Configured | Invictux examined the device configuration to determine if the SSH server was configured to use only FIPS 198-1 HMAC. | Invictux determined that the SSH service was disabled on JED-DC-CORE-SW.catrion.local. The SSH service is configured on administrative lines on Cisco Catalyst Switch devices. The following Table describes those lines. See Table: "SSH administrative line on JED-DC-CORE-SW.catrion.local" Invictux determined that the SSH service was configured to only use version 2 of the protocol on JED-DC-CORE-SW.catrion.local. |

Table 199: Findings for JED-DC-CORE-SW.catrion.local

Description Value

Web Administration Service (HTTPS) Disabled

HTTPS TCP Port 443

Web Administration Service (IPv6 HTTPS) Disabled

IPv6 HTTPS TCP Port 443

Table 200: Web-based administration service settings

Line | Access | Login | Level | Password | Telnet | SSH | Filter In | Filter Out
VTY 0 - 4 | Yes | Line Password | 1 | CiscoAdmin | No | Yes | 10 |
VTY 5 - 15 | Yes | Line Password | 1 | CiscoAdmin | No | Yes | 10 |

Table 201: SSH administrative line on JED-DC-CORE-SW.catrion.local
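The following Python script is added here as an illustration; it is not part of the Invictux report or of the Nipper tool. It shows why the first check in Table 199 should not be read as cryptographic protection: it classifies each credential line of a Cisco IOS configuration by its storage type and reverses type 7 strings using the fixed key IOS uses for that encoding. The configuration it scans is constructed for the example; the type 8/9 and type 5 hash values are placeholders, and the type 7 string 0822455D0A16 is the widely published encoding of "cisco". Nothing in it is taken from the audited device.

```python
"""Audit credential storage in a Cisco IOS configuration.

Added example for this report (not Invictux/Nipper code). The configuration
at the bottom is constructed; the hashes are placeholders, not real digests.
"""
import re

# The fixed key behind IOS "type 7" encoding. Type 7 is XOR with this string,
# so anyone holding the configuration recovers the password instantly.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 string: two-digit key offset, then hex-encoded XOR bytes."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                 for i, b in enumerate(body)).decode("ascii")


def type7_encode(plain: str, seed: int = 8) -> str:
    """Produce a type 7 string the way IOS does; used here only to build sample config."""
    body = bytes(c ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                 for i, c in enumerate(plain.encode("ascii")))
    return f"{seed:02d}{body.hex().upper()}"


# Credential lines: enable secret/password, username ... secret/password, and
# "password" inside line (con/vty) blocks. The optional digit is the IOS storage type.
_CRED_RE = re.compile(
    r"^\s*(?P<ctx>enable (?:secret|password)"
    r"|username \S+(?: privilege \d+)? (?:secret|password)"
    r"|password)(?: (?P<type>[045789]))? (?P<value>\S+)\s*$"
)

_VERDICT = {
    None: "cleartext (type 0)",
    "0": "cleartext (type 0)",
    "4": "unsalted SHA-256 (type 4, deprecated)",
    "5": "salted MD5-crypt (type 5, legacy)",
    "7": "reversible type 7 encoding, not a hash",
    "8": "PBKDF2-SHA-256 (type 8, acceptable)",
    "9": "scrypt (type 9, acceptable)",
}


def password_encryption_enabled(config: str) -> bool:
    """True when 'service password-encryption' is set (this only yields type 7)."""
    return any(line.strip() == "service password-encryption" for line in config.splitlines())


def audit_credentials(config: str) -> list[dict]:
    """One record per credential line; 'recovered' is the cleartext for type 0/7."""
    records = []
    for number, line in enumerate(config.splitlines(), 1):
        match = _CRED_RE.match(line)
        if not match:
            continue
        ptype, value = match.group("type"), match.group("value")
        recovered = None
        if ptype in (None, "0"):
            recovered = value
        elif ptype == "7":
            recovered = type7_decode(value)
        records.append({"line": number, "context": match.group("ctx"),
                        "type": ptype or "0", "verdict": _VERDICT[ptype],
                        "recovered": recovered})
    return records


def weak_credentials(config: str) -> list[dict]:
    """Entries that fail 'cryptographically protected': recoverable, or type 4."""
    return [r for r in audit_credentials(config)
            if r["recovered"] is not None or r["type"] == "4"]


# Constructed sample; "CiscoAdmin" mirrors the line password shown in Table 201,
# encoded here with the type 7 routine rather than copied from any device.
SAMPLE_CONFIG = f"""\
service password-encryption
enable secret 9 $9$PLACEHOLDERsalt$PLACEHOLDERscryptHashNotARealDigest000000
username netadmin privilege 15 secret 5 $1$PLCH$PlaceholderMd5CryptHash0
username backup password 7 0822455D0A16
line con 0
 password 7 {type7_encode('CiscoAdmin', seed=2)}
 login
line vty 0 15
 password 7 {type7_encode('CiscoAdmin', seed=12)}
 login
 transport input ssh
"""

if __name__ == "__main__":
    print("service password-encryption:", password_encryption_enabled(SAMPLE_CONFIG))
    for rec in audit_credentials(SAMPLE_CONFIG):
        print(f"line {rec['line']:>2}: {rec['context']:<40} {rec['verdict']}"
              + (f"  -> recovered '{rec['recovered']}'" if rec["recovered"] else ""))
```

Run against a real running-config export, weak_credentials() lists exactly the entries an attacker with read access to a backup or TFTP copy would recover. Line passwords have no secret form, so the fix for the VTY lines is login local or an AAA method list backed by username ... secret 9 entries, not a stronger line password.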


IA-5(2)(a)(1) Public Key-Based Authentication INVESTIGATE

DISA STIG Rating

Category: CAT-II

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Investigate)

Control | Defined Testing Requirements | Result Rating
IA-5(2)(a)(1) | a) For public key-based authentication: (1) Enforce authorized access to the corresponding private key | DISA STIG Rating: CAT-II

Table 202: Test Summary IA-5(2)(a)(1)

Description

a) For public key-based authentication:


(1) Enforce authorized access to the corresponding private key

Findings

JED-DC-CORE-SW.catrion.local

Approved CA (AND)
  Description: Invictux examined the device configuration to determine if all configured Public Key Infrastructure (PKI) trustpoint Certificate Authorities (CA) were approved.
  Findings: The following trustpoint CAs were configured on JED-DC-CORE-SW.catrion.local: Trustpoint SLA-TrustPoint (no URL); Trustpoint TP-self-signed-600664820 (no URL).

PKI trustpoint certificate path validation
  Description: Invictux examined the trustpoint configuration to determine if the certificate path was configured with the following validation: Secure Sockets Layer (SSL) client; IPsec client.
  Findings: No trustpoints were configured.

Table 203: Findings for JED-DC-CORE-SW.catrion.local

Both trustpoints listed are created automatically by IOS XE rather than enrolled against an organizational CA: SLA-TrustPoint is generated for Cisco Smart Licensing, and TP-self-signed-<serial> holds the self-signed certificate IOS generates for its own services such as the HTTPS server. Neither offers a certificate path that can be validated, and neither should be counted as an approved CA when the INVESTIGATE result is closed.

IA-5(2)(a)(2) Public Key-Based Authentication FAIL


DISA STIG Rating

Category: CAT-II

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Fail)

Control | Defined Testing Requirements | Result Rating
IA-5(2)(a)(2) | a) For public key-based authentication: (2) Map the authenticated identity to the account of the individual or group | DISA STIG Rating: CAT-II

Table 204: Test Summary IA-5(2)(a)(2)

Description

a) For public key-based authentication:


(2) Map the authenticated identity to the account of the individual or group

Findings

JED-DC-CORE-SW.catrion.local

Check Remote Auth Is Configured
  Description: Invictux examined the device configuration to determine if authentication against a remote authentication system, such as TACACS+, RADIUS or LDAP, was configured.
  Findings: Invictux determined there were no remote authentication systems configured on JED-DC-CORE-SW.catrion.local.

Table 205: Findings for JED-DC-CORE-SW.catrion.local

Without TACACS+ or RADIUS every administrator authenticates with the shared line password shown in Table 201, so no authenticated identity is mapped to an individual account; that is the condition on which this control fails, and it also removes per-user accountability from the device's own logs.

IA-7 Cryptographic Module Authentication

Control

Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive
orders, directives, policies, regulations, standards, and guidelines for such authentication.

Discussion
Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module
and to verify that the operator is authorized to assume the requested role and perform services within that role.

IA-7 Cryptographic Module Authentication FAIL

DISA STIG Rating

Category: CAT-II

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Fail)

Control | Defined Testing Requirements | Result Rating
IA-7 | Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication. | DISA STIG Rating: CAT-II

Table 206: Test Summary IA-7

Description

Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws,
executive orders, directives, policies, regulations, standards, and guidelines for such authentication.

Findings

JED-DC-CORE-SW.catrion.local

Check all BGP neighbors authenticate (AND)
  Description: Invictux examined the device configuration to determine if all BGP neighbors were configured to authenticate.
  Findings: Invictux did not identify any BGP configuration on JED-DC-CORE-SW.catrion.local. Invictux identified no BGP routing on JED-DC-CORE-SW.catrion.local.

Check all EIGRP routing updates are authenticated (AND)
  Description: Invictux examined the device configuration to determine if EIGRP was configured to authenticate all routing updates.
  Findings: Invictux identified that no EIGRP was defined on JED-DC-CORE-SW.catrion.local.

Check IS-IS authentication (AND)
  Description: Invictux examined the device configuration to determine if all IS-IS routing updates were configured to provide authentication.
  Findings: Invictux did not identify any IS-IS configuration on JED-DC-CORE-SW.catrion.local.

Check all OSPF routing interfaces authenticate
  Description: Invictux examined the device configuration to determine if all OSPF routing interfaces were configured to provide authentication. The scope was further limited to those network interfaces with an OSPF routing configuration.
  Findings: Invictux identified the following OSPF routing configuration, applied to network interfaces, on JED-DC-CORE-SW.catrion.local: see Tables 208 to 211, "OSPF authentication on interfaces".

Table 207: Findings for JED-DC-CORE-SW.catrion.local

Each row of the four tables below carries ten values against the twelve column headings of the source table; the rows are reproduced in the order the source gives them.

Interface | Active | Passive | Area | Priority | Type | Auth Mode | SPI | Key | Route Cost | Hello Interval | Dead Interval
Port-channel1 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Port-channel2 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Port-channel3 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Port-channel4 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Port-channel5 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Port-channel6 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Port-channel7 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Port-channel8 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Port-channel9 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Port-channel10 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Port-channel11 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Port-channel12 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Port-channel13 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Port-channel14 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Port-channel15 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Port-channel16 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Port-channel17 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Port-channel18 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Port-channel19 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Port-channel20 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Port-channel21 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Port-channel22 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Port-channel25 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Port-channel26 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Port-channel27 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Port-channel28 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Port-channel30 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Port-channel31 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Port-channel100 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Port-channel101 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds

Table 208: OSPF authentication on interfaces

Interface | Active | Passive | Area | Priority | Type | Auth Mode | SPI | Key | Route Cost | Hello Interval | Dead Interval
TwentyFiveGigE1/0/1 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/2 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/3 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/4 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/5 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/6 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/7 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/8 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/9 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/10 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/11 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/12 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/13 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/14 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/15 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/16 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/17 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/18 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/19 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/20 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/21 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/22 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/23 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/24 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/25 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/26 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/27 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/28 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/29 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/30 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/31 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/32 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/33 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/34 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/35 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/36 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/37 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/38 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/39 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/40 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/41 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/42 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/43 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/44 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/45 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/46 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/47 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE1/0/48 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/1 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/2 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/3 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/4 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/5 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/6 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/7 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/8 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/9 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/10 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/11 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/12 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/13 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/14 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/15 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/16 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/17 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/18 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/19 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/20 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/21 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/22 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/23 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/24 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/25 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/26 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/27 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/28 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/29 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/30 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/31 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/32 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/33 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/34 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/35 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/36 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/37 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/38 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/39 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/40 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/41 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/42 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/43 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/44 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/45 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/46 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/47 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
TwentyFiveGigE2/0/48 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds

Table 209: OSPF authentication on interfaces

Interface | Active | Passive | Area | Priority | Type | Auth Mode | SPI | Key | Route Cost | Hello Interval | Dead Interval
HundredGigE1/0/49 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
HundredGigE1/0/50 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
HundredGigE1/0/51 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
HundredGigE1/0/52 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
HundredGigE2/0/49 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
HundredGigE2/0/50 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
HundredGigE2/0/51 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
HundredGigE2/0/52 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds

Table 210: OSPF authentication on interfaces

Interface | Active | Passive | Area | Priority | Type | Auth Mode | SPI | Key | Route Cost | Hello Interval | Dead Interval
Vlan1 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Vlan2 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Vlan99 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Vlan106 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Vlan276 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Vlan302 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Vlan306 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Vlan308 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Vlan310 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Vlan312 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Vlan313 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Vlan314 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Vlan316 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Vlan317 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Vlan728 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Vlan729 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 10 seconds | 40 seconds
Vlan730 | Yes | Yes | 1 | Broadcast | None | N/A | Default | 10 seconds | 40 seconds
Vlan1800 | Yes | Yes | 1 | Point to Point | None | N/A | Default | 10 seconds | 40 seconds
Vlan874 | Yes | No | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Vlan870 | Yes | No | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds
Vlan862 | Yes | No | 1 | Broadcast | None | N/A | Default | 0 seconds | 0 seconds

Table 211: OSPF authentication on interfaces

Authentication mode is None on every interface listed, so the OSPF check fails across the board, but the exposure is not uniform. OSPF forms adjacencies only on interfaces that are not passive, which in Table 211 are Vlan874, Vlan870 and Vlan862; those three are where a rogue neighbour could inject routes and should be the first to receive authentication. Passive interfaces are advertised into OSPF but neither send nor accept hellos, and Layer 2 switched ports and port-channels without an IP address do not take part in OSPF at all, so the set of interfaces that actually run the protocol should be confirmed with show ip ospf interface brief before remediation is scoped. A hello or dead interval of 0 seconds in these tables reflects the absence of an explicit setting rather than a real timer; the IOS defaults on broadcast and point-to-point networks are 10 and 40 seconds. Recent IOS XE releases support OSPF authentication through a key chain with an HMAC-SHA algorithm (ip ospf authentication key-chain), which satisfies the FIPS 198-1 HMAC requirement that MD5 does not.
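The following Python script is an added example, not part of the Invictux report or the Nipper tool. It reads a Cisco IOS configuration, works out which interfaces run OSPF (from interface-mode ip ospf ... area statements or from the network statements under router ospf), applies the passive-interface logic, classifies the authentication on each, and lists the interfaces on which an unauthenticated adjacency can form. It also emits the key-chain configuration that would close the finding. The configuration it parses is constructed: the interface names echo Table 211, but the addresses, process ID, area and network statements are assumptions, and the key-chain command set assumes an IOS XE release that supports ip ospf authentication key-chain.

```python
"""Which OSPF interfaces can form an unauthenticated adjacency?

Added example for this report (not Invictux/Nipper code). The configuration
is constructed: interface names echo the report, but the addresses, process
ID, area and network statements are assumptions.
"""
import ipaddress
import re

STRONG_ALGOS = {"hmac-sha-256", "hmac-sha-384", "hmac-sha-512"}  # FIPS 198-1 HMACs


def parse_blocks(config: str) -> dict[str, list[str]]:
    """Group indented lines under their unindented IOS section header."""
    blocks: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def wildcard_to_network(address: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS 'network A W' uses an inverse mask; convert it to a prefix."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(f"{address}/{ipaddress.IPv4Address(mask)}", strict=False)


def ospf_interfaces(config: str) -> dict[str, dict]:
    """Map each OSPF-enabled, non-shutdown interface to its area, passive
    state and authentication mode ('none', 'simple', 'md5' or 'hmac-sha')."""
    blocks = parse_blocks(config)
    proc = next((h for h in blocks if h.startswith("router ospf ")), None)
    if proc is None:
        return {}
    rlines = blocks[proc]
    networks = []
    for l in rlines:
        m = re.fullmatch(r"network (\S+) (\S+) area (\S+)", l)
        if m:
            networks.append((wildcard_to_network(m.group(1), m.group(2)), m.group(3)))
    passive_default = "passive-interface default" in rlines
    passive_on = {l.split()[-1] for l in rlines
                  if l.startswith("passive-interface ") and l != "passive-interface default"}
    passive_off = {l.split()[-1] for l in rlines if l.startswith("no passive-interface ")}
    area_md5 = {l.split()[1] for l in rlines if re.fullmatch(r"area \S+ authentication message-digest", l)}
    area_simple = {l.split()[1] for l in rlines if re.fullmatch(r"area \S+ authentication", l)}

    result = {}
    for header, lines in blocks.items():
        if not header.startswith("interface ") or "shutdown" in lines:
            continue
        name = header.split(None, 1)[1]
        area = None
        for l in lines:                              # interface-mode enablement wins
            m = re.fullmatch(r"ip ospf \d+ area (\S+)", l)
            if m:
                area = m.group(1)
        addr = next((l.split()[2] for l in lines if l.startswith("ip address ")), None)
        if area is None and addr:                    # otherwise match the network statements
            for net, net_area in networks:
                if ipaddress.IPv4Address(addr) in net:
                    area = net_area
                    break
        if area is None:
            continue                                 # interface does not run OSPF
        passive = name in passive_on or (passive_default and name not in passive_off)
        chain = next((l.split()[-1] for l in lines
                      if l.startswith("ip ospf authentication key-chain ")), None)
        if chain:
            algos = {l.split()[-1] for l in blocks.get(f"key chain {chain}", [])
                     if l.startswith("cryptographic-algorithm ")}
            auth = "hmac-sha" if algos and algos <= STRONG_ALGOS else "md5"  # no algorithm means MD5
        elif "ip ospf authentication message-digest" in lines or area in area_md5:
            auth = "md5"
        elif "ip ospf authentication" in lines or area in area_simple:
            auth = "simple"
        else:
            auth = "none"
        result[name] = {"area": area, "passive": passive, "auth": auth}
    return result


def exposed_adjacencies(config: str) -> list[str]:
    """Interfaces that exchange hellos without HMAC-SHA keyed authentication."""
    return sorted(n for n, d in ospf_interfaces(config).items()
                  if not d["passive"] and d["auth"] != "hmac-sha")


def remediation(interfaces: list[str], chain: str = "OSPF-KEYS") -> str:
    """IOS XE configuration applying HMAC-SHA-256 (RFC 5709) OSPF authentication."""
    cfg = [f"key chain {chain}", " key 1", "  key-string <site-specific-secret>",
           "  cryptographic-algorithm hmac-sha-256"]
    for name in interfaces:
        cfg += [f"interface {name}", f" ip ospf authentication key-chain {chain}"]
    return "\n".join(cfg)


SAMPLE_CONFIG = """\
key chain OSPF-KEYS
 key 1
  key-string ExampleOnlyNotASecret
  cryptographic-algorithm hmac-sha-256
interface Vlan2
 ip address 192.168.102.10 255.255.255.0
interface Vlan862
 ip address 10.50.3.1 255.255.255.252
interface Vlan870
 ip address 10.50.3.5 255.255.255.252
 ip ospf authentication key-chain OSPF-KEYS
interface Vlan874
 ip address 10.50.3.9 255.255.255.252
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 ExampleOnly
interface Vlan1800
 ip address 10.50.2.221 255.255.255.252
 ip ospf network point-to-point
interface Vlan99
 ip address 192.168.99.101 255.255.255.0
 shutdown
router ospf 1
 passive-interface default
 no passive-interface Vlan862
 no passive-interface Vlan870
 no passive-interface Vlan874
 network 10.50.0.0 0.0.255.255 area 1
 network 192.168.0.0 0.0.255.255 area 1
"""

if __name__ == "__main__":
    exposed = exposed_adjacencies(SAMPLE_CONFIG)
    print("unauthenticated or MD5-only adjacencies:", exposed)
    print(remediation(exposed))
```

In the constructed configuration Vlan870 already uses an HMAC-SHA-256 key chain and is not reported, Vlan874 is reported because MD5 is not a FIPS 198-1 HMAC, and Vlan862 is reported as wholly unauthenticated; passive SVIs such as Vlan2 and Vlan1800 are listed by ospf_interfaces() but excluded from the remediation set because they never exchange hellos.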


IA-11 Re-authentication

Control

Require users to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication].

Discussion

In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of
individuals in certain situations, including when roles, authenticators or credentials change, when security categories of systems
change, when the execution of privileged functions occurs, after a fixed time period, or periodically.

IA-11 Re-authentication PASS

DISA STIG Rating

Category: CAT-II

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Pass)

Control | Defined Testing Requirements | Result Rating
IA-11 | Require users to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication]. | DISA STIG Rating: CAT-II

Table 212: Test Summary IA-11

Description

Require users to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication].

Findings

JED-DC-CORE-SW.catrion.local

Check IPsec Phase-1 lifetime
  Description: Invictux examined the device configuration to determine if IPsec phase-1 had been configured to expire the negotiated encryption keys no later than 1440 minutes.
  Findings: Invictux did not identify any IPsec phase-1 configuration on JED-DC-CORE-SW.catrion.local.

Table 213: Findings for JED-DC-CORE-SW.catrion.local

This PASS records the absence of IPsec on the device rather than a configured re-authentication mechanism; the only check mapped to the control had nothing to evaluate.

Maintenance (MA)

MA-4 Nonlocal Maintenance

Control

(a) Approve and monitor nonlocal maintenance and diagnostic activities;


(b) Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in
the security plan for the system;
(c) Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions;
(d) Maintain records for nonlocal maintenance and diagnostic activities; and
(e) Terminate session and network connections when nonlocal maintenance is completed.

Discussion

Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or
internal network. Local maintenance and diagnostic activities are carried out by individuals who are physically present at the
system location and not communicating across a network connection. Authentication techniques used to establish nonlocal
maintenance and diagnostic sessions reflect the network access requirements in IA-2. Strong authentication requires
authenticators that are resistant to replay attacks and employ multi-factor authentication. Strong authenticators include PKI where
certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is
accomplished, in part, by other controls. SP 800-63B provides additional guidance on strong authentication and authenticators.

MA-4(e) Terminate session & network connections when nonlocal maintenance is complete PASS

DISA STIG Rating

Category: CAT-II

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Pass)

Control | Defined Testing Requirements | Result Rating
MA-4(e) | Terminate session and network connections when nonlocal maintenance is completed | DISA STIG Rating: CAT-II

Table 214: Test Summary MA-4(e)


Description

Terminate session and network connections when nonlocal maintenance is completed

Findings

JED-DC-CORE-SW.catrion.local

Check that SSH Keep Alives are enabled
  Description: Invictux examined the device configuration to determine if the SSH service keep alives option was enabled.
  Findings: Invictux determined that the SSH service was disabled on JED-DC-CORE-SW.catrion.local. The SSH service is configured on administrative lines on Cisco Catalyst Switch devices. The following table describes those lines. See Table: "SSH administrative line on JED-DC-CORE-SW.catrion.local"

Table 215: Findings for JED-DC-CORE-SW.catr ion.local

Line | Access | Login | Level | Password | Telnet | SSH | Filter In | Filter Out
VTY 0 - 4 | Yes | Line Password | 1 | CiscoAdmin | No | Yes | 10 |
VTY 5 - 15 | Yes | Line Password | 1 | CiscoAdmin | No | Yes | 10 |

Table 216: SSH administrative line on JED-DC-CORE-SW.catrion.local

MA-4(6) Cryptographic Protection INVESTIGATE

DISA STIG Rating

Category: CAT-I

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Investigate)

Control | Defined Testing Requirements | Result Rating
MA-4(6) | Implement the following cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications: [Assignment: organization-defined cryptographic mechanisms]. | DISA STIG Rating: CAT-I

Table 217: Test Summary MA-4(6)

Description
Implement the following cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and
diagnostic communications: [Assignment: organization-defined cryptographic mechanisms].

Discussion

Failure to protect nonlocal maintenance and diagnostic communications can result in unauthorized individuals gaining access
to organizational information. Unauthorized access during remote maintenance sessions can result in a variety of hostile
actions, including malicious code insertion, unauthorized changes to system parameters, and exfiltration of organizational
information. Such actions can result in the loss or degradation of mission or business capabilities.

Findings

JED-DC-CORE-SW.catrion.local

Telnet Disabled (AND)
  Description: Invictux examined the device configuration to determine if the Telnet service had been disabled.
  Findings: Invictux determined that the Telnet service was disabled on JED-DC-CORE-SW.catrion.local. The Telnet service is configured on administrative lines on Cisco Catalyst Switch devices. The following table describes those lines. See Table: "Telnet administrative line on JED-DC-CORE-SW.catrion.local"

Check HTTP Server Disabled (AND)
  Description: Invictux examined the device configuration to determine if the clear-text administrative HTTP server was disabled.
  Findings: See Table: "Web-based administration service settings"

Check SSH Server FIPS 140-2 Encryption Configured (AND)
  Description: Invictux examined the device configuration to determine if the SSH server was configured to use only FIPS 140-2 encryption.
  Findings: Invictux determined that the SSH service was disabled on JED-DC-CORE-SW.catrion.local. The SSH service is configured on administrative lines on Cisco Catalyst Switch devices. The following table describes those lines. See Table: "SSH administrative line on JED-DC-CORE-SW.catrion.local". Invictux determined that the SSH service was configured to only use version 2 of the protocol on JED-DC-CORE-SW.catrion.local.

Check HTTPS FIPS Ciphers (AND)
  Description: Invictux examined the device configuration to determine if the HTTPS server encryption ciphers were FIPS compliant.
  Findings: See Table: "Web-based administration service settings"

Check SNMP FIPS Encryption Configured (AND)
  Description: Invictux examined the device configuration to determine if SNMP was configured to use only FIPS 140-2 encryption.
  Findings: Invictux determined that no SNMP community strings were defined on JED-DC-CORE-SW.catrion.local. Invictux determined that SNMP versions 1/2c were disabled on JED-DC-CORE-SW.catrion.local.

Check User FIPS Authentication Configured (AND)
  Description: Invictux examined the device configuration to determine if SNMP users were configured to use only FIPS 140-2 authentication hashes.
  Findings: Invictux was unable to automate this check.

Check User FIPS Privacy Configured
  Description: Invictux examined the device configuration to determine if SNMP users were configured to use only FIPS 140-2 privacy encryption algorithms.
  Findings: Invictux was unable to automate this check.

Table 218: Findings for JED-DC-CORE-SW.catrion.local

The INVESTIGATE result rests on the two SNMPv3 checks that could not be automated. Closing it means confirming from show snmp user that every SNMPv3 user is configured with SHA-based authentication and AES privacy, and confirming that the SSH MAC and cipher lists are restricted to FIPS-approved algorithms (ip ssh server algorithm mac and ip ssh server algorithm encryption), since the SSH finding above only establishes that protocol version 2 is enforced.

Line | Access | Login | Level | Password | Telnet | SSH | Filter In | Filter Out
VTY 0 - 4 | Yes | Line Password | 1 | CiscoAdmin | No | Yes | 10 |
VTY 5 - 15 | Yes | Line Password | 1 | CiscoAdmin | No | Yes | 10 |

Table 219: Telnet administrative line on JED-DC-CORE-SW.catrion.local

Description Value

Web Administration Service (HTTP) Disabled

HTTP TCP Port 80

Web Administration Service (IPv6 HTTP) Disabled

IPv6 HTTP TCP Port 80

Table 220: Web-based administration service settings

Line | Access | Login | Level | Password | Telnet | SSH | Filter In | Filter Out
VTY 0 - 4 | Yes | Line Password | 1 | CiscoAdmin | No | Yes | 10 |
VTY 5 - 15 | Yes | Line Password | 1 | CiscoAdmin | No | Yes | 10 |

Table 221: SSH administrative line on JED-DC-CORE-SW.catrion.local

Description Value

Web Administration Service (HTTPS) Disabled

HTTPS TCP Port 443

Web Administration Service (IPv6 HTTPS) Disabled

IPv6 HTTPS TCP Port 443

Table 222: Web-based administration service settings
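The following Python script is an added example and is not part of the Invictux report or the Nipper tool. It evaluates the management-plane settings that Tables 218 to 222 cover against a target state: SSH protocol version, the MAC and cipher lists the SSH server is allowed to negotiate, TCP keepalives, and for each VTY range the transport, login method and inbound access-class. Both configurations it checks are constructed: BASELINE mirrors what Tables 218 and 221 describe for the device, HARDENED is the target; the access list number 10 and the AAA method list name MGMT are assumptions, and the ip ssh server algorithm commands assume an IOS XE release that supports them.

```python
"""Management-plane transport checks for a Cisco IOS VTY configuration.

Added example for this report (not Invictux/Nipper code). Both configurations
are constructed: BASELINE mirrors what Tables 218 and 221 describe, HARDENED
is the target state. ACL 10 and the AAA method list name are assumptions.
"""

# FIPS 198-1 HMACs as IOS names them; HMAC-SHA-1 remains approved, SHA-2 is preferred.
FIPS_MACS = {"hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"}
# FIPS 140-2 approved AES modes; CBC modes and 3des-cbc are deliberately left out.
FIPS_CIPHERS = {"aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm", "aes256-gcm"}


def parse_vty_lines(config: str) -> list[dict]:
    """Collect transport, login method, timeout and inbound ACL per 'line vty' block."""
    vtys, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            # exec-timeout defaults to 10 minutes; transport stays None when not set explicitly.
            current = {"line": raw.strip(), "transport": None, "login": "none",
                       "exec_timeout": "10 0", "access_class": None}
            vtys.append(current)
        elif raw.startswith(" ") and current is not None:
            s = raw.strip()
            if s.startswith("transport input "):
                current["transport"] = s.split(None, 2)[2]
            elif s == "login":
                current["login"] = "line password"
            elif s == "login local":
                current["login"] = "local usernames"
            elif s.startswith("login authentication "):
                current["login"] = "aaa:" + s.split()[-1]
            elif s.startswith("exec-timeout "):
                current["exec_timeout"] = s.split(None, 1)[1]
            elif s.startswith("access-class ") and s.endswith(" in"):
                current["access_class"] = s.split()[1]
        else:
            current = None
    return vtys


def audit_management_plane(config: str) -> dict:
    """Return the SSH settings found and the list of deviations from the target state."""
    top = [l.strip() for l in config.splitlines() if l and not l.startswith(" ")]
    ssh_version = next((l.split()[-1] for l in top if l.startswith("ip ssh version ")), None)
    macs, ciphers = set(), set()
    for l in top:
        if l.startswith("ip ssh server algorithm mac "):
            macs |= set(l.split()[5:])
        elif l.startswith("ip ssh server algorithm encryption "):
            ciphers |= set(l.split()[5:])
    issues = []
    if ssh_version != "2":
        issues.append("ip ssh version 2 not configured")
    if not macs:
        issues.append("SSH MAC list not restricted (ip ssh server algorithm mac)")
    elif macs - FIPS_MACS:
        issues.append(f"non-FIPS SSH MACs allowed: {sorted(macs - FIPS_MACS)}")
    if not ciphers:
        issues.append("SSH cipher list not restricted (ip ssh server algorithm encryption)")
    elif ciphers - FIPS_CIPHERS:
        issues.append(f"non-FIPS SSH ciphers allowed: {sorted(ciphers - FIPS_CIPHERS)}")
    if "service tcp-keepalives-in" not in top:
        issues.append("service tcp-keepalives-in missing: dead SSH sessions are not torn down")
    vtys = parse_vty_lines(config)
    for v in vtys:
        if v["transport"] != "ssh":
            issues.append(f"{v['line']}: transport input is {v['transport'] or 'platform default'}, not ssh")
        if not v["login"].startswith("aaa:"):
            issues.append(f"{v['line']}: login via {v['login']} rather than AAA")
        if v["access_class"] is None:
            issues.append(f"{v['line']}: no inbound access-class")
    return {"ssh_version": ssh_version, "macs": macs, "ciphers": ciphers,
            "vty": vtys, "issues": issues}


BASELINE = """\
ip ssh version 2
line vty 0 4
 access-class 10 in
 password 7 0822455D0A16
 login
 transport input ssh
line vty 5 15
 access-class 10 in
 password 7 0822455D0A16
 login
 transport input ssh
"""

HARDENED = """\
service tcp-keepalives-in
aaa new-model
aaa authentication login MGMT group tacacs+ local
ip ssh version 2
ip ssh server algorithm mac hmac-sha2-256 hmac-sha2-512
ip ssh server algorithm encryption aes256-gcm aes256-ctr aes128-ctr
line vty 0 15
 access-class 10 in
 exec-timeout 10 0
 login authentication MGMT
 transport input ssh
"""

if __name__ == "__main__":
    for name, cfg in (("baseline", BASELINE), ("hardened", HARDENED)):
        print(name + ":", audit_management_plane(cfg)["issues"] or "no issues")
```

The baseline passes the Telnet and protocol-version checks that the report also passes, and fails on exactly the points the report leaves open: no restriction on SSH MACs or ciphers, no TCP keepalives, and line-password login on both VTY ranges. The hardened configuration reports no issues.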

System and Communications Protection (SC)


SC-5 Denial-of-service Protection

Control

(a) [Selection: protect against; limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events]; and
(b) Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event].

Discussion

Denial-of-service events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack
of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide
range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and
effects of denial-of-service events. For example, boundary protection devices can filter certain types of packets to protect
system components on internal networks from being directly affected by or the source of denial-of-service attacks. Employing
increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial-of-
service events.

SC-5 Denial-of-service Protection INVESTIGATE

DISA STIG Rating

Category: CAT-I

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Investigate)

Control | Defined Testing Requirements | Result Rating
SC-5 | Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding denial-of-service attacks. | DISA STIG Rating: CAT-I

Table 223: Test Summary SC-5

Description

Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding denial-of-service attacks.

Discussion

Managing capacity ensures that sufficient capacity is available to counter flooding attacks. Managing capacity includes
establishing selected usage priorities, quotas, partitioning, or load balancing.
Findings

JED-DC-CORE-SW.catrion.local

Check PIM register rate limit (OR)
  Description: Invictux examined the device configuration to determine if the device was configured to rate limit PIM register messages.
  Findings: There was no PIM configuration identified on JED-DC-CORE-SW.catrion.local.

Check PIM SPT Threshold Configuration (OR)
  Description: Invictux examined the device configuration to determine that the PIM SPT threshold has been configured.
  Findings: There was no PIM configuration identified on JED-DC-CORE-SW.catrion.local.

Check setting value (OR)
  Description: Determine that "" matches "".
  Findings: This check returned an error.

Gratuitous ARP Disabled (OR)
  Description: Invictux examined the device configuration to determine if the sending of Gratuitous Address Resolution Protocol (ARP) packets had been disabled.
  Findings: Invictux determined that the sending of Gratuitous ARP packets was unknown on JED-DC-CORE-SW.catrion.local.

Check IP Unreachables don't fragment rate limit (OR)
  Description: Invictux examined the device configuration to determine if the Internet Control Message Protocol (ICMP) IP unreachables option had been rate limited at 1 packet per 0 milliseconds.
  Findings: Invictux determined that JED-DC-CORE-SW.catrion.local was configured to limit the ICMP IP don't fragment packets to 1 every 500 ms.

Check IP Unreachables rate limit (OR)
  Description: Invictux examined the device configuration to determine if the ICMP IP unreachables option had been rate limited at 1 packet per 0 milliseconds.
  Findings: Invictux determined that JED-DC-CORE-SW.catrion.local was configured to limit the ICMP IP packets to 1 every 500 ms.

No IP Mask Reply (OR)
  Description: Invictux examined the device configuration to determine if ICMP IP Mask Reply had been disabled.
  Findings: Invictux determined that JED-DC-CORE-SW.catrion.local was configured to not send ICMP IP Mask Reply messages. See Table: "Interfaces with ICMP IP Mask Reply disabled"

No IP Redirects (OR)
  Description: Invictux examined the device configuration to determine if ICMP IP Redirects had been disabled.
  Findings: Invictux determined that JED-DC-CORE-SW.catrion.local was configured to send ICMP IP Redirects messages. See Table: "Interfaces with ICMP IP Redirects enabled"

No IP Unreachables (OR)
  Description: Invictux examined the device configuration to determine if IP Unreachables had been disabled.
  Findings: Invictux determined that JED-DC-CORE-SW.catrion.local was configured to send ICMP IP Unreachables messages. See Table: "Interfaces with ICMP IP Unreachables enabled"

No IP Directed Broadcasts (OR)
  Description: Invictux examined the device configuration to determine if IPv4 Directed Broadcasts had been disabled.
  Findings: Invictux determined that JED-DC-CORE-SW.catrion.local was configured to disable IP Directed Broadcasts. See Table: "Interfaces with IP Directed Broadcasts disabled"

Check BGP Neighbor Maximum Prefix (OR)
  Description: Invictux examined the device configuration to determine if routing updates from BGP neighbors had a configured maximum prefix limit.
  Findings: Invictux did not identify any BGP configuration on JED-DC-CORE-SW.catrion.local.

Check BGP Neighbors Minimum Prefix CIDR (OR)
  Description: Invictux examined the device configuration to determine if the prefix list entries allowed only a CIDR of 24 or more.
  Findings: Invictux did not identify any BGP configuration on JED-DC-CORE-SW.catrion.local.

Check BGP Neighbor TTL
  Description: Invictux examined the device configuration to determine if BGP neighbors had a configured maximum Time To Live (TTL) value.
  Findings: Invictux did not identify any BGP configuration on JED-DC-CORE-SW.catrion.local.

Table 224: Findings for JED-DC-CORE-SW.catrion.local

Three of these results need manual follow-up. The "Check setting value" check returned a tool error and the Gratuitous ARP state could not be determined, so neither should be counted either way until confirmed on the device. The ICMP rate limit of one unreachable per 500 ms is the IOS default (ip icmp rate-limit unreachable) rather than deliberate hardening, so it should not be cited as evidence of a DoS mitigation. ICMP redirects and unreachables remain enabled on every SVI in Table 225; applying no ip redirects and no ip unreachables to those interfaces would close the two failing checks and removes two ways for a host on the VLAN to elicit control-plane traffic from the switch.

Interface Active Address Unreachables Redirects Mask Reply Info Reply

Vlan2 Yes 192.168.102.10 On On Off Off

Vlan99 Yes 192.168.99.101 On On Off Off

Vlan106 Yes 10.240.16.10 On On Off Off

Vlan276 Yes 10.240.176.10 On On Off Off

Vlan302 Yes 10.10.102.10 On On Off Off

Vlan306 Yes 10.10.105.10 On On Off Off

Vlan308 Yes 10.10.107.10 On On Off Off

Vlan310 Yes 10.10.109.10 On On Off Off

Vlan312 Yes 10.10.12.10 On On Off Off

Vlan313 Yes 10.10.100.10 On On Off Off

Vlan314 Yes 10.10.20.10 On On Off Off

Vlan317 Yes 10.10.152.10 On On Off Off

Vlan728 Yes 10.50.0.1 On On Off Off

Vlan729 Yes 10.50.0.117 On On Off Off

Vlan730 Yes 10.50.0.121 On On Off Off

Vlan1800 Yes 10.50.2.221 On On Off Off


Table 225: Interfaces with ICMP IP Mask Reply disabled

Interface Active Address Unreachables Redirects Mask Reply Info Reply

Vlan2 Yes 192.168.102.10 On On Off Off

Vlan99 Yes 192.168.99.101 On On Off Off

Vlan106 Yes 10.240.16.10 On On Off Off

Vlan276 Yes 10.240.176.10 On On Off Off

Vlan302 Yes 10.10.102.10 On On Off Off

Vlan306 Yes 10.10.105.10 On On Off Off

Vlan308 Yes 10.10.107.10 On On Off Off

Vlan310 Yes 10.10.109.10 On On Off Off

Vlan312 Yes 10.10.12.10 On On Off Off

Vlan313 Yes 10.10.100.10 On On Off Off

Vlan314 Yes 10.10.20.10 On On Off Off

Vlan317 Yes 10.10.152.10 On On Off Off

Vlan728 Yes 10.50.0.1 On On Off Off

Vlan729 Yes 10.50.0.117 On On Off Off

Vlan730 Yes 10.50.0.121 On On Off Off

Vlan1800 Yes 10.50.2.221 On On Off Off

Table 226: Interfaces with ICMP IP Redirects enabled

Interface Active Address Unreachables Redirects Mask Reply Info Reply

Vlan2 Yes 192.168.102.10 On On Off Off

Vlan99 Yes 192.168.99.101 On On Off Off

Vlan106 Yes 10.240.16.10 On On Off Off

Vlan276 Yes 10.240.176.10 On On Off Off

Vlan302 Yes 10.10.102.10 On On Off Off

Vlan306 Yes 10.10.105.10 On On Off Off

Vlan308 Yes 10.10.107.10 On On Off Off

Vlan310 Yes 10.10.109.10 On On Off Off

Vlan312 Yes 10.10.12.10 On On Off Off

Vlan313 Yes 10.10.100.10 On On Off Off

Vlan314 Yes 10.10.20.10 On On Off Off

Vlan317 Yes 10.10.152.10 On On Off Off

Vlan728 Yes 10.50.0.1 On On Off Off

Vlan729 Yes 10.50.0.117 On On Off Off

Vlan730 Yes 10.50.0.121 On On Off Off

Vlan1800 Yes 10.50.2.221 On On Off Off

Table 227: Interfaces with ICMP IP Unreachables enabled

Interface Active Address Proxy-ARP Directed ACL In ACL Out

Vlan2 Yes 192.168.102.10 On Off

Vlan99 Yes 192.168.99.101 On Off

Vlan106 Yes 10.240.16.10 On Off

Vlan276 Yes 10.240.176.10 On Off

Vlan302 Yes 10.10.102.10 On Off

Vlan306 Yes 10.10.105.10 On Off

Vlan308 Yes 10.10.107.10 On Off

Vlan310 Yes 10.10.109.10 On Off

Vlan312 Yes 10.10.12.10 On Off

Vlan313 Yes 10.10.100.10 On Off

Vlan314 Yes 10.10.20.10 On Off

Vlan317 Yes 10.10.152.10 On Off

Vlan728 Yes 10.50.0.1 On Off

Vlan729 Yes 10.50.0.117 On Off

Vlan730 Yes 10.50.0.121 On Off

Vlan1800 Yes 10.50.2.221 On Off

Table 228: Interfaces with IP Directed Broadcasts disabled

SC-5 (2) Capacity, Bandwidth, and Redundancy PASS

DISA STIG Rating

Category: CAT-II

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Pass)

Control Defined Testing Requirements Result Rating

SC-5 (2) No Test Description DISA STIG Rating : CAT-II

Table 229: Test Summary SC-5 (2)


Findings

JED-DC-CORE-SW.catrion.local

Check Description Findings Result

Check: Check MPLS traffic engine tunnel signaling is enabled
Description: Invictux examined the device configuration to determine if MPLS traffic engine tunnel signaling had been enabled.
Findings: Invictux determined that MPLS was not configured on JED-DC-CORE-SW.catrion.local.
Result: OR

Check: Check QoS RSVP Signaling Rate Limit
Description: Invictux examined the device configuration to determine if Quality of Service (QoS) RSVP signaling rate limiting had been configured.
Findings: Invictux determined that QoS RSVP signaling rate limits were configured on JED-DC-CORE-SW.catrion.local as follows: See Table: "QoS RSVP signaling rate limits"
Result: OR

Check: Check QoS is enabled device-wide
Description: Invictux examined the device configuration to determine if QoS had been enabled device-wide.
Findings: Invictux determined that QoS was disabled device-wide on JED-DC-CORE-SW.catrion.local.
Result:

Table 230: Findings for JED-DC-CORE-SW.catrion.local

Description Value

Signaling Rate Limit - Burst Rate (Max Messages Per Interval) 8

Signaling Rate Limit - Message Queue Limit 37

Signaling Rate Limit - Max Queue Size 2 KiB

Signaling Rate Limit - Time Interval 20ms

Table 231: QoS RSVP signaling rate limits

SC-7 Boundary Protection

Control

(a) Monitor and control communications at the external managed interfaces to the system and at key internal managed
interfaces within the system;
(b) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal
organizational networks; and
(c) Connect to external networks or systems only through managed interfaces consisting of boundary protection devices
arranged in accordance with an organizational security and privacy architecture.

Discussion
Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems,
or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from
internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational
systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external
traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external
addresses. Commercial telecommunications services are provided by network components and consolidated management
systems shared by customers. These services may also include third party-provided access lines and other service elements.
Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be
implemented as a common control for all or part of an organizational network such that the boundary to be protected is
greater than a system-specific boundary (i.e., an authorization boundary).

SC-7 (a) Monitor & control communications at the external managed interfaces FAIL

DISA STIG Rating

Category: CAT-II

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Fail)

Control Defined Testing Requirements Result Rating

SC-7 (a) No Test Description DISA STIG Rating : CAT-II

Table 232: Test Summary SC-7 (a)

Findings

JED-DC-CORE-SW.catrion.local

Check Description Findings Result

Check: Check network interfaces have filtering configured
Description: Invictux examined the device configuration to determine if inbound filtering had been configured. The scope of this check was restricted to those Open Systems Interconnection (OSI) layer 3 interfaces classified as: * external; * DMZ; * guest; * partner; * remote.
Findings: See Table: "Network interfaces with inadequate filtering assigned"
Result:

Table 233: Findings for JED-DC-CORE-SW.catrion.local

Interface Class Active Unsecure Address Filtering Description
Vlan1 None Yes N/A
Vlan2 None Yes N/A 192.168.102.10 --- Network-102 ---
Vlan99 None Yes N/A 192.168.99.101 --- Network-99 ---
Vlan106 None Yes N/A 10.240.16.10
Vlan276 None Yes N/A 10.240.176.10 --- LAN-276-Infra-ArubaNetwork ---
Vlan302 None Yes N/A 10.10.102.10 --- WiFi_SACC_IPPhone ---
Vlan306 None Yes N/A 10.10.105.10 --- WiFi_SACC_CEO ---
Vlan308 None Yes N/A 10.10.107.10 --- WiFi_SACC_Executives ---
Vlan310 None Yes N/A 10.10.109.10 --- WiFi_SACC_System ---
Vlan312 None Yes N/A 10.10.12.10 --- WiFi_SACC_Guest ---
Vlan313 None Yes N/A 10.10.100.10 --- WiFi_SACC_IT-VIPGuest ---
Vlan314 None Yes N/A 10.10.20.10 --- WiFi_Alfursan ---
Vlan316 None Yes N/A --- WiFi_Airfi ---
Vlan317 None Yes N/A 10.10.152.10 --- Wifi_TMS ---
Vlan728 None Yes N/A 10.50.0.1
Vlan729 None Yes N/A 10.50.0.117 ---Point to Point to Primary-FW-for-USER-VRF ---
Vlan730 None Yes N/A 10.50.0.121 ---Point to Point to Primary-FW-for-WIFI-VRF ---
Vlan1800 None Yes N/A 10.50.2.221 ---Point to Point to Distribution-SW-for-USER-VRF ---
Vlan874 None Yes N/A
Vlan870 None Yes N/A
Vlan862 None Yes N/A

Table 234: Network interfaces with inadequate filtering assigned

SC-7(5) Deny By Default — Allow By Exception INVESTIGATE

DISA STIG Rating

Category: CAT-I

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Investigate)


Control Defined Testing Requirements Result Rating

SC-7(5) No Test Description DISA STIG Rating : CAT-I

Table 235: Test Summary SC-7(5)

Findings

JED-DC-CORE-SW.catrion.local

Check Description Findings Result

Check: Check filtering on network interfaces
Description:
Findings: This check returned an error.
Result: AND

Check: Check network interfaces have filtering configured
Description: Invictux examined the device configuration to determine if inbound and outbound filtering had been configured.
Findings: See Table: "Network interfaces with inadequate filtering assigned"
Result:

Table 236: Findings for JED-DC-CORE-SW.catrion.local

Interface Class Active Unsecure Address Filtering Description
Port-channel1 None Yes Unknown --- Uplink Port - Sophos Perimeter FW1 ---
Port-channel2 None Yes Unknown --- Uplink Port - Sophos Perimeter FW2 ---
Port-channel3 None Yes Unknown --- Uplink Port - Sophos B2B (XGS 2100) FW1 ---
Port-channel4 None Yes Unknown --- Uplink Port - Sophos B2B (XGS 2100) FW2 ---
Port-channel5 None Yes Unknown --- Uplink Port - Sophos Primary FW1 XGS 4500 ---
Port-channel6 None Yes Unknown --- Uplink Port - Sophos Primary FW1 XGS 4500 ---
Port-channel7 None Yes Unknown --- Uplink Port - Sophos Primary FW2 XGS 4500 ---
Port-channel8 None Yes Unknown --- Uplink Port - Sophos Primary FW2 XGS 4500 ---
Port-channel9 None Yes Unknown --- Uplink Port - Sophos B2B (XGS 2100) FW1 ---
Port-channel10 None Yes Unknown --- Uplink Port - Sophos B2B (XGS 2100) FW2 ---
Port-channel11 None Yes Unknown --- Connected to NAC-EM-(Enterprise-Manager) ---
Port-channel12 None Yes Unknown --- Connected to nac-jed-SPAN ---
Port-channel13 None Yes Unknown --- Connected to nac-jed ---
Port-channel14 None Yes Unknown --- Connected to LAN-870-Infra-SIEM-Server-1 ---
Port-channel15 None Yes Unknown --- Connected to LAN-870-Infra-SIEM-Server-2 ---
Port-channel16 None Yes Unknown --- Connected to LAN-870-Infra-SIEM-Server-3 ---
Port-channel17 None Yes Unknown --- Connected to JED-SIEMXM1 ---
Port-channel18 None Yes Unknown --- Connected to jed-siempdih1 ---
Port-channel19 None Yes Unknown --- Connected to Aruba-Controller-1 ---
Port-channel20 None Yes Unknown --- Connected to Aruba-Controller-2 ---
Port-channel21 None Yes Unknown --- Connected to Aruba-Controller-3 ---
Port-channel22 None Yes Unknown --- Connected to Aruba-Conductor ---
Port-channel25 None Yes Unknown --- Connected to Jed-CS-MISC ---
Port-channel26 None Yes Unknown --- Connected to WAN-Server ---
Port-channel27 None Yes Unknown --- Connected to JEDGIGMON ---
Port-channel28 None Yes Unknown --- Core Switch Extension Catalyst 9200L 24-port PoE+ x 2 for system with 1GB-TX interface ---
Port-channel30 None Yes Unknown --- Connected to JED-CORE-MGM-SW1 ---
Port-channel31 None Yes Unknown --- Connected to JED-DC-ISP-SW ---
Port-channel100 None Yes Unknown --- Uplink Port - Distribution Switch ---
Port-channel101 None Yes Unknown --- Uplink Port - Service Switch ---
TwentyFiveGigE1/0/1 None Yes Unknown --- Uplink Port - Sophos Perimeter FW1 ---
TwentyFiveGigE1/0/2 None Yes Unknown --- Uplink Port - Sophos Perimeter FW2 ---
TwentyFiveGigE1/0/3 None Yes Unknown --- Uplink Port - Sophos B2B (XGS 2100) FW1 ---
TwentyFiveGigE1/0/4 None Yes Unknown --- Uplink Port - Sophos B2B (XGS 2100) FW2 ---
TwentyFiveGigE1/0/5 None Yes Unknown --- Uplink Port - Sophos Primary FW1 XGS 4500 ---
TwentyFiveGigE1/0/6 None Yes Unknown --- Uplink Port - Sophos Primary FW1 XGS 4500 ---
TwentyFiveGigE1/0/7 None Yes Unknown --- Uplink Port - Sophos Primary FW2 XGS 4500 ---
TwentyFiveGigE1/0/8 None Yes Unknown --- Uplink Port - Sophos Primary FW2 XGS 4500 ---
TwentyFiveGigE1/0/9 None Yes Unknown
TwentyFiveGigE1/0/10 None Yes Unknown
TwentyFiveGigE1/0/11 None Yes Unknown --- Old Sophos B2B 3100 - Temp ---
TwentyFiveGigE1/0/12 None Yes Unknown
TwentyFiveGigE1/0/13 None Yes Unknown
TwentyFiveGigE1/0/14 None Yes Unknown
TwentyFiveGigE1/0/15 None Yes Unknown --- LAN Probe - Blue Moon ---
TwentyFiveGigE1/0/16 None Yes Unknown
TwentyFiveGigE1/0/17 None Yes Unknown
TwentyFiveGigE1/0/18 None Yes Unknown
TwentyFiveGigE1/0/19 None Yes Unknown --- Connected to Aruba-Controller-1 ---
TwentyFiveGigE1/0/20 None Yes Unknown --- Connected to Aruba-Controller-2 ---
TwentyFiveGigE1/0/21 None Yes Unknown --- Connected to AlFurfan-Aruba-Controller-3 ---
TwentyFiveGigE1/0/22 None Yes Unknown --- Connected to Aruba-Conductor ---
TwentyFiveGigE1/0/23 None Yes Unknown --- Jed-CS-CL01-ESXi02 ---
TwentyFiveGigE1/0/24 None Yes Unknown --- Jed-CS-CL01-ESXi03 ---
TwentyFiveGigE1/0/25 None Yes Unknown --- Jed-CS-MISC ---
TwentyFiveGigE1/0/26 None Yes Unknown --- Connected to WAN-Server ---
TwentyFiveGigE1/0/27 None Yes Unknown --- Connected to JEDGIGMON ---
TwentyFiveGigE1/0/28 None Yes Unknown --- Core Switch Extension Catalyst 9200L 24-port PoE+ x 2 for system with 1GB-TX interface ---
TwentyFiveGigE1/0/29 None Yes Unknown
TwentyFiveGigE1/0/30 None Yes Unknown --- Connected to JED-CORE-MGM-SW1 ---
TwentyFiveGigE1/0/31 None Yes Unknown --- Connected to JED-DC-ISP-SW ---
TwentyFiveGigE1/0/32 None Yes Unknown
TwentyFiveGigE1/0/33 None Yes Unknown
TwentyFiveGigE1/0/34 None Yes Unknown --- Uplink Port - Distribution Switch ---
TwentyFiveGigE1/0/35 None Yes Unknown --- Uplink Port - Distribution Switch ---
TwentyFiveGigE1/0/36 None Yes Unknown
TwentyFiveGigE1/0/37 None Yes Unknown
TwentyFiveGigE1/0/38 None Yes Unknown --- Uplink Port - Service Switch ---
TwentyFiveGigE1/0/39 None Yes Unknown --- Uplink Port - Service Switch ---
TwentyFiveGigE1/0/40 None Yes Unknown
TwentyFiveGigE1/0/41 None Yes Unknown --- MICROWAVE-AMAZNET-ISP-SW ---
TwentyFiveGigE1/0/42 None Yes Unknown
TwentyFiveGigE1/0/43 None Yes Unknown
TwentyFiveGigE1/0/44 None Yes Unknown
TwentyFiveGigE1/0/45 None Yes Unknown
TwentyFiveGigE1/0/46 None Yes Unknown
TwentyFiveGigE1/0/47 None Yes Unknown
TwentyFiveGigE1/0/48 None Yes Unknown
TwentyFiveGigE2/0/1 None Yes Unknown --- Uplink Port - Sophos Perimeter FW1 ---
TwentyFiveGigE2/0/2 None Yes Unknown --- Uplink Port - Sophos Perimeter FW2 ---
TwentyFiveGigE2/0/3 None Yes Unknown --- Uplink Port - Sophos B2B (XGS 2100) FW1 ---
TwentyFiveGigE2/0/4 None Yes Unknown --- Uplink Port - Sophos B2B (XGS 2100) FW2 ---
TwentyFiveGigE2/0/5 None Yes Unknown --- Uplink Port - Sophos Primary FW1 XGS 4500 ---
TwentyFiveGigE2/0/6 None Yes Unknown --- Uplink Port - Sophos Primary FW1 XGS 4500 ---
TwentyFiveGigE2/0/7 None Yes Unknown --- Uplink Port - Sophos Primary FW2 XGS 4500 ---
TwentyFiveGigE2/0/8 None Yes Unknown --- Uplink Port - Sophos Primary FW2 XGS 4500 ---
TwentyFiveGigE2/0/9 None Yes Unknown
TwentyFiveGigE2/0/10 None Yes Unknown
TwentyFiveGigE2/0/11 None Yes Unknown --- Old Sophos B2B 3100 - Temp ---
TwentyFiveGigE2/0/12 None Yes Unknown
TwentyFiveGigE2/0/13 None Yes Unknown
TwentyFiveGigE2/0/14 None Yes Unknown
TwentyFiveGigE2/0/15 None Yes Unknown --- LAN Probe - Blue Moon ---
TwentyFiveGigE2/0/16 None Yes Unknown
TwentyFiveGigE2/0/17 None Yes Unknown
TwentyFiveGigE2/0/18 None Yes Unknown
TwentyFiveGigE2/0/19 None Yes Unknown --- Connected to Aruba-Controller-1 ---
TwentyFiveGigE2/0/20 None Yes Unknown --- Connected to Aruba-Controller-2 ---
TwentyFiveGigE2/0/21 None Yes Unknown --- Connected to AlFurfan-Aruba-Controller-3 ---
TwentyFiveGigE2/0/22 None Yes Unknown --- Connected to Aruba-Conductor ---
TwentyFiveGigE2/0/23 None Yes Unknown --- Jed-CS-CL01-ESXi02 ---
TwentyFiveGigE2/0/24 None Yes Unknown --- Jed-CS-CL01-ESXi03 ---
TwentyFiveGigE2/0/25 None Yes Unknown --- Jed-CS-MISC ---
TwentyFiveGigE2/0/26 None Yes Unknown --- Connected to WAN-Server ---
TwentyFiveGigE2/0/27 None Yes Unknown --- Connected to JEDGIGMON ---
TwentyFiveGigE2/0/28 None Yes Unknown --- Core Switch Extension Catalyst 9200L 24-port PoE+ x 2 for system with 1GB-TX interface ---
TwentyFiveGigE2/0/29 None Yes Unknown
TwentyFiveGigE2/0/30 None Yes Unknown --- Connected to JED-CORE-MGM-SW1 ---
TwentyFiveGigE2/0/31 None Yes Unknown --- Connected to JED-DC-ISP-SW ---
TwentyFiveGigE2/0/32 None Yes Unknown
TwentyFiveGigE2/0/33 None Yes Unknown
TwentyFiveGigE2/0/34 None Yes Unknown --- Uplink Port - Distribution Switch ---
TwentyFiveGigE2/0/35 None Yes Unknown --- Uplink Port - Distribution Switch ---
TwentyFiveGigE2/0/36 None Yes Unknown
TwentyFiveGigE2/0/37 None Yes Unknown
TwentyFiveGigE2/0/38 None Yes Unknown --- Uplink Port - Service Switch ---
TwentyFiveGigE2/0/39 None Yes Unknown --- Uplink Port - Service Switch ---
TwentyFiveGigE2/0/40 None Yes Unknown
TwentyFiveGigE2/0/41 None Yes Unknown
TwentyFiveGigE2/0/42 None Yes Unknown
TwentyFiveGigE2/0/43 None Yes Unknown
TwentyFiveGigE2/0/44 None Yes Unknown
TwentyFiveGigE2/0/45 None Yes Unknown
TwentyFiveGigE2/0/46 None Yes Unknown
TwentyFiveGigE2/0/47 None Yes Unknown
TwentyFiveGigE2/0/48 None Yes Unknown
HundredGigE1/0/49 None Yes Unknown
HundredGigE1/0/50 None Yes Unknown
HundredGigE1/0/51 None Yes Unknown
HundredGigE1/0/52 None Yes Unknown
HundredGigE2/0/49 None Yes Unknown
HundredGigE2/0/50 None Yes Unknown
HundredGigE2/0/51 None Yes Unknown
HundredGigE2/0/52 None Yes Unknown
Vlan1 None Yes N/A
Vlan2 None Yes N/A 192.168.102.10 --- Network-102 ---
Vlan99 None Yes N/A 192.168.99.101 --- Network-99 ---
Vlan106 None Yes N/A 10.240.16.10
Vlan276 None Yes N/A 10.240.176.10 --- LAN-276-Infra-ArubaNetwork ---
Vlan302 None Yes N/A 10.10.102.10 --- WiFi_SACC_IPPhone ---
Vlan306 None Yes N/A 10.10.105.10 --- WiFi_SACC_CEO ---
Vlan308 None Yes N/A 10.10.107.10 --- WiFi_SACC_Executives ---
Vlan310 None Yes N/A 10.10.109.10 --- WiFi_SACC_System ---
Vlan312 None Yes N/A 10.10.12.10 --- WiFi_SACC_Guest ---
Vlan313 None Yes N/A 10.10.100.10 --- WiFi_SACC_IT-VIPGuest ---
Vlan314 None Yes N/A 10.10.20.10 --- WiFi_Alfursan ---
Vlan316 None Yes N/A --- WiFi_Airfi ---
Vlan317 None Yes N/A 10.10.152.10 --- Wifi_TMS ---
Vlan728 None Yes N/A 10.50.0.1
Vlan729 None Yes N/A 10.50.0.117 ---Point to Point to Primary-FW-for-USER-VRF ---
Vlan730 None Yes N/A 10.50.0.121 ---Point to Point to Primary-FW-for-WIFI-VRF ---
Vlan1800 None Yes N/A 10.50.2.221 ---Point to Point to Distribution-SW-for-USER-VRF ---
Vlan874 None Yes N/A
Vlan870 None Yes N/A
Vlan862 None Yes N/A

Table 237: Network interfaces with inadequate filtering assigned

SC-10 Network Disconnect

Control

Terminate the network connection associated with a communications session at the end of the session or after time period of
inactivity.

Discussion

Network disconnect applies to internal and external networks. Terminating network connections associated with specific
communications sessions includes de-allocating TCP/IP address or port pairs at the operating system level and de-allocating
the networking assignments at the application level if multiple application sessions are using a single operating system-level
network connection. Periods of inactivity may be established by organizations and include time periods by type of network
access or for specific network accesses.

SC-10 Network Disconnect PASS

DISA STIG Rating

Category: CAT-I

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Pass)

Control Defined Testing Requirements Result Rating

SC-10 Terminate the network connection associated with a communications session at the end of the session or after time period of inactivity. DISA STIG Rating : CAT-I

Table 238: Test Summary SC-10


Description

Terminate the network connection associated with a communications session at the end of the session or after time period
of inactivity.

Findings

JED-DC-CORE-SW.catrion.local

Check Description Findings Result

Check: Line Exec Session Idle Timeout
Description: Invictux examined the administrative line exec timeouts to determine that they were set to 10 minutes, or less, on usable administrative lines.
Findings: The configuration of the administrative lines on JED-DC-CORE-SW.catrion.local is detailed in Table. See Table: "Administrative line settings on JED-DC-CORE-SW.catrion.local"
Result: AND

Check: HTTP Idle Timeout
Description: Invictux examined the device configuration to determine if the HTTP service specific idle timeout was set to 10 minutes or less.
Findings: See Table: "Web-based administration service settings"
Result: AND

Check: HTTPS Idle Timeout
Description: Invictux examined the device configuration to determine if the HTTPS specific idle timeout was set to 10 minutes or less.
Findings: See Table: "Web-based administration service settings"
Result:

Table 239: Findings for JED-DC-CORE-SW.catrion.local

Line | Access | Login | Exec Timeout | Absolute Timeout | Session Timeout | Login Timeout | Callback | Session Limit | Filter In | Filter Out
Console | Yes | Line Password | 10 minutes | None | None | 30 seconds | None | N/A | N/A | N/A
VTY 0 - 4 | Yes | Line Password | 10 minutes | None | None | 30 seconds | None | 10 | N/A |
VTY 5 - 15 | Yes | Line Password | 10 minutes | None | None | 30 seconds | None | 10 | N/A |

Table 240: Administrative line settings on JED-DC-CORE-SW.catrion.local

Description Value

Web Administration Service (HTTP) Disabled

HTTP TCP Port 80

Web Administration Service (IPv6 HTTP) Disabled

IPv6 HTTP TCP Port 80

Table 241: Web-based administration service settings


Description Value

Web Administration Service (HTTPS) Disabled

HTTPS TCP Port 443

Web Administration Service (IPv6 HTTPS) Disabled

IPv6 HTTPS TCP Port 443

Table 242: Web-based administration service settings

SC-13 Cryptographic Protection

Control

(a) Determine the [Assignment: organization-defined cryptographic uses]; and

(b) Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-
defined types of cryptography for each specified cryptographic use].

Discussion

Cryptography can be employed to support a variety of security solutions, including the protection of classified information and
controlled unclassified information, the provision and implementation of digital signatures, and the enforcement of
information separation when authorized individuals have the necessary clearances but lack the necessary formal access
approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic
standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to
protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and
implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance
with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

SC-13 Cryptographic Protection PASS

DISA STIG Rating

Category: CAT-II

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Pass)

Control Defined Testing Requirements Result Rating

SC-13 (a) Determine the cryptographic uses; and (b) Implement the following types of cryptography required for each specified cryptographic use: types of cryptography. DISA STIG Rating : CAT-II

Table 243: Test Summary SC-13

Description

(a) Determine the cryptographic uses; and
(b) Implement the following types of cryptography required for each specified cryptographic use: types of cryptography.

Findings

JED-DC-CORE-SW.catrion.local

Check Description Findings Result

Check: Check IPSec Phase-1 FIPS 140-2 Hash
Description: Invictux examined the device configuration to determine if IPSec phase-1 was configured to use only a FIPS 140-2 validated hashing algorithm.
Findings: Invictux did not identify any IPSec phase-1 configuration on JED-DC-CORE-SW.catrion.local.
Result: AND

Check: Check IPSec Transformation Set FIPS 140-2 Hash
Description: Invictux examined the device configuration to determine if all IPSec transformation sets were configured to use only a FIPS 140-2 validated hashing algorithm.
Findings: Invictux did not identify any IPSec transformation set configuration on JED-DC-CORE-SW.catrion.local.
Result: AND

Check: Check IPSec Transformation Set FIPS 140-2 Hash
Description: Invictux examined the device configuration to determine if all IPSec transformation sets were configured to use only a FIPS 140-2 validated hashing algorithm.
Findings: Invictux did not identify any IPSec transformation set configuration on JED-DC-CORE-SW.catrion.local.
Result: AND

Check: Check IPSec phase-1 FIPS 140-2 encryption
Description: Invictux examined the device configuration to determine if IPSec phase-1 was configured to use only FIPS 140-2 validated encryption.
Findings: Invictux did not identify any IPSec phase-1 configuration on JED-DC-CORE-SW.catrion.local.
Result:

Table 244: Findings for JED-DC-CORE-SW.catrion.local

SC-17 Public Key Infrastructure Certificates

Control

(a) Issue public key certificates under a certificate policy or obtain public key certificates from an approved service provider;
and
(b) Include only approved trust anchors in trust stores or certificate stores managed by the organization.

Discussion
Public key infrastructure (PKI) certificates are certificates with visibility external to organizational systems and certificates
related to the internal operations of systems, such as application-specific time services. In cryptographic systems with a
hierarchical structure, a trust anchor is an authoritative source (i.e., a certificate authority) for which trust is assumed and not
derived. A root certificate for a PKI system is an example of a trust anchor. A trust store or certificate store maintains a list of
trusted root certificates.

SC-17 Public Key Infrastructure Certificates INVESTIGATE

DISA STIG Rating

Category: CAT-II

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Investigate)

Control Defined Testing Requirements Result Rating

SC-17 (a) Issue public key certificates under a certificate policy or obtain public key certificates from an approved service provider; and (b) Include only approved trust anchors in trust stores or certificate stores managed by the organization. DISA STIG Rating : CAT-II

Table 245: Test Summary SC-17

Description

(a) Issue public key certificates under a certificate policy or obtain public key certificates from an approved service
provider; and
(b) Include only approved trust anchors in trust stores or certificate stores managed by the organization.

Findings

JED-DC-CORE-SW.catrion.local

Check Description Findings Result

Check: Approved CA
Description: Invictux examined the device configuration to determine if all configured PKI trustpoint CA were approved.
Findings: The following trustpoint CA were configured on JED-DC-CORE-SW.catrion.local: * Trustpoint SLA-TrustPoint - no URL * Trustpoint TP-self-signed-600664820 - no URL
Result: OR

Check: Has Certificates
Description: Invictux examined the device configuration to determine if PKI certificates had been configured.
Findings: Certificate chain SLA-TrustPoint: 1. nvram:CiscoLicensi#1CA.cer
Result:

Table 246: Findings for JED-DC-CORE-SW.catrion.local

SC-23 Session Authenticity

Control

Protect the authenticity of communications sessions.

Discussion

Protecting session authenticity addresses communications protection at the session level, not at the packet level. Such
protection establishes grounds for confidence at both ends of communications sessions in the ongoing identities of other
parties and the validity of transmitted information. Authenticity protection includes protecting against "man-in-the-middle"
attacks, session hijacking, and the insertion of false information into sessions.

SC-23(3) Session Authenticity INVESTIGATE

DISA STIG Rating

Category: CAT-II

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Investigate)

Control Defined Testing Requirements Result Rating

SC-23(3) Generate a unique session identifier for each session with randomness requirements and recognize only session identifiers that are system-generated. DISA STIG Rating : CAT-II

Table 247: Test Summary SC-23(3)

Description

Generate a unique session identifier for each session with randomness requirements and recognize only session identifiers
that are system-generated.

Findings

JED-DC-CORE-SW.catrion.local

Check Description Findings Result

Check: Check FIPS Mode Is Enabled
Description: Invictux examined the device configuration to determine if the device had FIPS mode enabled.
Findings: Invictux was unable to automate this check.
Result:

Table 248: Findings for JED-DC-CORE-SW.catrion.local

SC-45 System Time Synchronization

Control

Synchronize system clocks within and between systems and system components.

Discussion

Time synchronization of system clocks is essential for the correct execution of many system services, including identification
and authentication processes that involve certificates and time-of-day restrictions as part of access control. Denial of service or
failure to deny expired credentials may result without properly synchronized clocks within and between systems and system
components. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean
Time (GMT), or local time with an offset from UTC. The granularity of time measurements refers to the degree of
synchronization between system clocks and reference clocks, such as clocks synchronizing within hundreds of milliseconds or
tens of milliseconds. Organizations may define different time granularities for system components. Time service can be critical
to other security capabilities—such as access control and identification and authentication—depending on the nature of the
mechanisms used to support the capabilities.

SC-45(2) System Time Synchronization FAIL

DISA STIG Rating

Category: CAT-II

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Fail)

Control Defined Testing Requirements Result Rating

SC-45(2) No Test Description DISA STIG Rating : CAT-II


Table 249: Test Summary SC-45(2)

Findings

JED-DC-CORE-SW.catrion.local

Check Description Findings Result

Check: Check Number of NTP Time Sources
Description: Invictux examined the device configuration to determine if the NTP client was configured to sync its time against two NTP time sources.
Findings: See Table: "NTP client time sources"
Result:

Table 250: Findings for JED-DC-CORE-SW.catrion.local

Address Auth Key Version

192.168.101.101 3

Table 251: NTP client time sources

System and Information Integrity (SI)

SI-11 Error Handling

Control

(a) Generate error messages that provide information necessary for corrective actions without revealing information that could
be exploited; and
(b) Reveal error messages only to personnel or roles.

Discussion

Organizations consider the structure and content of error messages. The extent to which systems can handle error conditions
is guided and informed by organizational policy and operational requirements. Exploitable information includes stack traces
and implementation details; erroneous logon attempts with passwords mistakenly entered as the username; mission or
business information that can be derived from, if not stated explicitly by, the information recorded; and personally identifiable
information, such as account numbers, social security numbers, and credit card numbers. Error messages may also provide a
covert channel for transmitting information.

SI-11(b) Error Handling FAIL

DISA STIG Rating


Category: CAT-II

Affected Devices

Cisco Catalyst Switch JED-DC-CORE-SW.catrion.local (Fail)

Control | Defined Testing Requirements | Result | Rating
SI-11(b) | Reveal error messages only to personnel or roles. | Fail | DISA STIG Rating: CAT-II

Table 252: Test Summary SI-11(b)

Description

Reveal error messages only to personnel or roles.

Findings

JED-DC-CORE-SW.catrion.local

Check | Description | Findings | Result
Check Syslog Facility & Severity | Invictux examined the device configuration to determine if the Syslog message logging severity level was at least Information severity level with "change-log" facility. | The check has failed on the device. No finding available at present. | Fail
Table 253: Findings for JED-DC-CORE-SW.catrion.local

Appendix

Protocols
This section lists and describes Internet Assigned Number Authority (IANA) registered protocols referenced within this report.

Name | Description | Protocol | IPv6 | RFC
TCP | Transmission Control | 6 | No | RFC 793
UDP | User Datagram | 17 | No | RFC 768
ICMP | Internet Control Message Protocol | 1 | No | RFC 792
SCTP | Stream Control Transmission Protocol | 132 | No |
DCCP | Datagram Congestion Control Protocol | 33 | No | RFC 4340

Table 254: Protocols referenced in this report

IP Options
IP Options were referenced during this audit. This section lists and describes all the IANA registered IP Options.

Description | Value | RFC
EOOL - End of Options List | 0 | RFC 791
NOP - No Operation | 1 | RFC 791
SEC - Security | 130 | RFC 1108
LSR - Loose Source Route | 131 | RFC 791
TS - Time Stamp | 68 | RFC 791
E-SEC - Extended Security | 133 | RFC 1108
CIPSO - Commercial Security | 134 |
RR - Record Route | 7 | RFC 791
SID - Stream ID | 136 | RFC 791, RFC 6814
SSR - Strict Source Route | 137 | RFC 791
ZSU - Experimental Measurement | 10 |
MTUP - MTU Probe | 11 | RFC 1063, RFC 1191
MTUR - MTU Reply | 12 | RFC 1063, RFC 1191
FINN - Experimental Flow Control | 205 |
VISA - Experimental Access Control | 142 | RFC 6814
ENCODE - ??? | 15 | RFC 6814
IMITD - IMI Traffic Descriptor | 144 |
EIP - Extended Internet Protocol | 145 | RFC 1385, RFC 6814
TR - Traceroute | 82 | RFC 1393, RFC 6814
ADDEXT - Address Extension | 147 | RFC 6814
RTRALT - Router Alert | 148 | RFC 2113
SDB - Selective Directed Broadcast | 149 | RFC 6814
- Unassigned (Released 18 October 2005) | 150 |
DPS - Dynamic Packet State | 151 | RFC 6814
UMP - Upstream Multicast Pkt. | 152 | RFC 6814
QS - Quick-Start | 25 | RFC 4782
EXP - RFC3692-style Experiment | 30 | RFC 4727
EXP - RFC3692-style Experiment | 94 | RFC 4727
EXP - RFC3692-style Experiment | 158 | RFC 4727
EXP - RFC3692-style Experiment | 222 | RFC 4727

Table 255: IP Options

Services
This section lists and describes IANA registered network services referenced within this report.

Name | Description | Protocol | Port(s) | RFC
ssh | The Secure Shell (SSH) Protocol | TCP | 22 | RFC 4251
ssh | The Secure Shell (SSH) Protocol | UDP | 22 | RFC 4251
ssh | SSH | SCTP | 22 | RFC 9260
http | World Wide Web HTTP | TCP | 80 | RFC 9110
http | World Wide Web HTTP | UDP | 80 | RFC 9110
http | HTTP | SCTP | 80 | RFC 9260
https | http protocol over TLS/SSL | TCP | 443 | RFC 9110
https | http protocol over TLS/SSL | UDP | 443 | RFC 9110
https | HTTPS | SCTP | 443 | RFC 9260
telnet | Telnet | TCP | 23 | RFC 854
telnet | Telnet | UDP | 23 | RFC 854
bootp | Bootstrap Protocol | | -1 |
finger | Finger | TCP | 79 |
finger | Finger | UDP | 79 |
l2tp | l2tp | TCP | 1701 |
l2tp | l2tp | UDP | 1701 |

Table 256: Services referenced in this report

Logging Severity Level


Logging message severity levels provide a way of tagging log messages with an indication of how significant the message is. Table
257 lists the standard logging severity levels that can be configured.

Level | Name | Description
0 | Emergencies | The system is unusable
1 | Alerts | Immediate action is required
2 | Critical | Critical conditions
3 | Errors | Error conditions
4 | Warnings | Warning conditions
5 | Notifications | Significant conditions
6 | Informational | Informational messages
7 | Debugging | Debugging messages

Table 257: Logging message severity levels

OSPF LSA Message Types


OSPF is a routing protocol which is designed to dynamically adjust to network topology changes, updating its own routing tables
and notifying other network devices of the changes. OSPF routers exchange information using LSA messages. This section details the
different OSPF LSA message types.

Type | Name | Brief Description
1 | Router LSA | These messages are sent only within the defined area and list the routers, the networks and their metrics.
2 | Network LSA | The designated router sends these messages containing a list of routers on a segment. These messages are sent only within the defined area.
3 | Summary LSA | An ABR sends routing summary LSA messages for its attached areas to other area routers. These messages enable scalability, with other OSPF area routers being sent summary information about other areas.
4 | ASBR Summary LSA | This message type contains additional route summary information for ASBR.
5 | External LSA | These messages contain routing information extracted from alternative routing processes. These messages are sent to all areas, except stubs.
6 | Group Message LSA | This message type relates to MOSPF and is not in general use.
7 | NSSA Routers | Routers in NSSA will not receive updates from ABR as external LSA are not permitted. Instead, this type of message is used to summarize external routes to ABR.
8 | IPv6 LSA | These messages contain information on IPv6 addressing and BGP internetworking.
9 | Link Local Opaque LSA | These messages contain prefixes for stub and transit networks.
10 | Area Local Opaque LSA | These messages contain information that should be sent to other routers even if the routers are unable to understand the information.
11 | Opaque LSA | These messages contain information that should be sent to other routers, except stub areas.

Table 258: OSPF LSA message types


Common Time Zones
When synchronizing time from a central source, time zones can be configured in order to offset the time information for a specific
locality. This section details the most common time zones.

Region | Acronym | Time Zone | UTC Offset
Australia | CST | Central Standard Time | +9.5 hours
Australia | EST | Eastern Standard/Summer Time | +10 hours
Australia | WST | Western Standard Time | +8 hours
Europe | BST | British Summer Time | +1 hour
Europe | CEST | Central Europe Summer Time | +2 hours
Europe | CET | Central Europe Time | +1 hour
Europe | EEST | Eastern Europe Summer Time | +3 hours
Europe | EST | Eastern Europe Time | +2 hours
Europe | GMT | Greenwich Mean Time |
Europe | IST | Irish Summer Time | +1 hour
Europe | MSK | Moscow Time | +3 hours
Europe | WEST | Western Europe Summer Time | +1 hour
Europe | WET | Western Europe Time | +1 hour
USA and Canada | ADT | Atlantic Daylight Time | -3 hours
USA and Canada | AKDT | Alaska Standard Daylight Saving Time | -8 hours
USA and Canada | AKST | Alaska Standard Time | -9 hours
USA and Canada | AST | Atlantic Standard Time | -4 hours
USA and Canada | CDT | Central Daylight Saving Time | -5 hours
USA and Canada | CST | Central Standard Time | -6 hours
USA and Canada | EDT | Eastern Daylight Time | -4 hours
USA and Canada | EST | Eastern Standard Time | -5 hours
USA and Canada | HST | Hawaiian Standard Time | -10 hours
USA and Canada | MDT | Mountain Daylight Time | -6 hours
USA and Canada | MST | Mountain Standard Time | -7 hours
USA and Canada | PDT | Pacific Daylight Time | -7 hours
USA and Canada | PST | Pacific Standard Time | -3 hours

Table 259: Common time zones

Abbreviations

This section describes the abbreviations used within this report.


Abbreviation | Description
ABR | Area Border Router
ACE | Access Control Entry
ACL | Access Control List
ARP | Address Resolution Protocol
AS | Autonomous Systems
ASBR | Autonomous System Boundary Router
BGP | Border Gateway Protocol
BOOTP | BOOTstrap Protocol
BPDU | Bridge Protocol Data Unit
CA | Certificate Authority
CDP | Cisco Discovery Protocol
CIDR | Classless Inter-Domain Routing
CPU | Central Processing Unit
CVSS | Common Vulnerabilities Scoring System
CWE | Common Weakness Enumeration
DH | Diffie-Hellman
DHCP | Dynamic Host Configuration Protocol
DNS | Domain Name System
DTP | Dynamic Trunking Protocol
DoS | Denial of Service
EIGRP | Enhanced Interior Gateway Routing Protocol
FIPS | Federal Information Processing Standard
HMAC | Hashed Message Authentication Code or keyed-Hash Message Authentication Code
HTTP | Hypertext Transfer Protocol
HTTPS | Hypertext Transfer Protocol over SSL
IANA | Internet Assigned Number Authority
ICMP | Internet Control Message Protocol
ID | Identifier
IDS | Intrusion Detection System
IEEE | Institute of Electrical and Electronics Engineers
IGP | Interior Gateway Protocol
IOS | Internet Operating System
IP | Internet Protocol
IPv4 | Internet Protocol version 4
IPv6 | Internet Protocol version 6
IS-IS | Intermediate System-to-Intermediate System
LDAP | Lightweight Directory Access Protocol
LLDP | Link Layer Discovery Protocol
LSA | Link State Advertisement
LSDB | Link State Database
MAC | Media Access Control
MD5 | Message Digest 5
MIB | Management Information Base
MITM | Man-In-The-Middle
MOSPF | Multicast Open Shortest Path First
MPLS | Multi Protocol Label Switching
NSSA | Not So Stubby Area
NTP | Network Time Protocol
NVD | National Vulnerability Database
NIST | National Institute of Standards and Technology
OS | Operating System
OSI | Open Systems Interconnection
OSPF | Open Shortest Path First
PAD | Packet Assembler / Disassembler
PIM | Protocol Independent Multicast
PKI | Public Key Infrastructure
QoS | Quality of Service
RADIUS | Remote Authentication Dial-In User Service
RFC | Request For Change
RPF | Reverse Path Forwarding
SNMP | Simple Network Management Protocol
SPI | Security Policy Index
SSH | Secure Shell
SSL | Secure Sockets Layer
STIG | Security Technical Implementation Guide
STP | Spanning Tree Protocol
TACACS+ | Terminal Access Controller Access Control System Plus
TCN | Topology Change Notification
TCP | Transmission Control Protocol
TFTP | Trivial File Transfer Protocol
TTL | Time To Live
UDP | User Datagram Protocol
URL | Uniform Resource Locator
UTC | Coordinated Universal Time
VLAN | Virtual Local Area Network
VTY | Virtual Teletype

Table 260: Abbreviations
