Cisco Security Audit Report

CORE-RTR-01 | Cisco IOS Router | 15.7(3)M5

Generated: 2024-12-02T14:32:18

Compliance Score

Overall Score: 73.2%
Passed: 82
Failed: 30
Total Checks: 112
Level 1 Compliance: 45/52
Level 2 Compliance: 37/60
Critical Findings: 3
High Findings: 8

Vulnerability Assessment

CVE-2023-20198: Cisco IOS XE Web UI Privilege Escalation
Severity: CRITICAL | CVSS: 10.0

A vulnerability in the web UI feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to create an account...

Device Version: 15.7(3)M5 | Fixed in: 17.9.4a, 17.6.6a, 17.3.8a

CVE-2023-20109: Cisco GET VPN Out-of-Bounds Write
Severity: HIGH | CVSS: 8.1

A vulnerability in the Cisco Group Encrypted Transport VPN feature could allow an authenticated attacker to execute arbitrary code...

Device Version: 15.7(3)M5 | Fixed in: 15.9(3)M7, 16.12.10a

CVE-2023-20231: Cisco IOS XE Software Information Disclosure
Severity: MEDIUM | CVSS: 5.3

A vulnerability in the web-based management interface could allow an authenticated remote attacker to obtain sensitive information...

Device Version: 15.7(3)M5 | Fixed in: 17.6.5, 17.9.3

Detailed Findings

Control ID | Title | Level | Severity | Status
1.1.1 | Enable Secret Password | Level 1 | CRITICAL | PASS
1.1.2 | Service Password Encryption | Level 1 | HIGH | PASS
1.2.1 | SSH Timeout Configuration | Level 1 | MEDIUM | FAIL
1.2.2 | SSH Version 2 | Level 1 | HIGH | PASS
2.1.1 | Disable Telnet | Level 1 | CRITICAL | FAIL
2.1.2 | VTY Access Class | Level 1 | HIGH | FAIL
2.2.1 | SNMP Community Strings | Level 1 | CRITICAL | PASS
3.1.1 | NTP Authentication | Level 2 | MEDIUM | FAIL
3.2.1 | Logging Buffer Size | Level 2 | LOW | PASS
3.2.2 | Syslog Server Configuration | Level 2 | MEDIUM | PASS

Password Analysis

Type | Location | Severity | Issue | Recommendation
Type 7 | Line 45 | CRITICAL | Reversible password encryption (easily decoded) | Use Type 8 or Type 9 encryption
Type 5 | Line 23 | MEDIUM | MD5-based encryption (considered weak) | Upgrade to Type 8 (PBKDF2) or Type 9 (scrypt)
Type 0 | Line 112 | CRITICAL | Cleartext password detected | Enable service password-encryption immediately

ACL/Firewall Analysis

ACL Name | Finding Type | Risk | Issue | Recommendation
OUTSIDE-IN | any-any-permit | CRITICAL | Permit any any rule allows all traffic | Replace with specific permit rules
MGMT-ACCESS | shadowed-rule | MEDIUM | Rule on line 15 is shadowed by rule on line 8 | Review and reorder ACL entries
DMZ-OUT | excessive-permit | HIGH | Overly permissive rule permits entire /8 network | Restrict to specific subnets

Compliance Framework Mapping

PCI-DSS: 68.5% (24/35 controls)
NIST 800-53: 71.2% (42/59 controls)
ISO 27001: 82.1% (32/39 controls)
DISA STIG: 54.3% (38/70 controls)
HIPAA: 76.9% (20/26 controls)
SOC 2: 85.0% (17/20 controls)

Remediation Guide

1.2.1: SSH Timeout Configuration

SSH session timeout not configured - sessions may remain open indefinitely

! Close idle SSH negotiations after 60 seconds and limit login attempts
ip ssh time-out 60
ip ssh authentication-retries 3

2.1.1: Disable Telnet

Telnet is enabled on VTY lines - unencrypted management access

! Restrict all VTY lines to SSH in both directions
line vty 0 15
 transport input ssh
 transport output ssh

2.1.2: VTY Access Class

No access-class configured on VTY lines - management access from any IP

! Only the 10.0.0.0/8 management range may reach the VTY lines; log everything else
ip access-list standard VTY-ACCESS
 permit 10.0.0.0 0.255.255.255
 deny any log
!
line vty 0 15
 access-class VTY-ACCESS in

3.1.1: NTP Authentication

NTP authentication not enabled - vulnerable to time spoofing attacks

! Authenticate NTP so only the trusted key-1 server can set the clock
ntp authenticate
ntp authentication-key 1 md5 <secure-key>
ntp trusted-key 1
ntp server 10.1.1.1 key 1