6.10.3.1 Ensure XNM-Clear-Text Service is Not Set

Information

Cleartext Management Services should be disabled.

Rationale:

JUNOScript Clients can access the router using a variety of transport modes including Clear-Text, Telnet, SSH and SSL.

When Clear-Text is used, the JUNOScript Client connects to the JUNOS Device on port TCP/3221.

As the name suggests, authentication information, commands and router configuration are all transported across the network in clear (unencrypted) text, making it trivial for an attacker to steal login credentials, learn the configuration or hijack the session to execute their own commands.

Because of this, Clear Text mode should never be used to manage JUNOS Devices.

Impact:

Ensure that JUNOScript Clients using the Clear Text interface are not being used to manage the JUNOS Device before disabling the service in a production environment.

NOTE: XNM does not appear to be configured on the target. This check is not applicable.

Solution

The XNM-Clear-Text service is not enabled by default. If it has been configured on your router, it can be disabled by issuing the following command from the [edit system] hierarchy:

[edit system]
user@host# delete services xnm-clear-text
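
An added example, not part of the benchmark or the audit plugin: a Python check that classifies the xnm-clear-text statement in exported configuration text, in either the curly-brace form or the `display set` form, and reports deactivated statements separately. The function name, the three state labels and the sample configurations are assumptions constructed for illustration; statements inherited through configuration groups are not resolved.

```python
TARGET = ["system", "services", "xnm-clear-text"]

def xnm_clear_text_state(config: str) -> str:
    """Classify `system services xnm-clear-text`: 'active', 'inactive' or 'absent'.
    Accepts `show configuration` (curly-brace) or `| display set` output."""
    state, stack, deactivated = "absent", [], []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "/*")):    # blanks and annotations
            continue
        if line == "}":
            del stack[-1:]                               # leave a hierarchy level
            continue
        inactive = line.startswith("inactive:")
        words = line.removeprefix("inactive:").rstrip(";{ ").split()
        if not words:
            continue
        if not stack and words[0] == "deactivate":       # set-format inactive marker
            deactivated.append(words[1:])
        elif not stack and words[0] == "set":
            if words[1:4] == TARGET:
                state = "active"
        else:                                            # curly-brace statement
            path = [name for name, _ in stack] + [words[0]]
            if path == TARGET:
                off = inactive or any(flag for _, flag in stack)
                state = "inactive" if off else "active"
            if line.endswith("{"):
                stack.append((words[0], inactive))
    # A `deactivate` on the statement or on a parent level switches it off.
    if state == "active" and any(d and TARGET[:len(d)] == d for d in deactivated):
        state = "inactive"
    return state

# Constructed sample configurations (not taken from any real device).
HIERARCHICAL = """
system {
    host-name edge1;
    services {
        ssh;
        xnm-clear-text {
            connection-limit 10;
        }
    }
}
"""
DISPLAY_SET = "set system services xnm-clear-text\ndeactivate system services xnm-clear-text\n"
```

Here `xnm_clear_text_state(HIERARCHICAL)` returns 'active' and `xnm_clear_text_state(DISPLAY_SET)` returns 'inactive'; an 'inactive' result means the statement is still present in the configuration but is ignored at commit.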

Default Value:

The XNM-Clear-Text Service is disabled by default and cannot be enabled in JUNOS FIPS Mode.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), CSCv7|11.5

Plugin: Juniper

Control ID: 9354ab5fdb54460bbc36d4e1faa3ab939772fa75494d3bef4b7eb1524ca89a2e