The VTC system and components must not have default or factory passwords.

From Video Services Policy STIG

Part of RTS-VTC 2020

SV-18861r2_rule The VTC system and components must not have default or factory passwords.

Vulnerability discussion

Factory default, well-known, and manufacturer backdoor accounts and their associated passwords provide easy unauthorized access to systems and devices. Leaving such accounts and passwords active on a system or device makes it extremely vulnerable to attack and unauthorized access. As such, they must be removed, changed, renamed, or otherwise disabled.

Also covered by this policy are “community strings”, which act as passwords for monitoring and management of network devices and attached systems via SNMP. The universal default SNMP community strings are “public” and “private” and are well known. Default access for VTC operation, local and remote control, management, and configuration purposes is typically unrestricted or minimally protected by well-known default passwords. It has been demonstrated that not changing these passwords is the most common cause of VTC system compromise.

Check content

Review site documentation to confirm VTC system and component default and factory passwords have been changed. This includes SNMP community strings, which must be changed or replaced prior to the VTU being placed into service. If the VTC system and component default and factory passwords are not changed, this is a finding. Note: During APL testing, this is a finding in the event default passwords cannot be changed on VTC or VTU.
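Where the site documentation includes a component inventory, part of this review can be scripted. The following is an added example, not part of the STIG or any vendor tooling: the CSV layout, component names and community values are constructed, and reporting a blank confirmation as "unverified" is an assumption of this example.

```python
import csv
import io

# Universal default SNMP community strings named in the vulnerability discussion.
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed sample inventory (hypothetical component names and column layout).
SAMPLE_INVENTORY = """\
component,password_changed,snmp_communities
vtu-conf-room-1,yes,s3gment-ro;s3gment-rw
vtu-conf-room-2,yes,Public ;s3gment-rw
mcu-core,no,s3gment-ro
gatekeeper,,PRIVATE
touch-panel-4,yes,
"""


def audit_inventory(text):
    """Return {component: [reasons]} for each row that is a finding or unverified."""
    results = {}
    for row in csv.DictReader(io.StringIO(text)):
        reasons = []
        changed = (row.get("password_changed") or "").strip().lower()
        if changed == "no":
            reasons.append("finding: default/factory password not changed")
        elif changed != "yes":
            # Assumption: a blank or unclear entry is reported for manual review.
            reasons.append("unverified: documentation does not confirm password change")
        # Flag case and whitespace variants too, so a value such as "Public "
        # is not accepted as a changed community string.
        for community in (row.get("snmp_communities") or "").split(";"):
            if community.strip().lower() in DEFAULT_COMMUNITIES:
                reasons.append(
                    f"finding: default SNMP community string {community.strip()!r}")
        if reasons:
            results[row["component"]] = reasons
    return results


if __name__ == "__main__":
    for component, reasons in audit_inventory(SAMPLE_INVENTORY).items():
        for reason in reasons:
            print(f"{component}: {reason}")
```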

Fix text

Change all VTC system and component default and factory passwords.
