The network element must have the Maintenance Operation Protocol (MOP) service disabled.

From Perimeter L3 Switch Security Technical Implementation Guide - Cisco

Part of Disable Maintenance Operation Protocol (MOP)

Associated with: CCI-000381

SV-79295r1_rule The network element must have the Maintenance Operation Protocol (MOP) service disabled.

Vulnerability discussion

The Maintenance Operations Protocol (MOP) was developed by Digital Equipment Corporation to be used for remote communications. Cisco IOS software routers implement MOP to gather configuration information when communicating with DECNet networks. By default, MOP is enabled on all Ethernet, FastEthernet, and GigabitEthernet interfaces, and disabled on all other type of interfaces. The MOP RC data is carried directly over L2 frames, with no L3 addressing at all, so any RC session is limited to devices that are either on the same physical network segment or in separate network segments that are bridged. It is possible to connect to a Cisco IOS device using a MOP RC client and, with a valid set of credentials, establish an interactive remote session. Since this is a Cisco default setting, it will not display in the configuration when enabled. The MOP service must be disabled on each interface by using the "no mop enabled" interface configuration command.

Check content

Review the device configuration; if the statement "no mop enabled" is not present on every enabled Ethernet, FastEthernet, and GigabitEthernet interface, this is a finding. Not all releases of Cisco IOS support this capability and this does not apply to Cisco NX OS. If the "no mop enabled" statement is not present in the device configuration, determine if the IOS version and feature set support Maintenance Operations Protocol. If it does not, this is not a finding.

Fix text

Configure the device to disable Maintenance Operation Protocol (MOP). Issue the following command on all Ethernet, FastEthernet, and GigabitEthernet interfaces: (config-if) no mop enable Not all releases of Cisco IOS support this capability and this does not apply to Cisco NX OS. Document the IOS release and feature set; if the device IOS does not support Maintenance Operation Protocol, no configuration change is necessary.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer