The Juniper router must be configured with a master password that is used to generate encrypted keys for shared secrets.

An XCCDF Rule

Description

<VulnDiscussion>By default, shared secrets in a Junos configuration only use an obfuscation algorithm ($9$ format), which is not very strong and can easily be decrypted. Strong encryption for configured secrets can be enabled by configuring a master password to be used as input to the password based key derivation function (PBKDF2) to generate an encryption key. The key is used as input to the Advanced Encryption Standard in Galois/Counter Mode (AES256-GCM).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-220142r961863_rule
Severity: Medium
References: CCI-000366
Updated: 17 days ago

Configure the master password to be used to generate encrypted keys for shared secrets as shown in the example below.

[edit]
set system master-password plain-text-password    
Master password: xxxxxxxxxx
Repeat master password: xxxxxxxxxx

The Juniper router must be configured with a master password that is used to generate encrypted keys for shared secrets.

Description

Remediation - Manual Procedure