Update tables and lists of mitigations for consistency (27ed020c) · Commits · STAN4CRA / EN 304 620 Virtual Private Networks Part 1

EN-304-620-1.md

+25 −24

Original line number	Diff line number	Diff line
		@@ -501,18 +501,18 @@ Once the present document is cited in the Official Journal of the European Union

		\| CRA requirement \| Technical security requirements(s) \|
		\|-------------------------------------------------\|-------------------------------------\|
		\| No known exploitable vulnerabilities \| NKEV \|
		\| No known exploitable vulnerabilities \| NKEV, SSSD, SCUD, NUTI, LOGG \|
		\| Secure design, development, production \| SSDD \|
		\| Secure by default configuration \| ROUT, DNSL, EISO, TRAF \|
		\| Secure updates \| SCUD \|
		\| Authentication and access control mechanisms \| AUTH, TRAF \|
		\| Authentication and access control mechanisms \| AUTH \|
		\| Confidentiality protection \| AUTH, ROUT, DNSL, EISO, IPV6, CRYPT \|
		\| Integrity protection for data and configuration \| CONF, DNSL \|
		\| Data minimisation \| DMIN \|
		\| Availability protection \| AVAI \|
		\| Minimise impact on other devices or services \| NUTI \|
		\| Limit attack surface \| EISO, NUTI \|
		\| Exploit mitigation by limiting incident impact \| EISO, NUTI \|
		\| Exploit mitigation by limiting incident impact \| SSD, EISO, NUTI \|
		\| Logging and monitoring mechanisms \| LOGG \|
		\| Secure deletion and data transfer \| SCDL, SDTR \|
		\| Vulnerability handling \| VULH \|
		@@ -930,7 +930,7 @@ Table: _Table C.13_

		Table: _Table C.14_

		Requirements that mitigate this threat: CRYPT, AUTH, ROUT, DNSL
		Requirements that mitigate this threat: EISO, CRYPT, AUTH, ROUT, DNSL

		Mitigations for Likelihood:

		@@ -964,13 +964,13 @@ Table: _Table C.13_

		Table: _Table C.14_

		Requirements that mitigate this threat: NUTI, CRYPT, AUTH, ROUT, DNSL
		Requirements that mitigate this threat: CRYPT, AUTH, ROUT, DNSL

		Mitigations for Likelihood:

		* Medium to Low: NUTI-1, CRYPT-2, ROUT-1, AUTH-1, AUTH-2
		* Medium to Low: CRYPT-2, ROUT-1, AUTH-1, AUTH-2

		* High to Low: NUTI-1, NUTI-2, DNSL-6, CRYPT-1, CRYPT-2, ROUT-1, ROUT-2, ROUT-3, AUTH-1, AUTH-2, AUTH-3, AUTH-4, AUTH-5, AUTH-6
		* High to Low: DNSL-6, CRYPT-1, CRYPT-2, ROUT-1, ROUT-2, ROUT-3, AUTH-1, AUTH-2, AUTH-3, AUTH-4, AUTH-5, AUTH-6

		Mitigations for Impact:

		@@ -1043,7 +1043,7 @@ Mitigations for Impact:

		* High to Low: CDST

		### C.4.12 TH-CONF: Access to assets via configuration errors in single endpoint VPN
		### C.4.12 TH-CNFS: Access to assets via configuration errors in single endpoint VPN

		Attacker may use configuration errors to get unauthorised access to product assets in a single endpoint VPN.

		@@ -1077,7 +1077,7 @@ Mitigations for Impact:

		* High to Low: AUTH-3, AUTH-4, AUTH-5, LOGG-1, LOGG-2, CDST

		### C.4.12 TH-CONF: Access to assets via configuration errors in a multi-endpoint VPN
		### C.4.12 TH-CNFM: Access to assets via configuration errors in a multi-endpoint VPN

		Attacker may use configuration errors to get unauthorised access to product assets in a multi-endpoint VPN.

		@@ -1097,7 +1097,7 @@ Table: _Table C.19_

		Table: _Table C.20_

		Requirements that mitigate this threat: CONF, TRAF, IPv6, CDST, DMIN, LOGG
		Requirements that mitigate this threat: CONF, TRAF, IPv6, CDST, LOGG

		Mitigations for Likelihood:

		@@ -1182,18 +1182,18 @@ Mitigations for Impact:
		Attacker may get unauthorised access to confidential data stored on the product through access to or acquisition of a device containing the used product.

		\| Risk factors \| Likelihood \| Security profiles \|
		\|------------------------------\|------------\|-------------------\|
		\| ADM > 0 & DAT = 2 & FUN = 2 \| High \| SP-3 \|
		\| all others \| Medium \| SP-2, SP-4 \|
		\| ADM = 0 or DAT = 0 & FUN = 0 \| Low \| SP-1, SP-5 \|
		\|-------------------\|------------\|-------------------\|
		\| ADM > 0 & DAT = 2 \| High \| SP-3, SP-4 \|
		\| all others \| Medium \| SP-2, SP-5 \|
		\| DAT = 0 \| Low \| SP-1 \|

		Table: _Table C.25_

		\| Risk factors \| Impact \| Security profiles \|
		\|-------------------\|--------\|-------------------\|
		\| DAT = 2 & FUN = 2 \| High \| SP-3, SP-5 \|
		\| all others \| Medium \| SP-2, SP-4 \|
		\| DAT = 0 & FUN = 0 \| Low \| SP-1 \|
		\|--------------\|--------\|-------------------\|
		\| DAT = 2 \| High \| SP-3, SP-4, SP-5 \|
		\| all others \| Medium \| SP-2, \|
		\| DAT = 0 \| Low \| SP-1 \|

		Table: _Table C.26_

		@@ -1295,8 +1295,8 @@ This clause describes the methodology followed in the current text.

		\| Threat \| Requirements \|
		\|--------\|-------------------------------------------------------------\|
		\| UEVU \| SSDD, LOGG, VULH \|
		\| KEVU \| NKEV, SSDD, LOGG, VULH \|
		\| UEVU \| SSDD, NUTI, LOGG \|
		\| KEVU \| NKEV, SSDD, SCUD, NUTI, LOGG, VULH \|
		\| UEAC \| AUTH, DMIN \|
		\| RDOS \| AVAI \|
		\| MITM \| CRYPT, LOGG \|
		@@ -1305,7 +1305,8 @@ This clause describes the methodology followed in the current text.
		\| PLNM \| CRYPT, AUTH, ROUT, DNSL \|
		\| UNAA \| AUTH, LOGG \|
		\| LDEL \| LOGG \|
		\| CONF \| CONF, TRAF, IPv6, CDST, DMIN, LOGG \|
		\| CNFS \| CONF, TRAF, IPv6, CDST, LOGG \|
		\| CNFM \| CONF, TRAF, IPv6, CDST, LOGG \|
		\| META \| TODO \|
		\| RCOM \| TODO \|
		\| USED \| AUTH, CDST, SCDL, SDEF \|

Original line number	Diff line number	Diff line
		@@ -501,18 +501,18 @@ Once the present document is cited in the Official Journal of the European Union

		\| CRA requirement \| Technical security requirements(s) \|
		\|-------------------------------------------------\|-------------------------------------\|
		\| No known exploitable vulnerabilities \| NKEV \|
		\| No known exploitable vulnerabilities \| NKEV, SSSD, SCUD, NUTI, LOGG \|
		\| Secure design, development, production \| SSDD \|
		\| Secure by default configuration \| ROUT, DNSL, EISO, TRAF \|
		\| Secure updates \| SCUD \|
		\| Authentication and access control mechanisms \| AUTH, TRAF \|
		\| Authentication and access control mechanisms \| AUTH \|
		\| Confidentiality protection \| AUTH, ROUT, DNSL, EISO, IPV6, CRYPT \|
		\| Integrity protection for data and configuration \| CONF, DNSL \|
		\| Data minimisation \| DMIN \|
		\| Availability protection \| AVAI \|
		\| Minimise impact on other devices or services \| NUTI \|
		\| Limit attack surface \| EISO, NUTI \|
		\| Exploit mitigation by limiting incident impact \| EISO, NUTI \|
		\| Exploit mitigation by limiting incident impact \| SSD, EISO, NUTI \|
		\| Logging and monitoring mechanisms \| LOGG \|
		\| Secure deletion and data transfer \| SCDL, SDTR \|
		\| Vulnerability handling \| VULH \|
		@@ -930,7 +930,7 @@ Table: _Table C.13_

		Table: _Table C.14_

		Requirements that mitigate this threat: CRYPT, AUTH, ROUT, DNSL
		Requirements that mitigate this threat: EISO, CRYPT, AUTH, ROUT, DNSL

		Mitigations for Likelihood:

		@@ -964,13 +964,13 @@ Table: _Table C.13_

		Table: _Table C.14_

		Requirements that mitigate this threat: NUTI, CRYPT, AUTH, ROUT, DNSL
		Requirements that mitigate this threat: CRYPT, AUTH, ROUT, DNSL

		Mitigations for Likelihood:

		* Medium to Low: NUTI-1, CRYPT-2, ROUT-1, AUTH-1, AUTH-2
		* Medium to Low: CRYPT-2, ROUT-1, AUTH-1, AUTH-2

		* High to Low: NUTI-1, NUTI-2, DNSL-6, CRYPT-1, CRYPT-2, ROUT-1, ROUT-2, ROUT-3, AUTH-1, AUTH-2, AUTH-3, AUTH-4, AUTH-5, AUTH-6
		* High to Low: DNSL-6, CRYPT-1, CRYPT-2, ROUT-1, ROUT-2, ROUT-3, AUTH-1, AUTH-2, AUTH-3, AUTH-4, AUTH-5, AUTH-6

		Mitigations for Impact:

		@@ -1043,7 +1043,7 @@ Mitigations for Impact:

		* High to Low: CDST

		### C.4.12 TH-CONF: Access to assets via configuration errors in single endpoint VPN
		### C.4.12 TH-CNFS: Access to assets via configuration errors in single endpoint VPN

		Attacker may use configuration errors to get unauthorised access to product assets in a single endpoint VPN.

		@@ -1077,7 +1077,7 @@ Mitigations for Impact:

		* High to Low: AUTH-3, AUTH-4, AUTH-5, LOGG-1, LOGG-2, CDST

		### C.4.12 TH-CONF: Access to assets via configuration errors in a multi-endpoint VPN
		### C.4.12 TH-CNFM: Access to assets via configuration errors in a multi-endpoint VPN

		Attacker may use configuration errors to get unauthorised access to product assets in a multi-endpoint VPN.

		@@ -1097,7 +1097,7 @@ Table: _Table C.19_

		Table: _Table C.20_

		Requirements that mitigate this threat: CONF, TRAF, IPv6, CDST, DMIN, LOGG
		Requirements that mitigate this threat: CONF, TRAF, IPv6, CDST, LOGG

		Mitigations for Likelihood:

		@@ -1182,18 +1182,18 @@ Mitigations for Impact:
		Attacker may get unauthorised access to confidential data stored on the product through access to or acquisition of a device containing the used product.

		\| Risk factors \| Likelihood \| Security profiles \|
		\|------------------------------\|------------\|-------------------\|
		\| ADM > 0 & DAT = 2 & FUN = 2 \| High \| SP-3 \|
		\| all others \| Medium \| SP-2, SP-4 \|
		\| ADM = 0 or DAT = 0 & FUN = 0 \| Low \| SP-1, SP-5 \|
		\|-------------------\|------------\|-------------------\|
		\| ADM > 0 & DAT = 2 \| High \| SP-3, SP-4 \|
		\| all others \| Medium \| SP-2, SP-5 \|
		\| DAT = 0 \| Low \| SP-1 \|

		Table: _Table C.25_

		\| Risk factors \| Impact \| Security profiles \|
		\|-------------------\|--------\|-------------------\|
		\| DAT = 2 & FUN = 2 \| High \| SP-3, SP-5 \|
		\| all others \| Medium \| SP-2, SP-4 \|
		\| DAT = 0 & FUN = 0 \| Low \| SP-1 \|
		\|--------------\|--------\|-------------------\|
		\| DAT = 2 \| High \| SP-3, SP-4, SP-5 \|
		\| all others \| Medium \| SP-2, \|
		\| DAT = 0 \| Low \| SP-1 \|

		Table: _Table C.26_

		@@ -1295,8 +1295,8 @@ This clause describes the methodology followed in the current text.

		\| Threat \| Requirements \|
		\|--------\|-------------------------------------------------------------\|
		\| UEVU \| SSDD, LOGG, VULH \|
		\| KEVU \| NKEV, SSDD, LOGG, VULH \|
		\| UEVU \| SSDD, NUTI, LOGG \|
		\| KEVU \| NKEV, SSDD, SCUD, NUTI, LOGG, VULH \|
		\| UEAC \| AUTH, DMIN \|
		\| RDOS \| AVAI \|
		\| MITM \| CRYPT, LOGG \|
		@@ -1305,7 +1305,8 @@ This clause describes the methodology followed in the current text.
		\| PLNM \| CRYPT, AUTH, ROUT, DNSL \|
		\| UNAA \| AUTH, LOGG \|
		\| LDEL \| LOGG \|
		\| CONF \| CONF, TRAF, IPv6, CDST, DMIN, LOGG \|
		\| CNFS \| CONF, TRAF, IPv6, CDST, LOGG \|
		\| CNFM \| CONF, TRAF, IPv6, CDST, LOGG \|
		\| META \| TODO \|
		\| RCOM \| TODO \|
		\| USED \| AUTH, CDST, SCDL, SDEF \|