Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-17699 | RTS-VTC 2820.00 | SV-18873r2_rule | DCBP-1 ECLP-1 ECPA-1 IAIA-1 IAIA-2 | Medium |
Description |
---|
Large conference room VTC systems may be built into the conference room in such a way that a hand-held remote control cannot directly access or control the CODEC because it is located in another room such as an AV control room. While there are systems and methods for extending the control signals from the hand-held remote control to the CODEC, many times the CODEC is connected to an AV control panel (typically called a “touch panel”) that sits on the conference table or possibly a podium. While this panel can be connected to the CODEC wirelessly (as discussed later) or via a wired IP connection, typically the connection is via an EIA-232 serial connection on the CODEC. To give the “touch panel” the ability to control the CODEC, the CODEC contains an Application Programmers Interface (API) control program. All functions that are available on the hand-held remote control are typically duplicated on the “touch panel” Typically a VTC CODEC’s API provides full access to all configuration settings and control commands supported but the CODEC. This can be a big problem if the command channel is compromised because this would give the attacker the ability to reconfigure the CODEC or its features and capabilities and not just control them. To mitigate this problem, the CODEC’s API must provide a separation of the commands that control the system from the commands related to user and administrator configuration settings. If a password/PIN is implemented for user settings as required above, the touch panel must support the manual entry of the user configuration password/PIN assuming they will need to be accessed via the touch panel. Similarly, administrator settings should not be accessible from the touch panel or the interface on the CODEC that it uses without the use of an administrator password/PIN. Such separation/segregation of access to privileged commands is required by DoDI 8500.2 IA controls ECLP-1 and ECPA-1. |
STIG | Date |
---|---|
Video Services Policy STIG | 2014-06-26 |
Check Text ( C-18969r1_chk ) |
---|
[IP][ISDN]; Interview the IAO to validate compliance with the following requirement: Ensure a CODEC’s API does not provide unrestricted access to user or administrator configuration settings and without the use of an appropriate password in addition to any regular user activation password/PIN. Review the vendor documentation on the API. Look for information on restricting access to user or administrator configuration settings. Determine what user or administrator configuration settings are accessible or programmable via the API. Determine all API access methods and communications protocols, meaning local serial connection or “remotely” via a network. AND Establish a connection to the CODEC’s API using the information gained above and a PC; disconnect any AV control panel if necessary. Attempt to gain access and to change various user or administrator configuration settings via the API. This is a finding if the user or administrator configuration settings are unprotected and/or easily changeable. |
Fix Text (F-17596r1_fix) |
---|
[IP][ISDN]; Perform the following tasks: Purchase and implement VTC CODECs that support the restriction of access to user or administrator configuration settings via the API. AND Configure VTC CODECs to restrict access to user or administrator configuration settings via the API. |