A CODEC's local Application Programmers Interface (API) provides unrestricted access to user or administrator configuration settings and CODEC controls without the use of an appropriate password.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-17699	RTS-VTC 2820.00	SV-18873r2_rule	DCBP-1 ECLP-1 ECPA-1 IAIA-1 IAIA-2	Medium

Description
Large conference room VTC systems may be built into the conference room in such a way that a hand-held remote control cannot directly access or control the CODEC because it is located in another room such as an AV control room. While there are systems and methods for extending the control signals from the hand-held remote control to the CODEC, many times the CODEC is connected to an AV control panel (typically called a “touch panel”) that sits on the conference table or possibly a podium. While this panel can be connected to the CODEC wirelessly (as discussed later) or via a wired IP connection, typically the connection is via an EIA-232 serial connection on the CODEC. To give the “touch panel” the ability to control the CODEC, the CODEC contains an Application Programmers Interface (API) control program. All functions that are available on the hand-held remote control are typically duplicated on the “touch panel” Typically a VTC CODEC’s API provides full access to all configuration settings and control commands supported but the CODEC. This can be a big problem if the command channel is compromised because this would give the attacker the ability to reconfigure the CODEC or its features and capabilities and not just control them. To mitigate this problem, the CODEC’s API must provide a separation of the commands that control the system from the commands related to user and administrator configuration settings. If a password/PIN is implemented for user settings as required above, the touch panel must support the manual entry of the user configuration password/PIN assuming they will need to be accessed via the touch panel. Similarly, administrator settings should not be accessible from the touch panel or the interface on the CODEC that it uses without the use of an administrator password/PIN. Such separation/segregation of access to privileged commands is required by DoDI 8500.2 IA controls ECLP-1 and ECPA-1.

Description

Large conference room VTC systems may be built into the conference room in such a way that a hand-held remote control cannot directly access or control the CODEC because it is located in another room such as an AV control room. While there are systems and methods for extending the control signals from the hand-held remote control to the CODEC, many times the CODEC is connected to an AV control panel (typically called a “touch panel”) that sits on the conference table or possibly a podium. While this panel can be connected to the CODEC wirelessly (as discussed later) or via a wired IP connection, typically the connection is via an EIA-232 serial connection on the CODEC. To give the “touch panel” the ability to control the CODEC, the CODEC contains an Application Programmers Interface (API) control program. All functions that are available on the hand-held remote control are typically duplicated on the “touch panel” Typically a VTC CODEC’s API provides full access to all configuration settings and control commands supported but the CODEC. This can be a big problem if the command channel is compromised because this would give the attacker the ability to reconfigure the CODEC or its features and capabilities and not just control them. To mitigate this problem, the CODEC’s API must provide a separation of the commands that control the system from the commands related to user and administrator configuration settings. If a password/PIN is implemented for user settings as required above, the touch panel must support the manual entry of the user configuration password/PIN assuming they will need to be accessed via the touch panel. Similarly, administrator settings should not be accessible from the touch panel or the interface on the CODEC that it uses without the use of an administrator password/PIN. Such separation/segregation of access to privileged commands is required by DoDI 8500.2 IA controls ECLP-1 and ECPA-1.

STIG	Date
Video Services Policy STIG	2015-02-05

Details

Check Text ( C-18969r1_chk )
[IP][ISDN]; Interview the IAO to validate compliance with the following requirement: Ensure a CODEC’s API does not provide unrestricted access to user or administrator configuration settings and without the use of an appropriate password in addition to any regular user activation password/PIN. Review the vendor documentation on the API. Look for information on restricting access to user or administrator configuration settings. Determine what user or administrator configuration settings are accessible or programmable via the API. Determine all API access methods and communications protocols, meaning local serial connection or “remotely” via a network. AND Establish a connection to the CODEC’s API using the information gained above and a PC; disconnect any AV control panel if necessary. Attempt to gain access and to change various user or administrator configuration settings via the API. This is a finding if the user or administrator configuration settings are unprotected and/or easily changeable.

Check Text ( C-18969r1_chk )

[IP][ISDN]; Interview the IAO to validate compliance with the following requirement:

Ensure a CODEC’s API does not provide unrestricted access to user or administrator configuration settings and without the use of an appropriate password in addition to any regular user activation password/PIN.

Review the vendor documentation on the API. Look for information on restricting access to user or administrator configuration settings. Determine what user or administrator configuration settings are accessible or programmable via the API. Determine all API access methods and communications protocols, meaning local serial connection or “remotely” via a network.
AND
Establish a connection to the CODEC’s API using the information gained above and a PC; disconnect any AV control panel if necessary. Attempt to gain access and to change various user or administrator configuration settings via the API.

This is a finding if the user or administrator configuration settings are unprotected and/or easily changeable.

Fix Text (F-17596r1_fix)
[IP][ISDN]; Perform the following tasks: Purchase and implement VTC CODECs that support the restriction of access to user or administrator configuration settings via the API. AND Configure VTC CODECs to restrict access to user or administrator configuration settings via the API.