A VTC system/device is not running the latest DoD approved patches/firmware/software from system/device vendor.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-17705	RTS-VTC 3320.00	SV-18879r1_rule	DCBP-1 ECND-1 ECND-2 VIVM-1	Medium

Description
Some of today’s VTUs do not appropriately protect their passwords or access codes. Best practice and DoD policy dictates that authenticators are to be protected. This includes user account names, passwords, PINs, access codes, etc. The primary method used to protect these bits of information is encryption in transit for both the username and the password, and encryption of passwords in storage. It has been found that some VTC endpoint vendors do not provide this protection for passwords in storage, or at least, have not in the past. The first such vulnerability to be aware of is one where the administrator password can be obtained across the network by requesting certain files from the CODEC using a web browser. Once the file is accessed, the admin password is displayed in the clear within the source code for the page. The second such vulnerability to be aware of is one where, in one vendor’s product line, the user access codes are stored in a clear text file that is uploaded to the CODEC. This file is accessible from the FTP server on the CODEC. Access is, however, protected by the remote access password. One can only assume the vendor does not value these access codes as an IA measure since the discussion of their use relates to call accounting. Vulnerabilities like these and other issues are typically addressed by vendors like most issues are addressed, via patches to software, firmware upgrades, and major new releases of code. As such, it is good practice and a widely used DoD requirement that DoD systems should be running the latest version of software and install all patches to mitigate IA issues. Such is the purpose of the DoD IAVM program as required by DoD 8500.2 IA control VIVM-1 as well as mentioned in ECND-1 and ECND-2.

Description

Some of today’s VTUs do not appropriately protect their passwords or access codes. Best practice and DoD policy dictates that authenticators are to be protected. This includes user account names, passwords, PINs, access codes, etc. The primary method used to protect these bits of information is encryption in transit for both the username and the password, and encryption of passwords in storage. It has been found that some VTC endpoint vendors do not provide this protection for passwords in storage, or at least, have not in the past. The first such vulnerability to be aware of is one where the administrator password can be obtained across the network by requesting certain files from the CODEC using a web browser. Once the file is accessed, the admin password is displayed in the clear within the source code for the page. The second such vulnerability to be aware of is one where, in one vendor’s product line, the user access codes are stored in a clear text file that is uploaded to the CODEC. This file is accessible from the FTP server on the CODEC. Access is, however, protected by the remote access password. One can only assume the vendor does not value these access codes as an IA measure since the discussion of their use relates to call accounting. Vulnerabilities like these and other issues are typically addressed by vendors like most issues are addressed, via patches to software, firmware upgrades, and major new releases of code. As such, it is good practice and a widely used DoD requirement that DoD systems should be running the latest version of software and install all patches to mitigate IA issues. Such is the purpose of the DoD IAVM program as required by DoD 8500.2 IA control VIVM-1 as well as mentioned in ECND-1 and ECND-2.

STIG	Date
Video Teleconference STIG	2014-02-11

Details

Check Text ( C-18975r1_chk )
[IP][ISDN]; Interview the IAO and validate compliance with the following requirement: Ensure all VTC systems/devices within his/her control are running the latest DoD approved patches, firmware, and/or software from the VTC system/device vendor to ensure the most current IA vulnerability mitigations or fixes are employed. Note: It is highly recommended that all patches, firmware, and/or software applied to DoD ISs be digitally signed and appropriately hashed by the vendor to ensure its authenticity and integrity. This is a finding if a CODEC and other VTC equipment are not using latest software/firmware/patches from the VTC system/device vendor as tested and/or approved by the DoD. Validate that the latest software/firmware/patches are installed and inspect the documentation regarding DoD testing and approval of the installed versions.

Check Text ( C-18975r1_chk )

[IP][ISDN]; Interview the IAO and validate compliance with the following requirement:

Ensure all VTC systems/devices within his/her control are running the latest DoD approved patches, firmware, and/or software from the VTC system/device vendor to ensure the most current IA vulnerability mitigations or fixes are employed.

Note: It is highly recommended that all patches, firmware, and/or software applied to DoD ISs be digitally signed and appropriately hashed by the vendor to ensure its authenticity and integrity.

This is a finding if a CODEC and other VTC equipment are not using latest software/firmware/patches from the VTC system/device vendor as tested and/or approved by the DoD. Validate that the latest software/firmware/patches are installed and inspect the documentation regarding DoD testing and approval of the installed versions.

Fix Text (F-17602r1_fix)
[IP][ISDN]; Perform the following tasks: Ensure updates to software firmware are patched, tested, and approved by a DoD entity prior to installation of such updates and patches per DoD policy. AND Install the latest DoD approved patches/firmware/software from system/device vendor.