
A unified messaging / mail, text-to-speech feature is enabled without providing proper CAC based authentication and access control to email and the sensitive information it contains.


Overview

Finding ID: V-19444
Version: VVoIP 1755 (GENERAL)
Rule ID: SV-21495r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Unified messaging / mail systems provide the capability to receive voicemails via email and, in some cases, to have emails read to the user via a text-to-speech feature when the system is accessed from a telephone (dial-in). For DoD, this presents two issues or vulnerabilities.

Access to voicemail from a telephone only requires the user's telephone number and a PIN. The telephone number is the account or mailbox number on the voicemail system, while the PIN is the user password for accessing the account. This is a rather weak authentication method.

The first issue for DoD is that DoD policy states that access to email requires CAC/PKI based authentication of the user before they are granted access to their email account. Additionally, CAC based PKI certificates are required to decrypt encrypted email. CAC based authentication is not available when using a standard telephone. While some organizations might implement CAC authenticated access to the site's phone system, such a facility is not available via most DoD phone systems and certainly not via the PSTN.

Additionally, while a non-CAC enabled text-to-speech feature would not be able to read encrypted email (which would be considered the most sensitive), the unencrypted email is still considered sensitive DoD information. The argument could be made that normal voicemail messages and regular telephone conversations can also contain sensitive information; however, there is typically more sensitive information in email.

Due to these two issues, email should not be accessible via the voicemail / unified messaging / mail text-to-speech feature in DoD. That said, this issue does not apply to DoD issued PDA/PED devices that provide CAC authenticated access to email. An example of such a device is the CAC enabled Blackberry. In this case, access to unified mail voicemail would be via the CAC authenticated email service, through which the user could listen to the voicemail.

Text-to-speech conversion would be permitted in this case, although caution should be used when listening to any voicemail, particularly in a public place. The use of a wired earphone is highly recommended. Wireless Bluetooth earphones or headsets are vulnerable; guidance for their use can be found in the Wireless STIG.
STIG: VOICE and VIDEO over INTERNET PROTOCOL (VVoIP) POLICY SECURITY TECHNICAL IMPLEMENTATION GUIDE
Date: 2010-08-17

Details

Check Text (C-23712r1_chk)
Interview the IAO to validate compliance with the following requirement:

In the event an email text-to-speech feature is employed or enabled in a unified messaging / mail system, and accessed via the dial-in voicemail access method, ensure DoD PKI/CAC based authentication is used to access the feature as is required for normal email access control. Otherwise, disable the text-to-speech feature as well as any other dial-up method that does not provide for CAC authentication for accessing email.

Determine if the site has implemented a unified mail system where voicemail is delivered via the user’s email mailbox. This will normally imply that email could be available via normal voicemail access from a standard telephone and that the email is read to the user via a text-to-speech conversion feature.

This is a finding in the event email is accessible via voicemail unless this access method employs CAC/PKI.

NOTE: Access to the email service must already be in compliance with DoD email access policy using CAC/PKI. Therefore, this requirement does not apply to accessing and listening to voicemail via the email service.

NOTE: This requirement does not apply to the text-to-speech feature in a unified messaging system that is implemented on a classified network such as the SIPRNet where CAC/PKI user authentication has not been established. When CAC/PKI authentication is implemented in the future on such networks, this caveat will not apply.
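The check text above, together with its two NOTE exceptions, amounts to a short decision procedure. The following is an added example (not part of the STIG or of any vendor's tooling) that encodes that procedure so an assessor can evaluate a site's unified messaging configuration consistently; the configuration fields and the values "pin", "cac_pki", "nipr" and "classified" are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Tuple


@dataclass
class UnifiedMessagingConfig:
    """Assumed (illustrative) description of a site's unified messaging setup."""
    voicemail_delivered_to_email: bool   # voicemail lands in the user's email mailbox
    email_tts_enabled: bool              # email can be read aloud via text-to-speech
    dial_in_voicemail_enabled: bool      # mailbox reachable from a standard telephone
    dial_in_auth: str                    # authentication on the dial-in path: "pin" or "cac_pki"
    network: str                         # "nipr" or "classified" (e.g. SIPRNet)
    classified_cac_pki_established: bool = False  # CAC/PKI rolled out on that classified network


def evaluate_v19444(cfg: UnifiedMessagingConfig) -> Tuple[str, str]:
    """Apply V-19444 to a configuration.

    Returns (status, reason) where status is one of
    'finding', 'not_a_finding' or 'not_applicable'.
    """
    # Second NOTE: classified network where CAC/PKI user authentication
    # has not been established -> the requirement does not apply.
    if cfg.network == "classified" and not cfg.classified_cac_pki_established:
        return "not_applicable", "classified network without CAC/PKI established"

    # No unified mail at all: email is never exposed through the voicemail system.
    if not cfg.voicemail_delivered_to_email:
        return "not_a_finding", "voicemail is not delivered via the email mailbox"

    # First NOTE: listening to voicemail through the (CAC-authenticated) email
    # service is out of scope; only the dial-in path with text-to-speech matters.
    if not (cfg.email_tts_enabled and cfg.dial_in_voicemail_enabled):
        return "not_a_finding", "email is not reachable via dial-in text-to-speech"

    # Email is reachable from a telephone: only CAC/PKI on that path is acceptable.
    if cfg.dial_in_auth == "cac_pki":
        return "not_a_finding", "dial-in access to email uses CAC/PKI authentication"
    return "finding", f"email readable via dial-in with {cfg.dial_in_auth} authentication"


def remediate(cfg: UnifiedMessagingConfig) -> UnifiedMessagingConfig:
    """Apply the fix text: disable text-to-speech when the configuration is a finding."""
    if evaluate_v19444(cfg)[0] == "finding":
        return UnifiedMessagingConfig(**{**cfg.__dict__, "email_tts_enabled": False})
    return cfg
```

`remediate` only models the "disable the text-to-speech feature" branch of the fix text; adding CAC/PKI to the dial-in path is the other acceptable outcome and is not something a script can do for you.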

Fix Text (F-20189r1_fix)
In the event an email text-to-speech feature is employed or enabled in a unified messaging system, and accessed via the dial-in voicemail access method, ensure CAC based authentication is used to access the feature as is required for normal email access control. Otherwise, disable the text-to-speech feature as well as any other dial-up method that does not provide for CAC authentication for accessing email.

Disable the text-to-speech feature of a unified mail service.

NOTE: This requirement does not apply to the text-to-speech feature in a unified messaging system that is implemented on a classified network such as the SIPRNet where CAC/PKI user authentication has not been established. When CAC/PKI authentication is implemented in the future on such networks, this caveat will not apply.