UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The hardware Voice Video Endpoint using SIP or AS-SIP signaling must prevent cross-site scripting attacks caused by improper filtering or validation of the content of SIP invitation fields.


Overview

Finding ID Version Rule ID IA Controls Severity
V-66711 SRG-NET-000147-VVEP-00016 SV-81201r1_rule Medium
Description
A cross-site scripting vulnerability has been demonstrated by adding scripting code to the "From:" field in the SIP invite. Upon receiving the invite, the embedded code can be executed by a vulnerable embedded web server to download additional malicious code and launch an attack. The demonstration of the vulnerability also exists on www.securityfocus.com under Bugtraq ID: 25987, which pops up a specific alert box on the user’s workstation after downloading a SIP invite. While this vulnerability has been demonstrated on a specific IP phone, it could potentially affect all SIP-based endpoints or clients and their signaling partners. This vulnerability is a result of improper filtering or validation of the content of the various fields in the SIP invite and potentially the Session Description Protocol (SDP) portion of the invite. The injected code potentially causes malicious code to be run on the target device, to include an endpoint (hard or soft), a session controller, or any other SIP signaling partner. Additionally, this vulnerability may affect applications other than SIP VoIP clients, such as IM clients. A similar vulnerability results when URLs embedded in SIP messages are launched automatically.
STIG Date
Voice Video Endpoint Security Requirements Guide 2017-04-06

Details

Check Text ( C-67337r1_chk )
If the Voice Video Endpoint is not a hardware endpoint, this check procedure is Not Applicable.

Verify the hardware Voice Video Endpoint using SIP or AS-SIP signaling prevents cross-site scripting attacks caused by improper filtering or validation of the content of SIP invitation fields.

If the hardware Voice Video Endpoint does not use SIP or AS-SIP, this is not a finding.

If the hardware Voice Video Endpoint does not prevent cross-site scripting attacks caused by improper filtering or validation of the content of SIP invitation fields, this is a finding.
Fix Text (F-72787r1_fix)
Configure the hardware Voice Video Endpoint using SIP or AS-SIP signaling to prevent cross-site scripting attacks caused by improper filtering or validation of the content of SIP invitation fields.