
Hardware based VVoIP or IP-VTC endpoint contains a web server, the access to which is not restricted OR which is NOT disabled.


Overview

Finding ID: V-21515
Version: VVoIP/VTC 1615 (GENERAL)
Rule ID: SV-23724r2_rule
IA Controls: ECSC-1
Severity: Medium
Description
Hardware based VVoIP and IP-VTC endpoints sometimes contain a web server for the implementation of various functions and features. In many cases these are used to configure the network settings or user preferences on the device. In some VVoIP phones, a user can access a missed call list, call history, or other information. If access to such a web server is not restricted to authorized entities, the device supporting it is subject to unauthorized access and compromise.
STIG: Voice/Video over Internet Protocol STIG
Date: 2015-01-05

Details

Check Text (C-25758r1_chk)
Interview the IAO to validate compliance with the following requirement:

Ensure web servers embedded in hardware based VVoIP and IP-VTC endpoints restrict their accessibility to authorized devices through an authentication mechanism or minimally IP address filtering, or are otherwise disabled. Further ensure that if the connection is for direct user or administrative functions, the user is authenticated minimally with a username and password.

This is a finding if the endpoint accepts HTTP connections from any source other than those that are specifically authorized for access.

Fix Text (F-22305r1_fix)
Ensure web servers embedded in hardware based VVoIP and IP-VTC endpoints restrict their accessibility to authorized devices through an authentication mechanism or minimally IP address filtering, or are otherwise disabled.

Configure the endpoint’s web server to authenticate or minimally filter by IP address all automated machine-to-machine connections. Configure the web server to minimally authenticate users and administrators using a username and password.