The DISN NIPRNet IPVS firewall (EBC) is NOT configured to validate the structure and validity of AS-SIP messages such that malformed messages or messages containing errors are dropped before action is taken on the contents.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-19669	VVoIP 6320 (DISN-IPVS)	SV-21810r1_rule	ECSC-1	Low

Description
Malformed AS_SIP messages as well as messages containing errors could be an indication that an adversary is attempting some form of attack or denial-of-service. Such an attack is called fuzzing. Fuzzing is the deliberate sending of signaling messages that contain errors in an attempt to cause the target device to react in an inappropriate manner, such as the device could fail causing a denial-of-service or could permit traffic to pass that it would not normally permit. In some cases a target can be flooded with fuzzed messages. As such the EBC must not act on any portion of a signaling message that contains errors. It is possible that a malformed or erroneous message could be sent by the signaling partner and be properly hashed for integrity.

Description

Malformed AS_SIP messages as well as messages containing errors could be an indication that an adversary is attempting some form of attack or denial-of-service. Such an attack is called fuzzing. Fuzzing is the deliberate sending of signaling messages that contain errors in an attempt to cause the target device to react in an inappropriate manner, such as the device could fail causing a denial-of-service or could permit traffic to pass that it would not normally permit. In some cases a target can be flooded with fuzzed messages. As such the EBC must not act on any portion of a signaling message that contains errors. It is possible that a malformed or erroneous message could be sent by the signaling partner and be properly hashed for integrity.

STIG	Date
Voice/Video over Internet Protocol (VVoIP) STIG	2015-12-29

Details

Check Text ( C-24046r1_chk )
Interview the IAO to confirm compliance with the following requirement: Ensure the DISN NIPRNet IPVS firewall (EBC) is configured to validate the structure and validity of AS-SIP messages such that malformed messages or messages containing errors are dropped before action is taken on the contents. This is a finding in the event the EBC does not validate the correct format of the received AS-SIP message.

Check Text ( C-24046r1_chk )

Interview the IAO to confirm compliance with the following requirement:

Ensure the DISN NIPRNet IPVS firewall (EBC) is configured to validate the structure and validity of AS-SIP messages such that malformed messages or messages containing errors are dropped before action is taken on the contents.

This is a finding in the event the EBC does not validate the correct format of the received AS-SIP message.

Fix Text (F-20375r1_fix)
Ensure the DISN NIPRNet IPVS firewall (EBC) is configured to validate the structure and validity of AS-SIP messages such that malformed messages or messages containing errors are dropped before action is taken on its contents.