| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-21515 | VVoIP/VTC 1615 (GENERAL) | SV-23724r2_rule | ECSC-1 | Medium |
| Description |
|---|
| Hardware-based VVoIP and IP-VTC endpoints sometimes contain a web server for the implementation of various functions and features. In many cases these are used to configure the network settings or user preferences on the device. In some VVoIP phones, a user can access a missed call list, call history, or other information. If access to such a web server is not restricted to authorized entities, the device supporting it is subject to unauthorized access and compromise. |
| STIG | Date |
|---|---|
| Voice/Video over Internet Protocol (VVoIP) STIG | 2015-12-29 |
| Check Text (C-25758r1_chk) |
|---|
| Interview the IAO to validate compliance with the following requirement: Ensure web servers embedded in hardware-based VVoIP and IP-VTC endpoints restrict their accessibility to authorized devices through an authentication mechanism or, minimally, IP address filtering, or are otherwise disabled. Further ensure that if the connection is for direct user or administrative functions, the user is authenticated minimally with a username and password. This is a finding if the endpoint accepts HTTP connections from any source other than those specifically authorized to access it. |
| Fix Text (F-22305r1_fix) |
|---|
| Ensure web servers embedded in hardware-based VVoIP and IP-VTC endpoints restrict their accessibility to authorized devices through an authentication mechanism or, minimally, IP address filtering, or are otherwise disabled. Configure the endpoint's web server to authenticate, or minimally filter by IP address, all automated machine-to-machine connections. Configure the web server to authenticate users and administrators using, at a minimum, a username and password. |