Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-21515 | VVoIP/VTC 1615 (GENERAL) | SV-23724r2_rule | ECSC-1 | Medium |
Description |
---|
Hardware based VVoIP and IP-VTC endpoints sometimes contain a web server for the implementation of various functions and features. In many cases these are used to configure the network settings or user preferences on the device. In some VVoIP phones, a user can access a missed call list, call history, or other information. If access to such a web server is not restricted to authorized entities, the device supporting it is subject to unauthorized access and compromise. |
STIG | Date |
---|---|
Voice/Video over Internet Protocol (VVoIP) STIG | 2017-01-04 |
Check Text ( C-25758r1_chk ) |
---|
Interview the IAO to validate compliance with the following requirement: Ensure web servers embedded in hardware based VVoIP and IP-VTC endpoints restrict their accessibility to authorized devices through an authentication mechanism or minimally IP address filtering, or are otherwise disabled. Further ensure that if the connection is for direct user or administrative functions, the user is authenticated minimally with a username and password. This is a finding in the event the endpoint accepts HTTP connections from any source, except those that are specifically authorized access. |
Fix Text (F-22305r1_fix) |
---|
Ensure web servers embedded in hardware based VVoIP and IP-VTC endpoints restrict their accessibility to authorized devices through an authentication mechanism or minimally IP address filtering, or are otherwise disabled. Configure the endpoint’s web server to authenticate or minimally filter by IP address all automated machine to machine connections. Configure the web server to minimally authenticate users and administrators using a username and password. |