
The integrity of VVoIP endpoint configuration files downloaded by hardware or PC based VVoIP endpoints during endpoint registration is not validated using digital signatures.


Overview

Finding ID: V-16115
Version: VVoIP 1935 (GENERAL)
Rule ID: SV-17103r1_rule
IA Controls: DCBP-1, ECSC-1
Severity: Medium

Description
During VVoIP endpoint registration with the LSC, a file is downloaded by the endpoint from the LSC that contains specific configuration parameters needed by the endpoint to operate as needed to support its assigned user. This file contains the phone number assigned to the endpoint; the IP addresses (or URLs) of the LSC(s) with which the endpoint is associated; the software menus specific to the system; the password used to access the endpoint’s configuration; the user’s personal preferences and speed dial numbers; as well as other information critical to the operation of the endpoint.

NOTE: Hardware based VVoIP endpoints are like diskless computers on the LAN which need to download an operating system and configurations before they can operate. The code necessary to download this OS is stored in ROM or Flash Memory and is called firmware. To varying degrees some, most, or all of the endpoint’s OS can be stored on the device as firmware. The more of the OS that is stored on the device, the quicker it initializes. In any case, no matter how much of the OS is stored as firmware, each endpoint requires a customized configuration settings file to be downloaded that individualizes the endpoint to meet the needs of the user to which it is assigned. These configuration settings can be updated occasionally or regularly by resetting and re-registering the endpoint, which causes an updated configuration file to be downloaded.

Many PC based communications applications are fully configured locally on the platform; however, in some cases they rely on a configuration file downloaded from the system with which they are associated. The integrity of these files is critical to preventing compromise of the PC application, hardware endpoint, and the system itself. The best method for maintaining the integrity of these files is to require that they be digitally signed. This can prevent man-in-the-middle attacks where the configuration file could be modified in transit or the source of the file spoofed. Digital signatures and the file integrity must also be validated before the configuration file is used.

NOTE: DoD PKI machine certificates are preferred for digital file signing; however, a vendor generated certificate would provide similar, albeit not the same, protection. LSCs and endpoints are to be assigned DoD machine certificates when the system operates as part of the DISN IPVS network. These certificates are also used for encryption purposes.

STIG: Voice/Video Services Policy STIG
Date: 2014-04-07

Details

Check Text (C-17159r1_chk)
Interview the IAO to validate compliance with the following requirement:

Ensure PC based or hardware based voice, video, UC, or collaboration communications endpoints or applications that require configurations to be downloaded from the system (LSC) with which they are associated accept only those configuration files that are digitally signed by the proper authority (e.g., using a DoD PKI certificate). Further ensure the digital signature and integrity of the file are validated before the endpoint uses the file.

Ask the IAO and/or consult the vendor and/or the system documentation to determine if downloaded configuration files are digitally signed and that the digital signature is validated before the endpoint uses the file. This is a finding if either condition is not met. Additionally determine if the certificates used are DoD PKI machine certificates. This is a CAT III finding if DoD PKI certificates are not used but the integrity of the file is validated against a vendor generated certificate.

This is not a finding in the event the following mitigations are employed:
> Disable automatic configuration file download on endpoint registration
> Pre-install the configuration file before the endpoint is deployed to its user using a dedicated and segregated “Provisioning” LAN or VLAN that is local to the LSC having restricted access to or from VLANs other than the LSC VLAN. This will ensure the configuration file is sourced from the LSC eliminating the need for a file integrity check, and will limit its exposure eliminating the need to encrypt.
Fix Text (F-16221r1_fix)
Ensure PC based or hardware based voice, video, UC, or collaboration communications endpoints or applications that require configurations to be downloaded from the system (LSC) with which they are associated accept only those configuration files that are digitally signed by the proper authority (e.g., using a DoD PKI certificate). Further ensure the digital signature and integrity of the file are validated before the endpoint uses the file.

Configure PC based or hardware based endpoint configuration downloads to use digital signatures. Additionally configure the application to validate the digital signature and the integrity of the configuration file prior to using the file. Additionally configure the system to use DoD PKI certificates.
OR
Employ the following mitigations:
> Disable automatic configuration file download on endpoint registration
> Pre-install the configuration file before the endpoint is deployed to its user using a dedicated and segregated “Provisioning” LAN or VLAN that is local to the LSC having restricted access to or from VLANs other than the LSC VLAN.
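
The validate-before-use behaviour that the check and fix text require can be sketched with the openssl command line. This is an added example, not part of the STIG or of any vendor's implementation. The file names, addresses and key pair are constructed, and a pinned public key stands in for the LSC's signing certificate, so certificate chain validation to DoD PKI is not shown.

```shell
#!/bin/sh
# Added example: verify-before-use for a downloaded endpoint configuration file.
# File names, addresses and the key pair are constructed for the demo; a real
# LSC would sign with the key of its DoD PKI (or vendor) signing certificate.
WORK=$(mktemp -d)

# LSC side (demo only): create a signing key and publish its public half.
make_demo_signer() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/lsc_sign.key" 2>/dev/null &&
    openssl ec -in "$WORK/lsc_sign.key" -pubout -out "$WORK/lsc_sign.pub" 2>/dev/null
}

# LSC side: write a detached SHA-256 signature next to the config file.
sign_config() {
    openssl dgst -sha256 -sign "$WORK/lsc_sign.key" -out "$1.sig" "$1"
}

# Endpoint side: install the download only if its signature verifies against
# the pinned public key. A bad or missing signature leaves the active
# configuration untouched (fail closed).
apply_config() {
    cfg=$1; active=$2
    [ -s "$cfg" ] && [ -s "$cfg.sig" ] || return 1
    result=$(openssl dgst -sha256 -verify "$WORK/lsc_sign.pub" \
        -signature "$cfg.sig" "$cfg" 2>/dev/null || true)
    [ "$result" = "Verified OK" ] || return 1
    cp "$cfg" "$active"
}

demo() {
    make_demo_signer || return 2
    printf 'extension=5551000\nlsc=192.0.2.10\n' > "$WORK/phone.cfg"
    sign_config "$WORK/phone.cfg"
    apply_config "$WORK/phone.cfg" "$WORK/active.cfg" && echo "signed config applied"
    # Simulated in-transit modification: the LSC address changes after signing.
    sed 's/192.0.2.10/198.51.100.66/' "$WORK/phone.cfg" > "$WORK/tampered.cfg"
    cp "$WORK/phone.cfg.sig" "$WORK/tampered.cfg.sig"
    apply_config "$WORK/tampered.cfg" "$WORK/active.cfg" || echo "tampered config rejected"
}
demo
```

The endpoint keeps its last known-good configuration whenever verification fails, which is the property an assessor should confirm in vendor documentation or by test.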