| Finding ID |
Severity |
Title |
Description |
|
V-259986
|
High |
The Enterprise Voice, Video, and Messaging Endpoint must prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0. |
Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.
This requirement applies to TLS gateways (also known as SSL gateways), web servers, and web applications. Application protocols such as HTTPS and DNSSEC use TLS as... |
|
V-259980
|
High |
The Enterprise Voice, Video, and Messaging Endpoint must be configured with a firmware release supported by the vendor. |
Operating a device with outdated firmware may leave the device with unmitigated security vulnerabilities. Vendors routinely update and patch firmware to address vulnerabilities. Operating with current supported firmware mitigates the vulnerabilities known by the vendor. |
|
V-259974
|
High |
The Enterprise Voice, Video, and Messaging Endpoint, when using passwords or PINs for authentication or authorization, must be configured to cryptographically protect the PIN or password. |
Passwords need to be protected at all times and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
This does not apply to authentication for the purpose of configuring the device itself (management). |
|
V-259973
|
High |
The Enterprise Voice, Video, and Messaging Endpoint must be configured to use FIPS-compliant algorithms for network traffic. |
Without protection of the transmitted information, confidentiality and integrity may be compromised as unprotected communications can be intercepted and either read or altered. TLS can be used to secure SIP and SCCP signaling by configuring the session manager in a secure mode.
DOD-to-DOD voice communications are generally considered to contain... |
|
V-259967
|
High |
The Enterprise Voice, Video, and Messaging Endpoint must be configured to terminate all network connections associated with a communications session at the end of the session. |
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by... |
|
V-259964
|
High |
The Enterprise Voice, Video, and Messaging Endpoint must be configured to uniquely identify participating users. |
To ensure accountability and prevent unauthenticated access, users must be identified to prevent potential misuse and compromise of the system. The Enterprise Voice, Video, and Messaging Endpoint must display the source of an incoming call and the participant's identity to aid the user in deciding whether to answer a call.... |
|
V-259963
|
High |
The Enterprise Voice, Video, and Messaging Endpoint must be configured to only use ports, protocols, and services allowed per the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and Vulnerability Assessments (VAs). |
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.
Network elements are capable of providing a wide variety of functions and... |
|
V-259942
|
High |
The Enterprise Voice, Video, and Messaging Endpoint must be configured to register with an Enterprise Voice, Video, and Messaging Session Manager. |
For most VoIP systems, registration is the process of centrally recording the user ID, endpoint MAC address, service/policy profile with two-stage authentication prior to authorizing the establishment of the session and user service. The event of successful registration creates the session record immediately. VC systems register using a similar process... |
|
V-259985
|
Medium |
For accounts using password or PINs for authentication, the Enterprise Voice, Video, and Messaging Endpoint must store only cryptographic representations of passwords. |
If passwords and PINs are not encrypted when stored, they may be read if the storage location is compromised.
Note that DOD requires the use two-factor, CAC-enabled authentication and the use of passwords incurs a permanent finding. Passwords should be used only in limited situations.
Examples of situations where a... |
|
V-259984
|
Medium |
The Enterprise Voice, Video, and Messaging Endpoint must display an explicit logout message to users indicating the reliable termination of communications sessions. |
If a user cannot explicitly end a session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Users need to be aware of whether or not the session has been terminated.
Logout messages for access, for example, can be displayed... |
|
V-259983
|
Medium |
The Enterprise Voice, Video, and Messaging Endpoint must provide a logout capability for user-initiated communications sessions. |
If a user cannot explicitly end a session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session.
However, for some types of interactive sessions including, for example, remote login, information systems typically send logout messages as final messages prior to... |
|
V-259982
|
Medium |
The Enterprise Voice, Video, and Messaging Endpoint must be configured to disable any auto answer features. |
An Enterprise Voice, Video, and Messaging Endpoint set to automatically answer a call with audio or video capabilities enabled risks transmitting information not intended for the caller. In the event an Enterprise Voice, Video, and Messaging Endpoint automatically answered a call during a classified meeting or discussion, potentially sensitive or... |
|
V-259981
|
Medium |
The Enterprise Voice, Video, and Messaging Endpoint must be configured to dynamically implement configuration file changes. |
Configuration management includes the management of security features and assurances through control of changes made to device hardware, software, and firmware throughout the life cycle of a product. Secure configuration management relies on performance and functional attributes of products to determine the appropriate security features and assurances used to measure... |
|
V-259979
|
Medium |
The Enterprise Voice, Video, and Messaging Endpoint must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. |
Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DOD that reflects the most restrictive security posture consistent with operational requirements.
Configuration settings are the set of parameters that can be changed that affect... |
|
V-259978
|
Medium |
The Enterprise Voice, Video, and Messaging Endpoint must, at a minimum, offload interconnected systems in real-time and offload standalone systems weekly. |
Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Offloading is a common process in information systems with limited audit storage capacity.
Audit records are commonly produced by session management and border elements. Many Enterprise Voice, Video, and Messaging Endpoints are not capable of providing... |
|
V-259977
|
Medium |
The Enterprise Voice, Video, and Messaging Endpoint must generate audit records showing starting and ending time for user access to the system. |
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.
Audit records are commonly produced by session management and border elements. Many Enterprise... |
|
V-259976
|
Medium |
The Enterprise Voice, Video, and Messaging Endpoint must generate audit records for privileged activities or other system-level access. |
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.
Audit records are commonly produced by session management and border elements. Many Enterprise... |
|
V-259975
|
Medium |
The Enterprise Voice, Video, and Messaging Endpoint must generate audit records when successful/unsuccessful logon attempts occur. |
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.
Audit records are commonly produced by session management and border elements. Many Enterprise... |
|
V-259972
|
Medium |
The Enterprise Voice, Video, and Messaging Endpoint must provide an explicit indication of current participants in all Videoconference (VC)-based and IP-based online meetings and conferences. |
Providing an explicit indication of current participants in teleconferences helps to prevent unauthorized individuals from participating in collaborative teleconference sessions without the explicit knowledge of other participants. Teleconferences allow groups of users to collaborate and exchange information. Without knowing who is in attendance, information could be compromised.
Network elements that... |
|
V-259971
|
Medium |
The Enterprise Voice, Video, and Messaging Endpoint must be configured to use cryptographic algorithms approved by NSA to protect NSS when transporting classified traffic across an unclassified network. |
Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data.
NIST cryptographic algorithms are approved by NSA to protect NSS. Based on an analysis of the impact of quantum computing, cryptographic algorithms specified by CNSSP-15 and approved for use in products in the CSfC... |
|
V-259970
|
Medium |
The Enterprise Voice, Video, and Messaging Endpoint must offload audit records onto a different system or media than the system being audited. |
Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Offloading is a common process in information systems with limited audit storage capacity.
Audit records are commonly produced by session management and border elements. Many Enterprise Voice, Video, and Messaging Endpoints are not capable of providing... |
|
V-259969
|
Medium |
In the event of a device failure, Enterprise Voice, Video, and Messaging Endpoints must preserve any information necessary to determine cause of failure and return to operations with least disruption to service. |
Failure in a known state can address safety or security in accordance with the mission needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system.... |
|
V-259968
|
Medium |
The Enterprise Voice, Video, and Messaging Endpoint must be configured to use FIPS-validated SHA-2 or higher to protect the authenticity of communications sessions. |
Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.
Although allowed by SP800-131Ar2 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. Unless required for legacy use, DOD systems should... |
|
V-259966
|
Medium |
The Enterprise Voice, Video, and Messaging Endpoint must be configured to implement replay-resistant authentication mechanisms for network access. |
A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack.
An authentication process resists replay attacks if it is impractical to achieve a successful authentication by... |
|
V-259965
|
Medium |
The Enterprise Voice, Video, and Messaging Endpoint must use multifactor authentication for network access to nonprivileged (nonadmin) accounts. |
To ensure accountability and prevent unauthenticated access, nonprivileged users must use multifactor authentication to prevent potential misuse and compromise of the system.
Multifactor authentication is implemented most often with software type endpoints, as this can be implemented at the operating system level. More recent advances in hardware may allow implementation... |
|
V-259962
|
Medium |
The Enterprise Voice, Video, and Messaging Endpoint must be configured to disable or remove nonessential capabilities. |
It is detrimental for Enterprise Voice, Video, and Messaging Endpoints when unnecessary features are enabled by default. Often these features are enabled by default with functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the... |
|
V-259961
|
Medium |
The Enterprise Voice, Video, and Messaging Endpoint must be configured to provide session (call detail) record generation capability. |
Session records are commonly produced by session management and border elements. Many Enterprise Voice, Video, and Messaging Endpoints are not capable of providing session records and instead rely on session management and border elements. Enterprise Voice, Video, and Messaging Endpoints capable of producing session records provide supplemental confirmation of monitored... |
|
V-259960
|
Medium |
The Enterprise Voice, Video, and Messaging Endpoint must be configured to produce session (call detail) records containing the identity of all users. |
Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event.
Audit records are commonly produced by session management and border elements. Many Enterprise Voice, Video, and Messaging Endpoints... |
|
V-259959
|
Medium |
The Enterprise Voice, Video, and Messaging Endpoint must be configured to produce session (call detail) records containing the outcome of the connection. |
Session records are commonly produced by session management and border elements. Many Enterprise Voice, Video, and Messaging Endpoints are not capable of providing session records and instead rely on session management and border elements. Enterprise Voice, Video, and Messaging Endpoints capable of producing session records provide supplemental confirmation of monitored... |
|
V-259958
|
Medium |
The Enterprise Voice, Video, and Messaging Endpoint must be configured to produce session (call detail) records containing the source of the connection. |
Session records are commonly produced by session management and border elements. Many Enterprise Voice, Video, and Messaging Endpoints are not capable of providing session records and instead rely on session management and border elements. Enterprise Voice, Video, and Messaging Endpoints capable of producing session records provide supplemental confirmation of monitored... |
|
V-259957
|
Medium |
The Enterprise Voice, Video, and Messaging Endpoint must be configured to produce session (call detail) records containing where the connection occurred. |
Session records are commonly produced by session management and border elements. Many Enterprise Voice, Video, and Messaging Endpoints are not capable of providing session records and instead rely on session management and border elements. Enterprise Voice, Video, and Messaging Endpoints capable of producing session records provide supplemental confirmation of monitored... |
|
V-259956
|
Medium |
The Enterprise Voice, Video, and Messaging Endpoint must be configured to produce session (call detail) records containing when (date and time) the connection occurred. |
Session records are commonly produced by session management and border elements. Many Enterprise Voice, Video, and Messaging Endpoints are not capable of providing session records and instead rely on session management and border elements. Enterprise Voice, Video, and Messaging Endpoints capable of producing session records provide supplemental confirmation of monitored... |
|
V-259955
|
Medium |
The Enterprise Voice, Video, and Messaging Endpoint must be configured to produce session (call detail) records containing what type of connection occurred. |
Session records are commonly produced by session management and border elements. Many Enterprise Voice, Video, and Messaging Endpoints are not capable of providing session records and instead rely on session management and border elements. Enterprise Voice, Video, and Messaging Endpoints capable of producing session records provide supplemental confirmation of monitored... |
|
V-259954
|
Medium |
The Enterprise Voice, Video, and Messaging Endpoint must be configured to limit the number of concurrent sessions to an organizationally defined number. |
Enterprise Voice, Video, and Messaging Endpoint management includes the ability to control the number of user sessions and limiting the number of allowed user sessions helps limit risk related to DoS attacks. Enterprise Voice, Video, and Messaging Endpoint sessions occur peer-to-peer for media streams and client-server with session managers. For... |
|
V-259953
|
Medium |
The Enterprise Voice, Video, and Messaging Endpoint must notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access). |
Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.
This... |
|
V-259952
|
Medium |
The Enterprise Voice, Video, and Messaging Endpoint must notify the user, upon successful logon (access) to the network element, of the date and time of the last logon (access). |
Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.
This applies to network elements... |
|
V-259951
|
Medium |
The Enterprise Voice, Video, and Messaging Endpoint must be configured to retain the Standard Mandatory DOD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access. |
The banner must be acknowledged by the user prior to allowing the user access to the network. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DOD will not be in compliance with... |
|
V-259950
|
Medium |
The Enterprise Voice, Video, and Messaging Endpoint must be configured to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the network. |
|
|
V-259949
|
Medium |
The Enterprise Voice, Video, and Messaging Endpoint must be configured to apply 802.1Q VLAN tags to signaling and media traffic. |
When Enterprise Voice, Video, and Messaging Endpoints do not dynamically assign 802.1Q VLAN tags as data is created and combined, it is possible the VLAN tags will not correctly reflect the data type with which they are associated. VLAN tags are used as security attributes. These attributes are typically associated... |
|
V-259948
|
Medium |
The Enterprise Voice, Video, and Messaging Endpoint must be configured to disable the Far End Camera Control feature if supported. |
Many VTC endpoints support Far End Camera Control (FECC). This feature uses H.281 protocol, which must be supported by both VTUs. Typically, this is only available during an active VTC session but could be available if the VTU is compromised or if a call is automatically answered. Allowing another conference... |
|
V-259947
|
Medium |
The Enterprise Voice, Video, and Messaging Endpoint must be configured to use a voice video VLAN, separate from all other VLANs. |
Virtualized networking is used to separate voice video traffic from other types of traffic, such as data, management, and other special types. VLANs provide segmentation at layer 2. Virtual Routing and Forwarding (VRF) provides segmentation at layer 3 and works with Multiprotocol Label Switching (MPLS) for enterprise and WAN environments.... |
|
V-259946
|
Medium |
The Enterprise Voice, Video, and Messaging Endpoint not supporting 802.1x must be configured to use MAC Authentication Bypass (MAB) on the access switchport. |
IEEE 802.1x is a protocol used to control access to LAN services via a network access switchport or wireless access point that requires a device or user to authenticate to the network element and become authorized by the authentication server before accessing the network. This standard is used to activate... |
|
V-259945
|
Medium |
The Enterprise Voice, Video, and Messaging Endpoint PC port must be configured to connect to an 802.1x supplicant or the PC port must be disabled. |
IEEE 802.1x is a protocol used to control access to LAN services via a network access switchport or wireless access point that requires a device or user to authenticate to the network element and become authorized by the authentication server before accessing the network. This standard is used to activate... |
|
V-259944
|
Medium |
The Enterprise Voice, Video, and Messaging Endpoint must be configured to integrate into the implemented 802.1x network access control system. |
IEEE 802.1x is a protocol used to control access to LAN services via a network access switchport or wireless access point that requires a device or user to authenticate to the network element and become authorized by the authentication server before accessing the network. This standard is used to activate... |
|
V-259943
|
Medium |
The Enterprise Voice, Video, and Messaging Endpoint PC port must be configured to maintain VLAN separation from the voice video VLAN, or be disabled. |
Virtualized networking is used to separate voice video traffic from other types of traffic, such as data, management, and other special types. VLANs provide segmentation at layer 2. Virtual Routing and Forwarding (VRF) provides segmentation at layer 3 and works with Multiprotocol Label Switching (MPLS) for enterprise and WAN environments.... |
|
V-259941
|
Medium |
The Enterprise Voice, Video, and Messaging Endpoint must be configured to prevent the configuration or display of configuration settings without the use of a PIN or password. |
Many Enterprise Voice, Video, and Messaging Endpoints can set or display configuration settings in the instrument itself. This presents a risk if a user obtains information such as the IP addresses and URLs of system components. This obtained information could be used to facilitate an attack on the system. Therefore,... |
|
V-259940
|
Medium |
The Enterprise Voice, Video, and Messaging Endpoint must not be configured with any vendor default accounts, PINs, or passwords to access configuration settings. |
Many Enterprise Voice, Video, and Messaging Endpoints can set or display configuration settings in the instrument itself. This presents a risk if a user obtains information such as the IP addresses and URLs of system components. This obtained information could be used to facilitate an attack on the system. Therefore,... |
