The VVoIP endpoint configuration files must not be downloaded automatically during endpoint registration.

Part of VVoIP 1937

Associated with IA controls: ECSC-1, DCBP-1

SV-75799r1_rule The VVoIP endpoint configuration files must not be downloaded automatically during endpoint registration.

Vulnerability discussion

During VVoIP endpoint registration with the session controller, a file is downloaded by the endpoint from the session manager containing specific configuration settings. This file contains the phone number assigned to the endpoint, the IP addresses for session management, the software menus specific to the system, the endpoint configuration password, the stored personal preferences and speed dial numbers, and other system operational information. These configuration settings can be updated by resetting and re-registering the endpoint, which causes an updated configuration file to be downloaded.Automatic download of VVoIP endpoint configuration files during registration allows rogue endpoints to become part of the system. It also potentially allows human readable configuration files to be sent without encryption or digital signatures.

Check content

Review site documentation to confirm the VVoIP endpoint configuration files are not downloaded automatically during endpoint registration. If VVoIP endpoint configuration files are downloaded automatically during endpoint registration, this is a finding.

Fix text

Implement and document that the VVoIP endpoint configuration files are not downloaded automatically during endpoint registration.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.