The hardware Voice Video Endpoint using SIP or AS-SIP signaling must prevent cross-site scripting attacks caused by improper filtering or validation of the content of SIP invitation fields.

From Voice Video Endpoint Security Requirements Guide

Part of SRG-NET-000147-VVEP-00016

Associated with: CCI-001942

SV-81201r1_rule The hardware Voice Video Endpoint using SIP or AS-SIP signaling must prevent cross-site scripting attacks caused by improper filtering or validation of the content of SIP invitation fields.

Vulnerability discussion

A cross-site scripting vulnerability has been demonstrated by adding scripting code to the "From:" field in the SIP invite. Upon receiving the invite, the embedded code can be executed by a vulnerable embedded web server to download additional malicious code and launch an attack. The demonstration of the vulnerability also exists on www.securityfocus.com under Bugtraq ID: 25987, which pops up a specific alert box on the user’s workstation after downloading a SIP invite. While this vulnerability has been demonstrated on a specific IP phone, it could potentially affect all SIP-based endpoints or clients and their signaling partners. This vulnerability is a result of improper filtering or validation of the content of the various fields in the SIP invite and potentially the Session Description Protocol (SDP) portion of the invite. The injected code potentially causes malicious code to be run on the target device, to include an endpoint (hard or soft), a session controller, or any other SIP signaling partner. Additionally, this vulnerability may affect applications other than SIP VoIP clients, such as IM clients. A similar vulnerability results when URLs embedded in SIP messages are launched automatically.

Check content

If the Voice Video Endpoint is not a hardware endpoint, this check procedure is Not Applicable. Verify the hardware Voice Video Endpoint using SIP or AS-SIP signaling prevents cross-site scripting attacks caused by improper filtering or validation of the content of SIP invitation fields. If the hardware Voice Video Endpoint does not use SIP or AS-SIP, this is not a finding. If the hardware Voice Video Endpoint does not prevent cross-site scripting attacks caused by improper filtering or validation of the content of SIP invitation fields, this is a finding.

Fix text

Configure the hardware Voice Video Endpoint using SIP or AS-SIP signaling to prevent cross-site scripting attacks caused by improper filtering or validation of the content of SIP invitation fields.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer