The integrity of Voice Video endpoint configuration files downloaded during endpoint registration must be validated using digital signatures.

From Voice Video Policy Security Technical Implementation Guide

Part of SRG-POL-300042

Associated with: CCI-002163

VVSP-01-000009_rule The integrity of Voice Video endpoint configuration files downloaded during endpoint registration must be validated using digital signatures.

Vulnerability discussion

During Voice Video endpoint registration with the session controller, a file containing specific configuration settings is downloaded by the endpoint from the session manager. This file contains the phone number assigned to the endpoint, the IP addresses for session management, the software menus specific to the system, the endpoint configuration password, the stored personal preferences and speed dial numbers, and other system operational information. These configuration settings can be updated by resetting and re-registering the endpoint, which causes an updated configuration file to be downloaded.The integrity of these files is critical to preventing compromise of the Unified Capabilities (UC) soft clients, the hardware endpoints, and the system itself. The best method for maintaining configuration file integrity is requiring it to be digitally signed. This prevents man-in-the-middle attacks where the configuration file could be modified in transit or the source of the file spoofed. Digital signatures and the file integrity must also be validated before the configuration file is used.

Check content

Review the Voice Video registration policies enforced by session managers for approved Voice Video endpoints. Confirm the integrity of Voice Video endpoint configuration files downloaded during endpoint registration is validated using digital signatures. This is not applicable to hardware endpoints with a preinstalled configuration file that do not download a configuration file through the network. This is not applicable to UC soft clients that do not download a configuration file through the network. If the Voice Video endpoint configuration files downloaded during endpoint registration are not digitally signed, this is a finding. If the Voice Video endpoint configuration files downloaded during endpoint registration are not validated using digital signatures, this is a finding. If vendor-generated certificates are used instead of DoD PKI certificates, reduce the severity to CAT III.

Fix text

Document Voice Video registration policies to enforce for approved Voice Video endpoints. The integrity of Voice Video endpoint configuration files downloaded during endpoint registration must be validated using digital signatures. Voice Video endpoints must use DoD PKI certifications. This requirement does not apply to hardware endpoints or UC soft clients that do not download configuration files from the session manager.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer