Voice Video endpoint configuration files transferred via Cisco TFTP must be encrypted and signed using DoD PKI certificates.

From Voice Video Policy Security Technical Implementation Guide

Part of SRG-POL-300042

Associated with: CCI-002163

VVSP-01-000012_rule Voice Video endpoint configuration files transferred via Cisco TFTP must be encrypted and signed using DoD PKI certificates.

Vulnerability discussion

During Voice Video endpoint registration with the session controller, a file containing specific configuration settings is downloaded by the endpoint from the session manager. This file contains the phone number assigned to the endpoint, the IP addresses for session management, the software menus specific to the system, the endpoint configuration password, the stored personal preferences and speed dial numbers, and other system operational information. These configuration settings can be updated by resetting and re-registering the endpoint, which causes an updated configuration file to be downloaded.

When Voice Video configuration files traverse a network in an unencrypted state, system information may be used by an adversary, which in the aggregate may reveal sensitive data. When Voice Video traffic is passed in the clear, it is open to sniffing attacks. End-to-end encryption of the configuration files mitigates this vulnerability. However, TFTP does not natively encrypt data. The Cisco TFTP implementation for Voice Video systems uses encryption to both store and transfer configuration files. Refer to the "CISCO-UCM-TFTP" Vulnerability Analysis report provided by the Protocols, Ports, and Services management site for more details.
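The registration download described above can be monitored from the network side. The following is an added example (not part of this STIG or any Cisco tooling) that parses TFTP read requests from captured UDP payloads and flags endpoint configuration files requested without a signed or encrypted name; the SEP<MAC>.cnf.xml naming and the ".sgn" / ".enc.sgn" suffixes are assumptions about the Cisco TFTP file layout, not something this rule states.

```python
import struct

TFTP_RRQ = 1  # RFC 1350 opcode for a read request (2 = write request)

# Assumption (not from the STIG text): Cisco UCM phone configuration files are named
# SEP<MAC>.cnf.xml; a signed copy ends in ".sgn" and a signed+encrypted copy in ".enc.sgn".
SIGNED_SUFFIX = ".sgn"
ENCRYPTED_SUFFIX = ".enc.sgn"


def parse_tftp_request(payload: bytes):
    """Return (opcode, filename, mode) for an RRQ/WRQ payload, or None for anything else."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (1, 2):
        return None
    fields = payload[2:].split(b"\x00")  # filename NUL mode NUL -> trailing empty element
    if len(fields) < 3:
        return None
    return opcode, fields[0].decode("ascii", "replace"), fields[1].decode("ascii", "replace").lower()


def classify_config_request(filename: str) -> str:
    """Classify a requested file as 'encrypted', 'signed', 'cleartext' or 'other' (not a config)."""
    name = filename.lower()
    if not (name.startswith("sep") and ".cnf.xml" in name):
        return "other"
    if name.endswith(ENCRYPTED_SUFFIX):
        return "encrypted"
    if name.endswith(SIGNED_SUFFIX):
        return "signed"
    return "cleartext"


def find_cleartext_config_requests(packets):
    """Filenames of read requests for endpoint config files that are neither signed nor encrypted."""
    findings = []
    for payload in packets:
        parsed = parse_tftp_request(payload)
        if parsed and parsed[0] == TFTP_RRQ and classify_config_request(parsed[1]) == "cleartext":
            findings.append(parsed[1])
    return findings


def rrq(filename: str, mode: str = "octet") -> bytes:
    """Build a TFTP RRQ payload; used here only to construct sample traffic."""
    return struct.pack("!H", TFTP_RRQ) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


# Constructed sample traffic, as an endpoint would issue it during registration.
SAMPLE_PACKETS = [
    rrq("SEP001122334455.cnf.xml.enc.sgn"),  # signed and encrypted
    rrq("SEP001122334455.cnf.xml.sgn"),      # signed only
    rrq("SEP001122334455.cnf.xml"),          # cleartext: this is the finding
    rrq("CTLSEP001122334455.tlv"),           # trust list, not a configuration file
]

if __name__ == "__main__":
    for name in find_cleartext_config_requests(SAMPLE_PACKETS):
        print("cleartext endpoint configuration requested over TFTP:", name)
```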

Check content

If the Voice Video endpoints do not use Cisco TFTP, this is not applicable. Review the Voice Video registration policies enforced by session managers for approved Voice Video endpoints. Confirm the Voice Video endpoint configuration files transferred via Cisco TFTP are encrypted and signed using DoD PKI certificates. If the Voice Video endpoint configuration files transferred via Cisco TFTP are not encrypted and signed using DoD PKI certificates, this is a finding. If vendor-generated certificates are used instead of DoD PKI certificates, reduce the severity to CAT III.

Fix text

Configure the Voice Video endpoint configuration files transferred via Cisco TFTP to be encrypted and signed using DoD PKI certificates. Refer to the "CISCO-UCM-TFTP" Vulnerability Analysis report provided by the Protocols, Ports, and Services management site for more details. Document the Voice Video registration architecture enforced for approved Voice Video endpoints.
