Check: SRG-NET-000518-VVEP-00101
Enterprise Voice, Video, and Messaging Endpoint SRG:
SRG-NET-000518-VVEP-00101
(in versions v1 r2 through v1 r1)
Title
The Enterprise Voice, Video, and Messaging Endpoint must provide a logout capability for user-initiated communications sessions. (Cat II impact)
Discussion
If a user cannot explicitly end a session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. However, for some types of interactive sessions including, for example, remote login, information systems typically send logout messages as final messages prior to terminating sessions. This applies to network elements that have the concept of a user account and have the login function residing on the network element.
Check Content
Verify the Enterprise Voice, Video, and Messaging Endpoint provides a logout capability for user-initiated communications sessions. If the Enterprise Voice, Video, and Messaging Endpoint does not provide a logout capability for user-initiated communications sessions, this is a finding.
Fix Text
Configure the Enterprise Voice, Video, and Messaging Endpoint to provide a logout capability for user-initiated communications sessions.
Additional Identifiers
Rule ID: SV-259983r948916_rule
Vulnerability ID: V-259983
Group Title: SRG-NET-000518
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-002363 |
Provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to organization-defined information resources. |
Controls
| Number | Title |
|---|---|
| AC-12(1) |
User-initiated Logouts / Message Displays |