Title

The hardware Voice Video Endpoint must disable or restrict built-in web servers. (Cat II impact)

Discussion

Hardware Voice Video Endpoints sometimes contain a web server for the implementation of various functions and features. In many cases these are used to configure the network settings or user preferences on the device. In some Voice Video Endpoints, a user can access a missed call list, call history, or other information. If access to such a web server is not restricted to authorized entities, the device supporting it is subject to unauthorized access and compromise.

Check Content

If the Voice Video Endpoint is not a hardware endpoint, this check procedure is Not Applicable. If the hardware Voice Video Endpoint does not contain a web server, this check procedure is Not Applicable. Verify the hardware Voice Video Endpoint disables or restricts built-in web servers. Web servers embedded in hardware Voice Video Endpoints must be restricted to authorized entities’ devices through an authentication mechanism or, minimally, through IP address filtering, or be otherwise disabled. Additionally, the connection must be for direct user or administrative functions. If the hardware Voice Video Endpoint does not disable or restrict built-in web servers, this is a finding.

Fix Text

Configure the hardware Voice Video Endpoint to disable or restrict built-in web servers.

Additional Identifiers

Rule ID: SV-206799r604140_rule

Vulnerability ID: V-206799

Group Title: SRG-NET-000512

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.