An error occurred:

Check: SRG-NET-000371-VVEP-00018

Voice Video Endpoint SRG: SRG-NET-000371-VVEP-00018 (in versions v2 r2 through v1 r4)

Title

The Voice Video Endpoint must protect the confidentiality of transmitted configuration files from the Voice Video Session Manager. (Cat I impact)

Discussion

Without protection of the transmitted information, confidentiality and integrity may be compromised as unprotected communications can be intercepted and either read or altered. When Voice Video Endpoint configuration files traverse a network without encryption for confidentiality, system information can be intercepted by an adversary. Encryption of the configuration files mitigates this vulnerability. However, TFTP is the most common protocol used for configuration file transfers and does not natively encrypt data. The Cisco TFTP implementation for VoIP systems uses encryption to both store and transfer configuration files. Refer to the “CISCO-UCM-TFTP” Vulnerability Analysis report provided by the Protocols, Ports, and Services management site for more details. Integrity checks during the transmission of configuration files ensure no changes have been introduced by adversarial attacks. TLS can be utilized to secure SIP and SCCP signaling by configuring the session manager in a secure mode. DoD-to-DoD voice communications are generally considered to contain sensitive information and therefore DoD voice and data traffic crossing the unclassified DISN must be encrypted. Cryptographic mechanisms such as Media Access Control Security (MACsec) implemented to protect information integrity include cryptographic hash functions that have common application in digital signatures, checksums, and message authentication codes.

Check Content

Verify the Voice Video Endpoint protects the confidentiality of transmitted configuration files from the Voice Video Session Manager. If the Voice Video Endpoint does not protect the confidentiality of transmitted configuration files from the Voice Video Session Manager, this is a finding.

Fix Text

Configure the Voice Video Endpoint to protect the confidentiality of transmitted configuration files from the Voice Video Session Manager.

Additional Identifiers

Rule ID: SV-206779r604140_rule

Vulnerability ID: V-206779

Group Title: SRG-NET-000371

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-002418

The information system protects the confidentiality and/or integrity of transmitted information.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SC-8

Transmission Confidentiality And Integrity