Title

VVoIP endpoint configuration files must not be downloaded automatically during initial endpoint registration. (Cat II impact)

Discussion

During VVoIP endpoint registration with the session controller, a file is downloaded by the endpoint from the session manager containing specific configuration settings. This file contains the phone number assigned to the endpoint, the IP addresses for session management, the software menus specific to the system, the endpoint configuration password, the stored personal preferences and speed dial numbers, and other system operational information. These configuration settings can be updated by resetting and re-registering the endpoint, which causes an updated configuration file to be downloaded. Unregulated automatic download of VVoIP endpoint configuration files during initial registration allows rogue endpoints to become part of the system. It also potentially allows human readable configuration files to be sent without encryption or digital signatures.

Check Content

Review site documentation to confirm the VVoIP endpoint configuration files are not downloaded automatically during initial endpoint registration. If VVoIP endpoint configuration files are downloaded automatically during initial endpoint registration, this is a finding.

Fix Text

Implement a VVoIP system design preventing auto-download of VVoIP endpoint configuration files on initial deployment. Document the design, demonstrating that unregulated automatic download of VVoIP endpoint configuration files during initial registration is prevented.

Additional Identifiers

Rule ID: SV-75799r2_rule

Vulnerability ID: V-61319

Group Title: VVoIP 1937

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.