NIAP: Assurance Continuity
Assurance Continuity - Cisco Unified Communications Manager and the IM and Presence Service v14.0

Date of Maintenance Completion:  2022.02.23

Product Type:    Network Device
   SIP Server

Conformance Claim:  Protection Profile Compliant

PP Identifier:    collaborative Protection Profile for Network Devices Version 2.1
  Extended Package for Enterprise Session Controller (ESC) Version 1.0

Original Evaluated TOE:  2021.01.11 - Cisco Unified Communications Manager and the IM and Presence Service v12.5

CC Certificate [PDF] Validation Report [PDF] Assurance Activity [PDF]

Administrative Guide [PDF]

Please note:  The above files are for the Original Evaluated TOE.  Consequently, they do not refer to this maintained version, although they apply to the maintained version. 

Security Target [PDF] * Assurance Continuity Maintenance Report [PDF] Administrative Guide [PDF]

Please note:  This serves as an addendum to the VR for the Original Evaluated TOE. 

* This is the Security Target (ST) associated with this latest Maintenance Release.  To view previous STs for this TOE, click here.

Readers are reminded that the certification of this product (TOE) is the result of maintenance, rather than an actual re-evaluation of the product.  Maintenance only considers the effect of TOE changes on the assurance baseline (i.e. the original evaluated TOE); maintenance is not intended to provide assurance in regard to the resistance of the TOE to new vulnerabilities or attack methods discovered since the date of the initial certificate.  Such assurance can only be gained through re-evaluation. 

Using a security impact analysis of the changes made to the TOE, which was provided by the developer, the CCEVS has determined that the impact of the changes on the TOE is minor and that independent evaluator analysis was not necessary.  A summary of the results can be found in the Maintenance Report, which is written in relation to the product's original Validation Report and Security Target.  Readers are therefore reminded to read the Security Target, Validation Report, and the Assurance Maintenance Report to fully understand what a maintained certificate represents. 

Product Description

Several changes to the TOE are documented and are divided into four categories: new features, bug fixes, operating system, and ESXi supportability. The TOE has been updated from the evaluated software version 12.5 to 14.0. The information below describes each change and justifies that the changes have no security relevance to the TOE. It should be noted that the new features listed here were not included in the original evaluation and are not covered by this assurance maintenance update.

 

New Feature

Assessment

Additional Billing Server Support - You can now add up to eight billing servers in Unified Communications Manager.

Billing Servers were not part of the evaluated environment. This feature enhancement does not impact the security functions defined in [NDcPP], [ESC EP], and the Security Target.

AV1 Codec Support - Unified Communications Manager now supports negotiation and passthrough of the AV1 codec.

AV1 codec will be supported by Cisco Webex Desk Pro Endpoint, Webex Codec Pro, and Room Panorama systems. Telepresence devices were not defined as part of the SFR in the original analysis. Does not impact the security functions defined in [NDcPP], [ESC EP], and the Security Target.

Cisco Tomcat Containerization - Releases prior to 14 have single instance of Cisco Tomcat managing many web applications with limited resource control and throttling.

Multiple instances of Tomcat now run simultaneously. This does not reflect a change in Tomcat coding, but rather load balancing of applications using Tomcat. Does not impact the security functions defined in [NDcPP], [ESC EP], and the Security Target.

Certificate Regeneration without Service Restarts - A manual restart of the CallManager and CTIManager services is no longer required when a CallManager certificate is regenerated on Unified Communications Manager.

Does not impact the security functions defined in [NDcPP], [ESC EP], and the Security Target.

Fresh Install with Data Import - Virtual to Virtual (V2V) migration makes it easier to upgrade and migrate Unified Communications Manager.

Improvements to Install and Upgrade do not impact secure operation/functionality of the TOE. Does not impact the security functions defined in [NDcPP], [ESC EP], and the Security Target.

Enable SIP OAuth for 78xx and 88xx Phones - SIP OAuth provides end-to-end secure signaling and media encryption without CAPF, on-premises as well as over MRA, and by default TFTP is secure for SIP phones when SIP OAuth is enabled.

This is a new security feature since certification.  The AGD will not be modified to include this new feature; administrators continue to use the evaluated configuration, which will not impact the security functions defined in [NDcPP], [ESC EP], and the Security Target.

Enhanced Accessibility and Usability in Self Care Portal - The Self Care Portal, for the phone features and settings, has been enhanced.

Use of the Self Care Portal was not included in the TSF. Does not impact the security functions defined in [NDcPP], [ESC EP], and the Security Target.

Enhanced Security Compliances - As part of Cisco's continuous review of the Unified Communications Manager and IM and Presence Service architecture to identify security vulnerabilities and weaknesses, the following compliance and validation investments were made as part of the security compliances roll-out.

·         Cross-Site Scripting Vulnerability—A vulnerability in the web-based management interface of Unified Communications Manager and IM and Presence Service is addressed so that it does not allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected device. Open Web Application Security Project (OWASP) encoding guidelines were implemented to fix the XSS vulnerabilities.

·         Standard Practices Followed for X.509 Certificate Validation—Ensure that the name or identification information (FQDN) presented in the Subject Name of the certificate of the peer being authenticated matches the peer with which Unified Communications Manager is communicating. Always reject expired or invalid certificates. Also ensure that no X.509 extension type appears more than once in a certificate before accepting certificates received from the web server.

·         Certificate Validity—Addresses the Lifetime of Certificates to achieve security compliance.

o   TLS-based (server) Certificates have a lifetime of three years.

o   Signing Certificates are by default restricted to a lifetime of five years.

o   ITL Recovery Certificates have a lifetime of 20 years.

·         Digitally Sign Software and Control Keys—From Release 14 onward, a SHA512SUM hash-based signing tool is used for all COP and ISO upgrade files, improving security.
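The first bullet attributes the XSS fix to OWASP output-encoding guidance. The following Go program, an added example that is not Cisco's code and does not reproduce the actual CUCM interface, shows the difference between reflecting a request parameter verbatim and encoding it for the context it lands in. The template, the `Params` type and the hostile inputs are constructed for the example; Go's `html/template` performs the contextual escaping (HTML text, quoted attribute, URL query) that the guidance prescribes.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	texttemplate "text/template"
)

// Params holds constructed request parameters an unauthenticated user can
// influence. The names are assumptions for the example.
type Params struct {
	Query string // reflected into the page body and into a link
	Title string // reflected into a quoted attribute value
}

// pageSource is rendered by both engines below. The same value lands in
// three different encoding contexts: an HTML text node, a quoted attribute
// and a URL query component.
const pageSource = `<h1>Results for {{.Query}}</h1>
<a title="{{.Title}}" href="/search?q={{.Query}}">search again</a>`

// RenderUnencoded reproduces the weakness: text/template interpolates values
// verbatim, so markup inside a parameter becomes markup in the response.
func RenderUnencoded(p Params) (string, error) {
	t, err := texttemplate.New("page").Parse(pageSource)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := t.Execute(&out, p); err != nil {
		return "", err
	}
	return out.String(), nil
}

// RenderEncoded is the fixed version: html/template escapes each value for the
// context it is inserted into (&lt; in text, &#34; inside an attribute,
// percent-encoding inside the URL), so the browser never sees attacker markup.
func RenderEncoded(p Params) (string, error) {
	t, err := template.New("page").Parse(pageSource)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := t.Execute(&out, p); err != nil {
		return "", err
	}
	return out.String(), nil
}

func main() {
	// Constructed hostile input: a script tag for the text/URL contexts and an
	// attribute break-out for the title attribute.
	hostile := Params{
		Query: `<script>alert(document.cookie)</script>`,
		Title: `" onmouseover="alert(1)`,
	}
	for _, r := range []struct {
		name   string
		render func(Params) (string, error)
	}{
		{"text/template (vulnerable)", RenderUnencoded},
		{"html/template (encoded)", RenderEncoded},
	} {
		out, err := r.render(hostile)
		if err != nil {
			panic(err)
		}
		fmt.Printf("--- %s ---\n%s\n\n", r.name, out)
	}
}
```

Note that the fix is a property of the rendering path, not of the input: the vulnerable and the hardened version receive identical data and differ only in whether the encoder knows which context each value is written into.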

 

Regarding the Enhanced Security Compliances:

·         Mitigating the cross-site scripting vulnerability prevents possible unauthorized access to the TOE. The standard practices for X.509 certificate validation represent across-the-board conformance to behaviour that was already claimed and met for Common Criteria; these security changes are consistent with the FIPS/CC modes of operation, where applicable.

·         Certificate lifetimes are not part of the SFR claim.

Does not impact the security functions defined in [NDcPP], [ESC EP], and the Security Target.
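The X.509 practices in the feature list (name matches the peer actually being contacted, expired or otherwise invalid certificates rejected, no extension type present twice) are easy to state and easy to get subtly wrong. The Go program below is an added example, not Cisco's implementation, and builds its own in-memory CA and leaf certificates so it runs offline; every name, the FQDN `cucm.example.test` and the P-256 keys are assumptions. It checks a presented leaf against all three rules and then runs the check against four constructed peers, of which only the first should be accepted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var nextSerial int64 // example-only serial counter

// issueCert builds an in-memory certificate so the example runs offline.
// With parent == nil it returns a self-signed CA; otherwise a server leaf for
// dnsName signed by that CA. Every name here is constructed for the example.
func issueCert(dnsName string, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(nextSerial),
		Subject:      pkix.Name{CommonName: dnsName},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else {
		tmpl.DNSNames = []string{dnsName} // the SAN is what hostname matching uses
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// ValidatePeer applies the rules listed above to a presented leaf: no extension
// type may appear twice, the chain must end at a trusted root, the certificate
// must be inside its validity window at "now", and the name must match the FQDN
// that was dialled, not merely any name the peer chose to present.
func ValidatePeer(leaf *x509.Certificate, roots *x509.CertPool, expectedFQDN string, now time.Time) error {
	seen := make(map[string]bool) // Go's parser already refuses duplicates; the loop makes the rule explicit
	for _, ext := range leaf.Extensions {
		if seen[ext.Id.String()] {
			return fmt.Errorf("reject: extension %s appears more than once", ext.Id)
		}
		seen[ext.Id.String()] = true
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     expectedFQDN, // matched against SAN dNSName entries
		CurrentTime: now,          // expired or not-yet-valid certificates fail here
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		return fmt.Errorf("reject: %w", err)
	}
	return nil
}

// RunPeerScenarios checks four constructed peers against the same expected FQDN
// and reports which would be accepted. Only "valid" should be.
func RunPeerScenarios() (map[string]bool, error) {
	now := time.Now()
	ca, caKey, err := issueCert("Example Lab Root CA", now.Add(-time.Hour), now.Add(24*time.Hour), nil, nil)
	if err != nil {
		return nil, err
	}
	rogue, rogueKey, err := issueCert("Rogue CA", now.Add(-time.Hour), now.Add(24*time.Hour), nil, nil)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca) // only the lab CA is trusted

	type peer struct {
		label, name string
		nb, na      time.Time
		issuer      *x509.Certificate
		issuerKey   *ecdsa.PrivateKey
	}
	peers := []peer{
		{"valid", "cucm.example.test", now.Add(-time.Hour), now.Add(time.Hour), ca, caKey},
		{"expired", "cucm.example.test", now.Add(-48 * time.Hour), now.Add(-time.Hour), ca, caKey},
		{"wrong-name", "other.example.test", now.Add(-time.Hour), now.Add(time.Hour), ca, caKey},
		{"untrusted-issuer", "cucm.example.test", now.Add(-time.Hour), now.Add(time.Hour), rogue, rogueKey},
	}
	results := make(map[string]bool)
	for _, p := range peers {
		leaf, _, err := issueCert(p.name, p.nb, p.na, p.issuer, p.issuerKey)
		if err != nil {
			return nil, err
		}
		results[p.label] = ValidatePeer(leaf, roots, "cucm.example.test", now) == nil
	}
	return results, nil
}
```

The expected FQDN is passed in by the caller from its own configuration, never taken from the certificate; a check that compares the certificate's name against a name the certificate itself supplies accepts anything.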

Digitally signed software available from the Cisco Software Download web page previously used a SHA256 hash. The digital signature and hash are generated when the update is built. The hash is verified when the update is accepted, following the process defined in the AGD for update acceptance. The addition of the SHA512 hash algorithm results in an SFR change; however, the change is minor because the algorithm was already covered by the CAVP certificates supplied with the original evaluation.
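The acceptance step described above, signing a digest of the whole update file at build time and verifying it before the file is accepted, is shown below as an added Go example. It is not Cisco's signing tool, and the page does not describe the real scheme beyond "SHA512SUM hash-based signing"; the ECDSA P-384 publisher key, the `Release` type and the sample image bytes are assumptions constructed for the example. It signs a constructed image with SHA-512, then verifies a genuine copy, a tampered copy, a copy re-signed by a different key, and an unsigned copy.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
)

// Release is a constructed stand-in for a COP/ISO update file together with
// the detached signature that would accompany it.
type Release struct {
	Image     []byte
	Signature []byte // ASN.1 DER ECDSA signature over SHA-512(Image)
}

// SignRelease mimics the publisher side: hash the whole image with SHA-512 and
// sign the digest with the release key (assumed here to be ECDSA P-384).
func SignRelease(image []byte, key *ecdsa.PrivateKey) (Release, error) {
	digest := sha512.Sum512(image)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return Release{}, err
	}
	return Release{Image: image, Signature: sig}, nil
}

// VerifyRelease is the acceptance check: recompute SHA-512 over the received
// image and verify the signature with the pinned publisher key. Comparing a
// bare digest against a value downloaded from the same place as the file would
// only detect corruption; the signature is what ties the file to the publisher.
func VerifyRelease(r Release, pub *ecdsa.PublicKey) error {
	if pub == nil || len(r.Signature) == 0 {
		return fmt.Errorf("reject: missing publisher key or signature")
	}
	digest := sha512.Sum512(r.Image)
	if !ecdsa.VerifyASN1(pub, digest[:], r.Signature) {
		return fmt.Errorf("reject: SHA-512/ECDSA signature does not verify")
	}
	return nil
}

// RunReleaseScenarios reports which of four constructed releases pass the
// acceptance check. Only "genuine" should.
func RunReleaseScenarios() (map[string]bool, error) {
	publisher, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return nil, err
	}
	other, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return nil, err
	}
	image := []byte("constructed-sample-update-image-bytes") // stands in for a COP/ISO file

	genuine, err := SignRelease(image, publisher)
	if err != nil {
		return nil, err
	}
	// Tampered: the publisher's signature is kept but one image byte is flipped.
	tampered := Release{Image: append([]byte(nil), image...), Signature: genuine.Signature}
	tampered.Image[len(tampered.Image)/2] ^= 0x01
	// Forged: a well-formed signature from a key that is not the publisher's.
	forged, err := SignRelease(image, other)
	if err != nil {
		return nil, err
	}
	// Unsigned: the image alone, as if the signature file were missing.
	unsigned := Release{Image: image}

	pub := &publisher.PublicKey
	return map[string]bool{
		"genuine":  VerifyRelease(genuine, pub) == nil,
		"tampered": VerifyRelease(tampered, pub) == nil,
		"forged":   VerifyRelease(forged, pub) == nil,
		"unsigned": VerifyRelease(unsigned, pub) == nil,
	}, nil
}
```

Swapping SHA-256 for SHA-512 in this design changes only the digest computed on both sides, which is why the page can treat the algorithm change as minor provided the new digest is already among the validated algorithms.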

Granular Access Control Enhancements - Granular Access Control Enhancements allows creation of hierarchy among administrators for segregation of duties.

CUCM has always allowed administrator access to be limited based on Roles and Policy Groups. This enhancement provides further granularity of access restriction. Does not impact the security functions defined in [NDcPP], [ESC EP], and the Security Target.

Headset and Accessories Inventory Download - This feature enables an administrator to download a detailed report of Headsets and Accessories in your deployment.

Headsets and headset management were not defined as part of the SFR in the original analysis. Does not impact the security functions defined in [NDcPP], [ESC EP], and the Security Target.

SAML Based Single Logout - The Unified Communications Manager now includes a new feature to support SAML based Single Logout (SLO).

SSO was not evaluated. Does not impact the security functions defined in [NDcPP], [ESC EP], and the Security Target.

MRA Failover with Lightweight Keepalives - The MRA High-Availability for endpoint registration feature allows Cisco Webex and Cisco Jabber clients to quickly detect any failure of network and take corrective action to re-register using a new path.

MRA was not evaluated. Does not impact the security functions defined in [NDcPP], [ESC EP], and the Security Target.

Native Phone Migration using IVR and Phone Services - The Phone Migration feature is an easy and intuitive Cisco IP Phone migration solution native to Unified Communications Manager.

Improvements to Install and Upgrade do not impact secure operation/functionality of the TOE. Does not impact the security functions defined in [NDcPP], [ESC EP], and the Security Target.

Oracle JRE Removal from Manager Assistant - The Oracle Java Runtime Environment (JRE) is no longer included in the Cisco Unified Communications Manager Assistant plug-in.

CUCM Assistant is an application that runs on a Windows machine and allows an office assistant to manage calls for their managers. This application was not evaluated. Does not impact the security functions defined in [NDcPP], [ESC EP], and the Security Target.

Phones with Mismatched ITL Checksums - When Call Manager Certificate is renewed, the phones reset and obtain new ITL files. During this process, some phones may retain the old ITL files. The Unified Communications Manager now allows the administrator to identify SIP phones that have older ITL files and provides the centralized report of phones with mismatched ITL files.

This feature is for reporting/maintenance purposes and does not impact device security. Does not impact the security functions defined in [NDcPP], [ESC EP], and the Security Target.

Simplified Certificate Management - Unified Communications Manager and the IM and Presence Service now includes a new feature to reduce the number of Identity Certificates.

This is a new security feature since certification.  The AGD will be modified to inform administrators to continue using the CUCM 12.5 instructions for certificates and not to use the new Simplified Certificate Management features introduced in 14.0, which will not impact the security functions defined in [NDcPP], [ESC EP], and the Security Target.

UDS Enhancements - The following enhancements are introduced for UDS:

·         The UDS Bulk Search by Email enables Cisco Jabber to send requests in batches using the email attribute.

·         UDS is enhanced to do a better discovery of the home cluster of a user across remote clusters

Improvements are related to search requests. Does not impact the security functions defined in [NDcPP], [ESC EP], and the Security Target.

Version Independent Licensing - Unified Communications Manager supports Version Independent User Licenses

CUCM 14 uses new licenses specific to version 14.  This is consistent with previous releases and does not impact the security functions defined in [NDcPP], [ESC EP], and the Security Target.

Wi-Fi to LTE Call Handoff - Wi-Fi to LTE Call Handoff provides flexibility for Cisco Webex users to switch between Wi-Fi and LTE networks without disconnecting any active call the user may be on while switching networks.

Cisco Webex clients were not defined as part of the TOE in the original analysis. Does not impact the security functions defined in [NDcPP], [ESC EP], and the Security Target.

Windows 10 (2019) Support for RTMT - You can install Cisco Unified Real-Time Monitoring Tool on a computer that is running on Windows 10 (2019) operating system to monitor or troubleshoot Unified Communications Manager.

RTMT is an application that runs on a Windows machine and allows real-time monitoring of CUCM. This application was not evaluated. Does not impact the security functions defined in [NDcPP], [ESC EP], and the Security Target.

Certificate Sync and Intercluster Periodic Sync - The IM and Presence Service performs certificate sync as part of the intercluster sync process. This feature introduces a new service parameter, Certificate Sync during Inter-Cluster Periodic Sync.

The TOE was evaluated as a single cluster. New feature only applies to multi cluster deployment. Does not impact the security functions defined in [NDcPP], [ESC EP], and the Security Target.

Deletion of Intercluster Peers does not Require XCP Router Restart - The IM and Presence Service is enhanced to prevent restart of XCP router on each node within the IM and Presence cluster after deleting an intercluster peer.

The TOE was evaluated as a single cluster. New feature only applies to multi cluster deployment. Does not impact the security functions defined in [NDcPP], [ESC EP], and the Security Target.

IM and Presence Configuration for SIP Open Federation - Cisco IM and Presence Service supports SIP open federation for Cisco Jabber clients.

The TOE was evaluated using a single domain and not a Federation. Does not impact the security functions defined in [NDcPP], [ESC EP], and the Security Target.

IM and Presence Failover Enhancement to Nearly Zero Downtime - IM and Presence Service is enhanced to reduce the impact during upgrade and failover of nodes and clusters, and hence minimize the Jabber service outage.

The TOE was evaluated using a single IMP server. High Availability (HA) performance and failover were not evaluated. Does not impact the security functions defined in [NDcPP], [ESC EP], and the Security Target.

Improved IM and Presence Stream Features/Services Advertisement via Expressway - IM and Presence Service now supports the advertisement of XMPP stream features/services to the clients connecting over Cisco Expressway's Mobile and Remote Access.

MRA was not evaluated. Does not impact the security functions defined in [NDcPP], [ESC EP], and the Security Target.

Jabber User Location Migration - The IM and Presence Service supports the migration of locations that are configured by Jabber users, from one IM and Presence Service cluster to another.

The TOE was evaluated as a single cluster. New feature only applies to multi cluster deployment. Does not impact the security functions defined in [NDcPP], [ESC EP], and the Security Target.

Out of Office Presence Status - The IM and Presence Service supports Out of Office (OOO) as the user’s availability status.

Presence status was not evaluated. Does not impact the security functions defined in [NDcPP], [ESC EP], and the Security Target.

Push Notification Support for Jabber MAM Clients - The IM and Presence Service extends its Push Notification feature support for Mobile Application Management (MAM) clients like Cisco Jabber for Intune and Cisco Jabber for BlackBerry.

Push Notification was not evaluated. Does not impact the security functions defined in [NDcPP], [ESC EP], and the Security Target.

User Session Report for Device Capacity Monitoring - The Device Capacity Monitoring feature lets IM and Presence Service administrators view the User Session Report of the active users logged in from multiple devices.

Improvements are related to search requests and reports. Does not impact the security functions defined in [NDcPP], [ESC EP], and the Security Target.

 

Bug Fixes

Assessment

CUCM and IMP Related bugs.

Multiple bug fixes introduced since the initial certification were analyzed by the vendor and determined either to have no security relevance or to fall outside the scope of the evaluated functionality; they are not security relevant in the context of the NDcPP evaluation.

 

Operating System

Assessment

The version of CentOS has changed from 7.6 for CUCM and IMP 12.5 to 7.7 for CUCM and IMP 14.0.

CentOS follows the Red Hat Linux numbering system, which uses a "major.minor" version numbering format. Moving from CentOS 7.6 to 7.7 is a minor change per the vendor.  

Features new to CentOS 7.7 were analyzed and determined to have no security relevance or to fall outside the scope of the evaluated functionality. 

 

ESXi Supportability

Assessment

CUCM and IMP 14.0 are only supported on ESXi 6.7 and 7.0U1, which were not part of the original evaluation.

The updated ST states that ESXi version 6.7 is the platform on which CUCM is installed.  VMware ESXi follows a "major.minor" version numbering format. Moving from ESXi 6.5 to 6.7 is a minor change per the vendor.

Feature changes included in ESXi 6.7 were determined to have no impact on the TOE Security Functions. Additionally, ESXi 6.7 itself is CC compliant.

 

Vendor Information


Cisco Systems, Inc.
Anil Bhatt
(410) 309-4862
abhatt@cisco.com

cisco.com