Solved: UCCE Rogger Vulnerability - port 69 open

anthonyroesler · ‎01-22-2020

We have been given a scan of our rogger that is showing open on port 69 UDP and accepting connections. Trying to determine why that could be and what we need to do to shut it down. This is open on our A side, but not on our B side.

Version 11.6.2

bill.king1 · ‎01-22-2020

Perhaps someone installed software for TFTP to do things like transfer files to voice gateways and never removed it?

View solution in original post

Omar Deen · ‎01-22-2020

Port 69 UDP is TFTP... and since this is only happening on Side A, I'm going to guess that you're running the Outbound Dialer and are using TFTP to bring in a dialing list for your campaigns.

anthonyroesler · ‎01-22-2020

Incorrect, we do not use dialer at all.

Omar Deen · ‎01-22-2020

Regardless, TFTP is using that port

bill.king1 · ‎01-22-2020

Perhaps someone installed software for TFTP to do things like transfer files to voice gateways and never removed it?

anthonyroesler · ‎01-22-2020

This was it. Someone did install a TFTP client. It's been removed now! Thanks!

bill.king1 · ‎01-22-2020

Good deal, glad that it resolved it and thanks for posting the confirmation.

And you probably know this, but if you had an issue with that server, and Cisco saw that you had that third party software on there, they may tell you that you have to remove it before they would continue to troubleshoot it. Here's an article about it.

https://www.cisco.com/c/en/us/products/collateral/customer-collaboration/unified-ip-interactive-voice-response-ivr/prod_bulletin09186a0080207fb9.html