
ATA 186 Port 80 vulnerability

chadrife1
Level 1

Hello Community! 

 

Looking for a way to disable the web interface of these devices either from CUCM or the local side. Our Security Dept has flagged these with a port 80 vulnerability, for which our CUCM provider has yet to provide any reasonable action. Suggestions were to input an ACL; however, that would be a last resort, not knowing if that will block any other functionality.

 

Suggestions would be greatly appreciated.

Thanks,

2 Accepted Solutions


Hi, you can modify bit 7 of OpFlag in the common configuration file on the TFTP server:

 

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cata/186_188/2_15_ms/english/administration/guide/sccp/sccp/sccpach3.html

 

Bit 7 is used to configure "web configuration access": 0 allows web config, 1 does not allow it.

This method is not so easy. Probably you can check what the IP of the default gateway of your ATAs is and configure an ACL to block all access on port 80.

 

Regards. 


If the device is giving you trouble with the web interface, and assuming you are using a managed switch, why not write an ACL to block port 80 traffic at the switchport? It should not block any functionality aside from the web interface.


9 Replies


Daniele - Thank you for the response. We've been going back and forth with
our provider with no luck.

Can this be changed locally in the web interface then once applied will
stop the access?

OP flag parameter is available over the web interface from the Network Parameters Link in the left menu. 

 

Here's what I see.

 

[Attached image: AtA186.JPG]

That's the setting. Looks like you are on an older firmware version than I am used to. Adjust the bit that was suggested and see if that works for you.

I was able to test this one at my desk. Now to work with the vendor for a mass fix.

Thank you ALL!

Curious why an open port 80 is in and of itself insecure?

Our main concern is that our infosec team's vulnerability tool flags it as
unsecure due to that port. If it was 443, we would be moving on.

I did find this morning after a reboot, the device somewhat reset itself
and the web interface is enabled.

This is what my opsflag looks like now.

0x00000012
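
Added example, not part of the original thread and not Cisco code: a small Python check that reads an OpFlag value, reports whether bit 7 (web configuration access) is set, and rewrites the line with only that bit changed. It assumes bits are numbered from 0 at the least-significant end (so bit 7 is mask 0x80) and an `OpFlag:<value>` line syntax for the configuration file; the sample text is constructed around the 0x00000012 value posted above.

```python
import re

# Bit 7 of OpFlag per the thread: 0 = web configuration allowed, 1 = not allowed.
# Assumption: bits are numbered from 0 at the least-significant end (mask 0x80).
WEB_CONFIG_DISABLE = 1 << 7

# Assumption: the config file holds an "OpFlag:<value>" line, hex or decimal.
OPFLAG_LINE = re.compile(r"^(\s*OpFlag\s*:\s*)(0[xX][0-9A-Fa-f]+|[0-9]+)(.*)$")

# Constructed sample, not from a real device; the value is the one posted above.
SAMPLE_CONFIG = "# constructed sample\nOpFlag:0x00000012\n"


def parse_opflag(text):
    """Parse an OpFlag value written as 0x... hex or as plain decimal."""
    text = text.strip()
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def web_config_allowed(opflag):
    """True when bit 7 is clear, i.e. the web interface can still be used."""
    return (opflag & WEB_CONFIG_DISABLE) == 0


def harden(opflag):
    """Set bit 7 and leave every other bit of the flag word unchanged."""
    return opflag | WEB_CONFIG_DISABLE


def audit_config(text):
    """Return (rewritten_text, findings); findings is empty if no OpFlag line."""
    out, findings = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = OPFLAG_LINE.match(line)
        if m:
            old = parse_opflag(m.group(2))
            findings.append((lineno, old, harden(old), web_config_allowed(old)))
            line = f"{m.group(1)}0x{harden(old):08X}{m.group(3)}"
        out.append(line)
    return "\n".join(out) + "\n", findings


if __name__ == "__main__":
    new_text, findings = audit_config(SAMPLE_CONFIG)
    for lineno, old, new, allowed in findings:
        state = "ALLOWED" if allowed else "disabled"
        print(f"line {lineno}: OpFlag 0x{old:08X} -> web config {state}; "
              f"hardened value 0x{new:08X}")
    if not findings:
        print("no OpFlag line found")
```

Running the same check against the configuration file on the TFTP server, as well as the value shown on the device, shows whether a reboot would bring back a value with bit 7 clear.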
