CUCM and TFTP file detection vulnerability

webstd.design
Level 1

Hello

Here is post

http://www.vulnerabilityscanning.com/TFTP-file-detection-Cisco-CallManager--Test_19507.htm

My security says this is a risk vulnerability and I should minimize it. How can I minimize this vulnerability?

Thank you!

6 Replies

webstd.design
Level 1

Can anybody answer this question?

Is this vulnerability high, or is this OK from the security side?

Hello, all.

Have you finally found a solution for how to fix the "Cisco CallManager tftp Accessible Vulnerability"? If yes, please share the fix procedure. Thanks.


That forum post is jumbled nonsense on a page full of ads, I would not give it a lot of merit.


The UCM runs TFTP services for devices to obtain configurations, firmware, ringtones, and other support files.

I would refer to the security guide for the version of the product you're running, and the SRND/PA for overall architecture considerations with regard to system security.


The guide for 12.5SU5 is linked below:


https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/12_5_1SU5/cucm_b_security-guide-1251su5.html


Basic principles apply. Don't run the services if you're not using them, and place appropriate access controls such as a firewall or other network boundary between the UCM and networks that do not require access.

Hi, Adam.

Thanks for the info. I have CUCM 11.5 Unrestricted and, based on the security guide, I have no option to enable secure TFTP to protect the phone configuration xml.sgn files (no cryptography in Unrestricted releases; phones pull their configuration in unencrypted form, without authentication, from a TFTP server).

I am trying to find alternate methods to allow Cisco phones to download/store configurations from the CUCM TFTP server securely (Secure TFTP, etc.).

There are a few articles describing that CUCM stores phone configuration files as plain-text xml.cfg files, and any user inside the network may read them and potentially change them.


https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200408-Retrieve-Phone-Configuration-File-from-T.html


https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200769-Two-Ways-to-Obtain-a-Phone-s-Configurati.html


I need to mitigate/close this Cisco Call Manager TFTP Accessible Vulnerability risk.

Hi Nikolay,

Sorry, I'm not completely familiar with the limitations that come with the unrestricted export version.
If it's cryptography in its totality and certificates aren't in use, then even ITL and TVS services won't help you there.

I suppose I would look at hardening whatever I could, or validating compliance if possible.

Configuration passwords on the device, disabling the PC port if not needed.
Web server can be off to prevent some information exposure, if accessed, but you could also potentially use it to scrape the device configurations and look to see if Alternate TFTP has been set.
If you can secure your network with 802.1x or some other means to allow only the devices you intend to have access to a network, which in turn can access the TFTP services, that's about it that I can think of.

Sorry that's not of much help, though we've just gone through this exercise ourselves.
As we're using MRA for Jabber we're able to keep requests from those endpoints limited to a subset of addresses, and we can restrict general access to TFTP from elsewhere, even in the corporate network.
It's otherwise largely intended to be available and not authenticated outside of the signing mechanisms and certificate trust that are available at least in some circumstances.

Best,

Adam
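A practical way to validate the network-boundary advice in the two replies above (firewall/ACL between UCM and networks that do not need it, 802.1x so only intended devices reach TFTP) is to probe UDP/69 from a segment that should be blocked. The script below is an added example, not code from the original thread or from Cisco: it builds an RFC 1350 TFTP read request, classifies the server's first reply, and reports the service as reachable if it answers at all, since even a "File not found" error proves the segment can talk to the TFTP service. The SEP<MAC>.cnf.xml file name follows the Cisco phone configuration naming used in the linked support articles; the host 192.0.2.10 and the MAC 00:11:22:33:44:55 are placeholders chosen for this example.

```python
"""
Probe whether a Cisco UCM TFTP service answers from the current network segment.

Added example for checking a firewall/ACL boundary. Sends one TFTP read request
(RRQ, RFC 1350) and classifies the first packet that comes back. It never ACKs a
DATA block, so at most the first 512 bytes of a file are ever received.
"""
import socket
import struct

OPCODE_RRQ = 1
OPCODE_DATA = 3
OPCODE_ERROR = 5
TFTP_PORT = 69


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """Encode a TFTP read request: 2-byte opcode, filename, NUL, mode, NUL."""
    return (struct.pack("!H", OPCODE_RRQ)
            + filename.encode("ascii") + b"\x00"
            + mode.encode("ascii") + b"\x00")


def phone_config_name(mac: str) -> str:
    """Cisco phones request SEP<MAC>.cnf.xml; accept 00:11:22:33:44:55 style input."""
    clean = mac.replace(":", "").replace("-", "").replace(".", "").upper()
    if len(clean) != 12 or any(c not in "0123456789ABCDEF" for c in clean):
        raise ValueError("MAC must be 12 hexadecimal digits")
    return f"SEP{clean}.cnf.xml"


def parse_reply(packet: bytes) -> dict:
    """Classify the first TFTP packet a server sends in response to an RRQ."""
    if len(packet) < 4:
        raise ValueError("truncated TFTP packet")
    opcode = struct.unpack("!H", packet[:2])[0]
    if opcode == OPCODE_DATA:
        block = struct.unpack("!H", packet[2:4])[0]
        return {"kind": "data", "block": block, "payload": packet[4:]}
    if opcode == OPCODE_ERROR:
        code = struct.unpack("!H", packet[2:4])[0]
        message = packet[4:].split(b"\x00", 1)[0].decode("ascii", "replace")
        return {"kind": "error", "code": code, "message": message}
    return {"kind": "other", "opcode": opcode}


def reachable(result: dict) -> bool:
    """Any answer, DATA or ERROR, means the TFTP service is reachable from here."""
    return result["kind"] in ("data", "error")


def probe(host: str, filename: str, timeout: float = 2.0) -> dict:
    """Send a single RRQ for `filename` to `host` and return the parsed reply.

    No retransmission is attempted; a silent drop (firewall, no route) is reported
    as {"kind": "no-reply"} after `timeout` seconds.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_rrq(filename), (host, TFTP_PORT))
        try:
            packet, _ = sock.recvfrom(1024)
        except socket.timeout:
            return {"kind": "no-reply"}
        return parse_reply(packet)
    finally:
        sock.close()


if __name__ == "__main__":
    # Placeholder host and MAC for this example; replace with your UCM TFTP
    # address and a real phone MAC when running from the segment under test.
    host = "192.0.2.10"
    # A name that cannot exist: a reachable server answers ERROR "File not found",
    # so reachability can be checked without pulling any phone configuration.
    for name in ("ZZZ-boundary-check.cnf.xml", phone_config_name("00:11:22:33:44:55")):
        result = probe(host, name)
        status = "REACHABLE" if reachable(result) else "blocked/no reply"
        print(f"{name}: {status} ({result['kind']})")
```

Run it first from the phone VLAN (expect a reply) and then from segments that the firewall or 802.1x policy is supposed to exclude (expect "no-reply"). A DATA reply for a real SEP file from an excluded segment means the plain-text configuration described in the linked Cisco articles is readable from there, which is exactly the exposure the thread is trying to close.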

immadkhan_bcs
Level 1

These files do not themselves include any sensitive information, but do identify the TFTP server as being part of a Cisco CallManager environment. The CCM TFTP server is an essential part of providing VOIP handset functionality, so should not be exposed to unnecessary scrutiny.
