
tftp cucm

bluesea2010
Level 5

Hi,

The VAPT team has identified TFTP services as a vulnerability because they can retrieve files without any authentication. Consequently, I have restricted access exclusively to the phone VLAN. However, they are suggesting that this issue should be addressed at the system level, as ACLs are not considered a sufficient solution.

Please advise 

CUCM 11.5

https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200408-Retrieve-Phone-Configuration-File-from-T.html

5 Replies

Well, about TFTP it's true, but you can apply encryption to all files exchanged between devices and CUCM so they would be useless to an attacker.

UC Security Design also includes the signaling and voice encryption if required.

HTH

Regards

Carlo

Please rate all helpful posts "The more you help the more you learn"

Hi @Carlo Poggiarelli 

To enable encryption on CUCM, does it have any prerequisites?

Thanks

Hi,

Thanks for your vote

7906 supports encryption and is still a CUCM-supported model even if it has reached its end of life about 8 years ago.

Regarding files, well, they are configuration files, ringtones and images. An attacker could retrieve network info and personal data such as users' names and extensions but, except for privacy, nothing that can compromise other systems.

Obviously, it’s up to your network/security engineer to protect the rest of your infrastructure.

Here is a security guide that could be helpful.

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/12_0_1/secugd/cucm_b_cucm-security-guide-1201/cucm_b_cucm-security-guide-1201_chapter_01011.html

HTH

Regards

Carlo


Hi,

I am also using the 6901 phone. For encrypting TFTP files, I need to change the security mode from default to mixed mode.

Does it have any impact?

Thanks

Hi,

It all depends on different factors:

Your actual deployment, number of devices/users, applications you are running (e.g. Voicemail, IM&P, Contact Center and so forth), number of sites.

For sure, when you change the cluster to Mixed Mode, all devices will use certificates to authenticate and decrypt files.

So you have to take care of certificate expiration on every core CUCM service.

The good news is that you don’t need hardware tokens (containing certificates) but you can generate tokens via the CUCM CLI.

Just follow the security guide and you’ll minimize the impact.

If you need further info, don’t hesitate to ask.

Regards

Carlo
