Quick Summary
TFTP Service Enabled on Internal Network is a network service misconfiguration where the Trivial File Transfer Protocol (TFTP) service is running and accessible within the internal network. TFTP does not provide authentication or encryption, which may allow unauthorized users to download or upload files, potentially exposing sensitive configurations or enabling malicious file placement.
Vulnerability Classification
| Field | Value |
|---|---|
| Vulnerability Type | Insecure File Transfer Service Exposure |
| CWE ID | CWE-319 – Cleartext Transmission of Sensitive Information |
| CVE ID | N/A (Configuration Issue) |
| CVSS 4.0 Base Score | 7.6 (High) |
| CVSS Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L |
| OWASP Category | A05:2021 – Security Misconfiguration |
| Attack Surface | Internal Network |
Affected Asset / Environment
- Service: TFTP
- Default Port: 69 (UDP)
- Common Use Cases: Network device firmware transfer, configuration backup
- Platforms: Linux Servers, Routers, Switches
- Testing Method: Internal Network Assessment
- Tools Used: Nmap, tftp client
Description
The assessor observed that the TFTP service is enabled and accessible on the internal network. TFTP is a simple file transfer protocol that does not implement authentication, encryption, or access control mechanisms.
During testing, it was possible to interact with the TFTP service without providing credentials. In some configurations, sensitive configuration files or firmware images may be accessible.
Because TFTP transmits data in plaintext and lacks access controls, it should not be enabled on production networks unless strictly required and properly restricted.
Root Cause
The issue occurs due to a legacy or default configuration in which the TFTP service is enabled without secure restrictions.
Common root causes include:
- Default TFTP service left enabled
- No authentication mechanism implemented
- Inadequate firewall restrictions
- Misconfigured file permissions
- Lack of network segmentation
Business Impact
Exploitation of this vulnerability may allow attackers to download configuration backups containing credentials, network topology, or sensitive operational data.
If upload access is permitted, attackers may replace configuration files or firmware images, potentially disrupting network devices or implanting malicious content.
In enterprise environments, exposure of device configuration files may facilitate lateral movement and privilege escalation.
Technical Impact
An attacker can:
- Enumerate accessible files
- Download configuration backups
- Upload malicious files (if write enabled)
- Intercept file transfers due to lack of encryption
- Facilitate further network compromise
Although often considered low risk, exposed TFTP services can significantly assist reconnaissance and device compromise.
Proof of Concept (PoC)
Step 1: Identify TFTP Service

```
nmap -sU -p 69 <target-ip>
```

If port 69/udp is open and identified as TFTP, proceed to validation.

Step 2: Attempt File Retrieval

```
tftp <target-ip>
get filename.conf
```

If file download succeeds without authentication, unauthorized access is confirmed.

Step 3: Enumerate TFTP Server (If Supported)

```
nmap --script tftp-enum -p 69 <target-ip>
```

If accessible files are listed, exposure is validated.

Step 4: Attempt File Upload (Authorized Testing Only)

```
tftp <target-ip>
put test.txt
```

If upload succeeds without authentication, write access is enabled.
Exploitation Prerequisites
- Network access to UDP port 69
- TFTP service enabled
- No authentication or IP-based restriction
- Insecure file permissions
Remediation
It is recommended that the TFTP service be disabled unless strictly required.
Recommended actions:
- Disable TFTP service on production systems
- Restrict access to trusted IP addresses only
- Implement firewall rules to block UDP port 69
- Replace TFTP with secure file transfer protocols such as SFTP
- Regularly audit network services
After applying changes, verify that unauthorized access to port 69 is blocked.
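Where TFTP cannot be removed outright, the remediation above comes down to binding the daemon to a management address, chrooting it, and denying uploads. The following audit script is an added example (not part of this finding or of any vendor tooling). It parses the `TFTP_ADDRESS` and `TFTP_OPTIONS` lines of a tftpd-hpa defaults file (`/etc/default/tftpd-hpa` on Debian-derived systems) and flags the settings that produce the exposure described here. The two configurations embedded in it are constructed samples: one typical weak default and one hardened variant.

```python
"""Audit a tftpd-hpa defaults file for the weaknesses described in this finding.

Added example; the WEAK_CONFIG and HARDENED_CONFIG strings are constructed
samples, not configurations taken from the assessed environment.
"""
import shlex

# Constructed sample: daemon listens on every interface, may create new files
# (anonymous upload) and skips file permission checks.
WEAK_CONFIG = '''
TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/srv/tftp"
TFTP_ADDRESS=":69"
TFTP_OPTIONS="--create --permissive"
'''

# Constructed sample: bound to a management address, chrooted into
# TFTP_DIRECTORY (--secure), no file creation.  A host firewall limiting
# UDP/69 to trusted sources is still required on top of this.
HARDENED_CONFIG = '''
TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/srv/tftp"
TFTP_ADDRESS="10.10.0.5:69"
TFTP_OPTIONS="--secure --umask 077"
'''


def parse_defaults(text):
    """Return KEY -> value for a shell-style KEY="value" defaults file."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = " ".join(shlex.split(value))
    return settings


def normalize_options(option_string):
    """Expand combined short flags (-cs -> -c, -s); option values are dropped."""
    flags = set()
    for token in option_string.split():
        if token.startswith("--"):
            flags.add(token)
        elif token.startswith("-") and len(token) > 1:
            flags.update("-" + ch for ch in token[1:])
    return flags


def audit_tftpd(text):
    """Return a list of findings; an empty list means no weakness was detected."""
    cfg = parse_defaults(text)
    flags = normalize_options(cfg.get("TFTP_OPTIONS", ""))
    address = cfg.get("TFTP_ADDRESS", ":69")
    host = address.rsplit(":", 1)[0]
    findings = []
    if host in ("", "0.0.0.0", "::", "[::]"):
        findings.append("listens on all interfaces (TFTP_ADDRESS=%r)" % address)
    if not flags & {"--secure", "-s"}:
        findings.append("not chrooted into TFTP_DIRECTORY (missing --secure)")
    if flags & {"--create", "-c"}:
        findings.append("anonymous creation of new files enabled (--create)")
    if flags & {"--permissive", "-p"}:
        findings.append("file permission checks disabled (--permissive)")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_tftpd(text)
        print("%s config: %s" % (name, "OK" if not result else ""))
        for item in result:
            print("  - " + item)
```

Run it against the real defaults file with `audit_tftpd(open("/etc/default/tftpd-hpa").read())`; any non-empty result maps directly onto one of the remediation bullets above.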
Detection and Monitoring
- Monitor network traffic for TFTP activity
- Alert on unexpected file transfer events
- Conduct periodic internal port scanning
- Review configuration of network devices using TFTP
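As an added example of the monitoring points above (not part of this finding), the script below turns tftpd-hpa syslog output into alerts: every write request (`WRQ`) is flagged, because uploads should never occur on a read-only server, and every read request (`RRQ`) from a source outside an allowlist of management hosts is flagged as unexpected. The log lines and the allowlist are constructed samples in the format `in.tftpd` emits when run verbosely; adapt the regular expression if your daemon logs differently.

```python
"""Raise alerts from TFTP server logs.

Added example.  SAMPLE_LOG and TRUSTED_SOURCES are constructed; the message
format mirrors tftpd-hpa's verbose "RRQ/WRQ from <ip> filename <name>" lines.
"""
import re
from collections import Counter

# Constructed syslog excerpt: one expected read from a management host,
# one read and one upload from a workstation subnet, plus unrelated noise.
SAMPLE_LOG = """\
Mar  3 10:14:02 tftp01 in.tftpd[2211]: RRQ from 10.10.0.5 filename switch-core.cfg
Mar  3 10:14:09 tftp01 in.tftpd[2213]: RRQ from 10.10.50.77 filename switch-core.cfg
Mar  3 10:15:30 tftp01 in.tftpd[2220]: WRQ from 10.10.50.77 filename test.txt
Mar  3 10:16:44 tftp01 sshd[2230]: Accepted publickey for admin from 10.10.0.5 port 51022 ssh2
"""

# Constructed allowlist: hosts that legitimately pull device configs.
TRUSTED_SOURCES = {"10.10.0.5"}

TFTP_RE = re.compile(
    r"in\.tftpd\[\d+\]: (?P<op>RRQ|WRQ) from (?P<src>\S+) filename (?P<file>\S+)"
)


def parse_tftp_events(lines):
    """Yield (op, src, filename) for each TFTP request line; skip the rest."""
    for line in lines:
        match = TFTP_RE.search(line)
        if match:
            yield match.group("op"), match.group("src"), match.group("file")


def detect_tftp_activity(lines, trusted):
    """Return alerts as (severity, message) tuples in log order."""
    alerts = []
    for op, src, filename in parse_tftp_events(lines):
        if op == "WRQ":
            alerts.append(("high", "upload of %s from %s" % (filename, src)))
        elif src not in trusted:
            alerts.append(("medium", "download of %s from untrusted %s" % (filename, src)))
    return alerts


def requests_per_source(lines):
    """Count requests by source address; useful for spotting enumeration."""
    return Counter(src for _, src, _ in parse_tftp_events(lines))


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for severity, message in detect_tftp_activity(lines, TRUSTED_SOURCES):
        print("[%s] %s" % (severity.upper(), message))
    for src, count in requests_per_source(lines).most_common():
        print("%s: %d request(s)" % (src, count))
```

Feeding the same function a live `journalctl -u tftpd-hpa -f` stream, or the SIEM's copy of the server's syslog, gives the periodic review in the last bullet a concrete, repeatable check.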
