Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Yealink Configuration Encrypt Tool Static AES Key

🗓️ 21 Feb 2024 00:00:00Reported by Jeroen J.A.W. HermansType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 691 Views

Yealink Configuration Encrypt Tool with Insecure Static AES Key Compromising Confidentialit

Related
Code
ReporterTitlePublishedViews
Family
Circl		CVE-2024-24681
21 Feb 202407:21
circl
CNNVD		Yealink Config Encrypt Tool Security Vulnerability
23 Feb 202400:00
cnnvd
CVE		CVE-2024-24681
23 Feb 202400:00
cve
Cvelist		CVE-2024-24681
23 Feb 202400:00
cvelist
EUVD		EUVD-2024-22081
3 Oct 202520:07
euvd
NVD		CVE-2024-24681
23 Feb 202423:15
nvd
OSV		CVE-2024-24681
23 Feb 202423:15
osv
Prion		Hardcoded credentials
23 Feb 202423:15
prion
RedhatCVE		CVE-2024-24681
23 May 202510:04
redhatcve
Vulnrichment		CVE-2024-24681
23 Feb 202400:00
vulnrichment
Rows per page
`CloudAware Security Advisory  
  
CVE-2024-24681: Insecure AES key in Yealink Configuration Encrypt Tool  
  
  
========================================================================  
Summary  
========================================================================  
A single, vendorwide, hardcoded AES key in the configuration tool used to  
encrypt provisioning documents was leaked leading to a compromise of  
confidentiality of provisioning documents.  
  
========================================================================  
Product  
========================================================================  
* Yealink Configuration Encrypt Tool (AES version)  
* Yealink Configuration Encrypt Tool (RSA version <v1.2)  
  
========================================================================  
Detailed description  
========================================================================  
The Yealink Configuration Encrypt Tool facilites provisioning and   
configuration mangement  
of Yealink products, such as VoIP phones. The tool created AES encrypted   
provisioning  
documents, containing configuration directives such as  
username=user1  
passwword=passw0rd!  
serverhost=sip.host.com  
callerid=+19051231212  
The files created by this tool are then transferred to the Yealink   
equipment. The equipment  
decrypts the files and uses them to configure itself.  
This process needs to be secure. So these files are encrypted.  
The decryption is done by a static, hardcoded, key that is identical   
across all installs and  
customers. After decryption of this file by the hardcoded AES key   
confidential information,  
such as user passwords are visible in plain text.  
This implies that knowledge of this hardcoded key allows for the   
disclosure of sensitive  
information from the configuration files, or that files with different   
information can be  
introduced and are axiomatically trusted by the phone.  
As this key is static - this includes historic files from any customer   
that used this tool.  
The vendor has fixed this in version 1.2 of the Configuration Encrypt Tool.  
  
========================================================================  
Solution  
========================================================================  
1) Upgrade Yealink Configuration Encrypt Tool to version 1.2  
2) Evaluate the impact of the disclosure of any configurations rolled   
out with  
prior versions of this tool (including, specifically, the leaking of   
passwords)  
  
========================================================================  
Mitigation  
========================================================================  
1) If an upgrade is not an option - as `anyone' can create valid   
configuration  
files; ensure that affected equipment is unable to reach provisioning   
servers.  
2) Evaluate the impact of the disclosure of any configurations rolled   
out prior  
to these mitigation steps  
  
========================================================================  
Weblinks  
========================================================================  
https://github.com/gitaware/CVE/tree/main/CVE-2024-24681  
  
========================================================================  
History  
========================================================================  
early 2020, release of Configuration Encrypt Tool v1 containing RSA   
encryption method  
juli 2022, Yealink informed “old” AES key still present and working in tool  
2023, new version of Configuration Encrypt Tool v1.2 without a hardcoded   
AES  
encryptionkey  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
21 Feb 2024 00:00Current
7.4High risk
Vulners AI Score7.4
EPSS0.00205
yealinkconfigurationstatic aes keycompromiseconfidentialityprovisioningdocumentsencryptionrsavulnerability
691