Yealink Configuration Encrypt Tool Static AES Key

CloudAware Security AdvisoryCVE-2024-24681: Insecure AES key in Yealink Configuration Encrypt Tool========================================================================Summary========================================================================A single, vendorwide, hardcoded AES key in the configuration tool used toencrypt provisioning documents was leaked leading to a compromise ofconfidentiality of provisioning documents.========================================================================Product========================================================================* Yealink Configuration Encrypt Tool (AES version)* Yealink Configuration Encrypt Tool (RSA version <v1.2)========================================================================Detailed description========================================================================The Yealink Configuration Encrypt Tool facilites provisioning and configuration mangementof Yealink products, such as VoIP phones. The tool created AES encrypted provisioningdocuments, containing configuration directives such asusername=user1passwword=passw0rd!serverhost=sip.host.comcallerid=+19051231212The files created by this tool are then transferred to the Yealink equipment. The equipmentdecrypts the files and uses them to configure itself.This process needs to be secure. So these files are encrypted.The decryption is done by a static, hardcoded, key that is identical across all installs andcustomers. After decryption of this file by the hardcoded AES key confidential information,such as user passwords are visible in plain text.This implies that knowledge of this hardcoded key allows for the disclosure of sensitiveinformation from the configuration files, or that files with different information can beintroduced and are axiomatically trusted by the phone.As this key is static - this includes historic files from any customer that used this tool.The vendor has fixed this in version 1.2 of the Configuration Encrypt Tool.========================================================================Solution========================================================================1) Upgrade Yealink Configuration Encrypt Tool to version 1.22) Evaluate the impact of the disclosure of any configurations rolled out withprior versions of this tool (including, specifically, the leaking of passwords)========================================================================Mitigation========================================================================1) If an upgrade is not an option - as `anyone' can create valid configurationfiles; ensure that affected equipment is unable to reach provisioning servers.2) Evaluate the impact of the disclosure of any configurations rolled out priorto these mitigation steps========================================================================Weblinks========================================================================https://github.com/gitaware/CVE/tree/main/CVE-2024-24681========================================================================History========================================================================early 2020, release of Configuration Encrypt Tool v1 containing RSA encryption methodjuli 2022, Yealink informed “old” AES key still present and working in tool2023, new version of Configuration Encrypt Tool v1.2 without a hardcoded AESencryptionkey