Online Webinar: Discover the Latest AI-Powered AV Solutions for Next-gen Digtial Workpace > Yealink Meetingbar Series - All Rooms Plug-and-Play > Yealink 4th-Gen MVC Series – Discover the Next-Gen Hybrid Meeting Room Solutions > Trade-In Campaign – Upgrade to Yealink with Android 13 or Windows 11 + MDEP
EN
English Español Français Deutsch Nederlands Português 中文
Contact Sales
Products
Microsoft | Zoom Device Headsets IP Phone Management Platform
Others
EoS Products EoL Products Products A-Z
Business Solutions
Microsoft Solutions NEW Zoom Solutions By Meeting Space HOT By Industry By Scenario NEW For Strategic Partners
Essential Tools
Live Demo Service Room Configurator Deployment Tools Room Device Calculator Headset Selector NEW Headset Compatible Center NEW
Yealink Support
Pre-Sale Service After-Sale Service Trust Center Resource Center Yealink Academy Policy Center
Yealink Partner
Partners Online Reseller IP Phone Engineer Microsoft Solution Engineer Headset Solution Engineer Multicell Engineer
Company
About Yealink News & Insights Customer Stories Sustainability Contact Us
Teams Rooms System NEW HOT
Zoom Rooms System
USB Cameras & BYOD Kits NEW
AIOT Room Device
Room Audio Devices
Room System Accessories NEW
Room Mount Kit
Teams Phones
Zoom Phones
Bluetooth Wireless Headsets
DECT Wireless Headsets NEW
Wired Headsets NEW
Speakerphones NEW
Headset Accessories
Headset Selector
T5 Series
T4 Series
T3 Series
Teams Phones
Zoom Phones
Conference Phones
DECT Phones
Wi-Fi IP Phone NEW
Phone Accessories
Device Management Platform (YDMP)
Management Cloud Service (YMCS)
USB Connect Management
Teams Room
Teams Phone
AV ONE NEW
SkySound Audio Solution NEW
Zoom Rooms
Zoom Phone
Zoom Meetings
Small Room
Medium Room HOT
Large Room NEW HOT
Extra-Large Room NEW
Finance
Education
Healthcare
Manufacturing
Future Workers
Headset&Handset
Personal Collaboration
Desktop Video
Video Conferencing NEW
RingCentral Solutions
3CX Solution
Extron Solution
BroadSoft Solution
Metaswitch Solution
BlueJeans Solution
Online Demo for MTR
Customer Experience Center
Room Configurator
Device Calculator
Headset Compatibility
Support Home
Submit a Ticket
Assurance Maintenance System
Partner PrimeCare Service
Hotline Service
Device Management Service
Overview
Security&Compliance
Privacy
Resources
Security Advisories
Software
Materials
Videos
Learning Center
Training List
Certification Portal
Webniar & Events
End-of-Life Policy
Vulnerability Disclosure Policy
Partner Center
Channel Partners
Technology Partners
Carrier and ITSP Partners
Program Overview
Authorized Online Reseller
Unauthorized Yealink Online Reseller
Find an Authorized Online Reseller
Become an Authorized Online Reseller
Opportunity Registration
Junior Certified IP Phone Engineer
Senior Certified IP Phone Engineer
Certified IP Phone Sales Engineer
Yealink Microsoft Solution Sales Course
Yealink Microsoft Solution Technical Course
Certified Headset Solution Specialist
Certified Headset Solution Professional
Certified Multicell Engineer
Company Profile
Company Honors
Webniar & Events
Global Privacy Statement
Blog
News Center
Room Design Center
Manufacturing
IT services
Education
Retail
Healthcare
Sustainable Development
Environmental
People
CSR
Resources
Contact Us
Contact Support
NEW
NEW
NEW
NEW
NEW
NEW
NEW
NEW
NEW
NEW
NEW
NEW
NEW
NEW
NEW

Yealink IP Phone WEB Server Vulnerabilities


CVE Dictionary Entry: CVE-2018-16221

CVE Dictionary Entry: CVE-2018-16218 

CVE Dictionary Entry: CVE-2018-16217 

DATE PUBLISHED: 2019-05-29


Please Note: 

Yealink takes the security of our customers and our products seriously. This is a living document and may be subject to updates.


Vulnerability Summary

The diagnostics web interface in the Yealink Ultra-elegant IP Phone SIP-T41P (firmware 66.83.0.35) does not validate (escape) the path information (path traversal), which allows an authenticated remote attacker to get access to privileged information (e.g., /etc/passwd) via path traversal (relative path information in the file parameter of the corresponding POST request).


CVE-2018-16221 Vulnerability CVSS

CVSS Severity: HIGH

CVSS Score: 8.0

CVSS Vector String: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H


CVE-2018-16218 Vulnerability CVSS

CVSS Severity: HIGH

CVSS Score: 8.8

CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H


CVE-2018-16217 Vulnerability CVSS

CVSS Severity: HIGH

CVSS Score: 8.8

CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H


Solution

Yealink has released software updates to all affected phone models that contain fixes for these issues as well as other fixes and features. Please refer to the release notes for your particular endpoint for more information.



Phone Series

Product Family and Model

Fixed Software Release

SIP-T27P

45.83.0.120

SIP-T29G

46.83.0.120

SIP-T41P

36.83.0.120

SIP-T42G

29.83.0.120

SIP-T46G

28.83.0.120

SIP-T48G

35.83.0.120

SIP-T19P_E2

53.84.0.130

SIP-T21P_E2

52.84.0.130

SIP-T23G

44.84.0.130

SIP-T40P

54.84.0.130

SIP-T40G

76.84.0.130

SIP-T52S/T54S

70.84.0.80

SIP-CP920

78.86.0.15

T4XS Series Phones

66. 86.0.15

T4XU Series Phones

108.86.0.60

T3X Series Phones

124.86.0.60

T5X Series Phones

96.86.0.60

SIP-T58

58.86.0.5

SIP-CP960

73.86.0.5

SIP-VP59

91.86.0.5

SIP-T58W

150.86.0.35

SIP-CP965

143.86.0.5

VP59-Zoom

91.30.0.30

MP5X-Zoom

122.30.0.15

MP5X-Teams

122.15.0.9

T5X-Teams

58.15.0.53

CP960-Teams

73.15.0.163

CP965-Teams

143.15.0.12




VCS Series

Product Family and Model

Fixed Software Release

VC210 Series

118.320.0.15

MeetingEye400 Series

120.320.0.15

MeetingEye400Pro Series

133.320.0.15

MeetingEye800 Series

129.320.0.30

VP59-VCS

91.353.0.10

MeetingEye400 Series

120.320.0.15

CTP18

137.353.0.15

MeetingBarA20/A30

133.15.0.105

MeetingBoard65

155.310.0.15

RoomPanel

147.15.0.33

RoomCast

144.312.0.5


The software, release notes, and other documentation for your voice endpoint can be found at: https://support.yealink.com/en/portal/home




Mitigation

Yealink recommends all customers upgrade to the latest version.




Contact

Any customer using an affected system who is concerned about this vulnerability within their deployment should contact Yealink Technical Support by visiting: https://support.yealink.com/en/portal/home for the latest information.

You might also find value in the high-level security guidance and security news located at: https://support.yealink.com/en/portal/home



Your Privacy
Strictly Necessary Cookies
Preferences Cookies
Statistics Cookies
Targeted Cookies
PRIVACY PREFERENCE CENTER
When you visit any website, the website stores or retrieves information from your browser, mostly in the form of Cookies. This information may relate to your personal information, preferences or device information and is used primarily to enable the website to provide the services you expect. This information does not usually directly identify you personally, but can provide you with a more personalized web experience. We fully respect your privacy, so you can choose not to allow certain types of Cookies, simply by clicking on the name of a different Cookie category to learn more and change the default settings. However, blocking certain types of Cookies may affect your experience with the site and the services we can provide to you.
Learn more ->
Strictly Necessary Cookies
Always On
These Cookies are essential for users to navigate the site and use its features, which are necessary for the proper functioning of the site, and cannot be turned off on our system. They are set only for actions you do that are equivalent to service requests, such as setting up your login or populating a form.You can set your browser to block or alert you to such Cookies, but some features of the site will not work. These Cookies do not store any personally identifiable information.
Learn more ->
Preferences Cookies
These cookies are mainly used to record users' preferences while browsing the website and using its features. These cookies allow the website to remember your interactions with the website, choices you have made in the past and information you have entered, such as your preferred language or what your username and password are, so you can be logged in automatically. If you do not allow the use of such Cookies, you will not be able to enjoy a more convenient experience with the site.
Learn more ->
Statistics Cookies
These Cookies allow us to count the number of visits to our website and the sources of traffic in order to evaluate and improve the performance of our website. These Cookies also help us to understand the popularity of our pages and the activity of our visitors on the site. All information collected by such Cookies is aggregated to ensure that it remains anonymous. If you do not allow the use of such Cookies, we will have no way of knowing when you visit our site and will not be able to monitor site performance.
Learn more ->
Targeted Cookies
These Cookies may be set by our advertising partners through our website and may also be used by those companies to create profiles of your interests and to display relevant advertisements to you on other websites. These Cookies do not store personal information directly, but use some information that uniquely identifies your browser and Internet device. If you do not allow the use of such Cookies, the advertisements you see will be less targeted.
Learn more ->
PRIVACY PREFERENCE CENTER
Your Privacy
Your Privacy
When you visit any website, the website stores or retrieves information from your browser, mostly in the form of Cookies. This information may relate to your personal information, preferences or device information and is used primarily to enable the website to provide the services you expect. This information does not usually directly identify you personally, but can provide you with a more personalized web experience. We fully respect your privacy, so you can choose not to allow certain types of Cookies, simply by clicking on the name of a different Cookie category to learn more and change the default settings. However, blocking certain types of Cookies may affect your experience with the site and the services we can provide to you.
Learn more ->
Strictly Necessary Cookies
Strictly Necessary Cookies
Always On
These Cookies are essential for users to navigate the site and use its features, which are necessary for the proper functioning of the site, and cannot be turned off on our system. They are set only for actions you do that are equivalent to service requests, such as setting up your login or populating a form.You can set your browser to block or alert you to such Cookies, but some features of the site will not work. These Cookies do not store any personally identifiable information.
Learn more ->
Preferences Cookies
Preferences Cookies
These Cookies are primarily used to record the preferences of users as they navigate the site and use its features. These Cookies allow the website to remember the choices you have made in the past, such as which language you prefer or what your username and password are, so that you can automatically log in. If you do not allow the use of such Cookies, you will not be able to enjoy a more convenient experience with the site.
Learn more ->
Statistics Cookies
Statistics Cookies
These Cookies allow us to count the number of visits to our website and the sources of traffic in order to evaluate and improve the performance of our website. These Cookies also help us to understand the popularity of our pages and the activity of our visitors on the site. All information collected by such Cookies is aggregated to ensure that it remains anonymous. If you do not allow the use of such Cookies, we will have no way of knowing when you visit our site and will not be able to monitor site performance.
Learn more ->
Targeted Cookies
Targeted Cookies
These Cookies may be set by our advertising partners through our website and may also be used by those companies to create profiles of your interests and to display relevant advertisements to you on other websites. These Cookies do not store personal information directly, but use some information that uniquely identifies your browser and Internet device. If you do not allow the use of such Cookies, the advertisements you see will be less targeted.
Learn more ->
Except for necessary cookies, we may also use functional cookies (including third party cookies) to deliver experience for you. You can turn them off by clicking “configure". More information in cookies policy.
Configure I Accept