CVE Dictionary Entry: CVE-2019-14656
DATE PUBLISHED: 2019-10-08
Please Note:
Yealink takes the security of our customers and our products seriously. This is a living document and may be subject to updates. The latest version of this document can be found at the following URL: https://www.yealink.com/trust-center-resource
Vulnerability Summary
Yealink phones through 2019-08-04 do not properly check user roles in POST requests. Consequently, the default User account (with a password of user) can make admin requests via HTTP.
Solution
Yealink has released software updates to all affected phone models that contain fixes for these issues as well as other fixes and features. Please refer to the release notes for your particular endpoint for more information.
Phone Series
Product Family and Model | Fixed Software Release |
SIP-T27P | 45.83.0.120 |
SIP-T29G | 46.83.0.120 |
SIP-T41P | 36.83.0.120 |
SIP-T42G | 29.83.0.120 |
SIP-T46G | 28.83.0.120 |
SIP-T48G | 35.83.0.120 |
SIP-T19P_E2 | 53.84.0.130 |
SIP-T21P_E2 | 52.84.0.130 |
SIP-T23G | 44.84.0.130 |
SIP-T40P | 54.84.0.130 |
SIP-T40G | 76.84.0.130 |
SIP-T52S/T54S | 70.84.0.80 |
SIP-CP920 | 78.86.0.15 |
T4XS Series Phones | 66.86.0.15 |
T4XU Series Phones | 108.86.0.60 |
T3X Series Phones | 124.86.0.60 |
T5X Series Phones | 96.86.0.60 |
SIP-T58 | 58.86.0.5 |
SIP-CP960 | 73.86.0.5 |
SIP-VP59 | 91.86.0.5 |
SIP-T58W | 150.86.0.35 |
SIP-CP965 | 143.86.0.5 |
VP59-Zoom | 91.30.0.30 |
MP5X-Zoom | 122.30.0.15 |
MP5X-Teams | 122.15.0.9 |
T5X-Teams | 58.15.0.53 |
CP960-Teams | 73.15.0.163 |
CP965-Teams | 143.15.0.12 |
W60B | 146.85.0.35 |
W70B | 77.85.0.60 |
W80B | 103.83.0.80 |
W90B | 130.85.0.25 |
VCS Series
Product Family and Model | Fixed Software Release |
VC210 Series | 118.320.0.15 |
MeetingEye400 Series | 120.320.0.15 |
MeetingEye400Pro Series | 133.320.0.15 |
MeetingEye800 Series | 129.320.0.30 |
VP59-VCS | 91.353.0.10 |
MeetingBoard65 | 155.310.0.15 |
The software, release notes, and other documentation for your voice endpoint can be found at: https://support.yealink.com/en/portal/home
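As an added example (not Yealink's code), the following Python check compares an inventory of installed firmware versions with the fixed releases listed above. It embeds only a subset of the Phone Series rows, the inventory is constructed, and it assumes that the first field of a version string identifies the firmware family, so only versions sharing that field are compared.

```python
# Added example: audit a phone inventory against the advisory's fixed releases.
# Assumption: the first field of a version string identifies the firmware
# family, so two versions are only comparable when that field matches.

# Subset of the "Phone Series" table above (model -> fixed software release).
FIXED = {
    "SIP-T27P": "45.83.0.120",
    "SIP-T46G": "28.83.0.120",
    "SIP-T23G": "44.84.0.130",
    "SIP-CP920": "78.86.0.15",
    "W60B": "146.85.0.35",
}

def parse(version):
    """Return the four dotted fields as ints, or None if malformed."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def status(model, installed):
    """Classify one device as 'fixed', 'needs_upgrade' or 'unknown'."""
    fixed = FIXED.get(model)
    have = parse(installed)
    if fixed is None or have is None:
        return "unknown"      # model not in the table, or unparsable version
    want = parse(fixed)
    if have[0] != want[0]:
        return "unknown"      # different firmware family: do not compare
    return "fixed" if have[1:] >= want[1:] else "needs_upgrade"

def audit(inventory):
    """Map each (host, model, version) row to its status."""
    return {host: status(model, ver) for host, model, ver in inventory}

# Constructed sample inventory (hosts and installed versions are made up).
SAMPLE = [
    ("phone-01", "SIP-T46G", "28.83.0.120"),   # exactly the fixed release
    ("phone-02", "SIP-T46G", "28.83.0.50"),    # older build
    ("phone-03", "SIP-T23G", "44.84.0.140"),   # newer build
    ("phone-04", "SIP-T27P", "69.83.0.120"),   # family field mismatch
    ("phone-05", "SIP-CP920", "78.86.0"),      # malformed version
    ("phone-06", "SIP-T99X", "1.2.3.4"),       # model not in the table
]

if __name__ == "__main__":
    for host, result in audit(SAMPLE).items():
        print(f"{host}: {result}")
```

Devices reported as "unknown" need a manual check against the release notes rather than being treated as patched.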
Mitigation
Yealink recommends all customers upgrade to the latest version.
Contact
Any customer using an affected system who is concerned about this vulnerability within their deployment should contact Yealink Technical Support by visiting: https://support.yealink.com/en/portal/home for the latest information.
You might also find value in the high-level security guidance and security news located at: https://support.yealink.com/en/portal/home