CVE Number: NA
Published Date: September 2, 2022
Updated Date: March 27, 2023
Attention:
Yealink places great importance on the security of our customers and products. This is a dynamic document and may be subject to updates. The latest version of this document can be obtained from the following website: https://www.yealink.com/trust-center-resource
Vulnerability Summary
The Yealink Config Encrypt Tool add RSA V1.1 is publicly available on the official website and includes a default private.key and pub.key. Additionally, the User Guide on the official website mentions that this pub.key is the built-in RSA public key. Because the default private.key is publicly available, Autop deployment files encrypted with the default key carry the risk of decryption, which can lead to the loss of deployment information.
Affected Scope: Users who use the Yealink Config Encrypt Tool add RSA for encryption and perform Autop deployment via HTTP, FTP, or TFTP.
History Links: User Guide, Tool Download
Influenced Products
Product Family and Model | Affected | Fixed |
Yealink Config Encrypt Tool add RSA | <= V1.1 | V1.2 |
Solution
1. Re-encrypt the relevant configuration files using the new encryption tool. In the new release of the tool, the example private key information for Yealink Config Encrypt Tool add RSA Demo has been removed, and users are now required to create their own passwords.
2. Change the RSA encryption key and do not use the default encryption
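One way to check a provisioning server for the condition this advisory describes, as an added example that is not Yealink's code: it fingerprints key files and flags any that match the default private.key or pub.key from a V1.1 download. It assumes the key files are PEM-encoded; the function names, the command-line arguments and the sample key are constructed for illustration.

```python
import base64
import hashlib
import re
import sys
from pathlib import Path

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

# Constructed sample, not a real key: stands in for a default pub.key.
SAMPLE_DEFAULT = (
    "-----BEGIN PUBLIC KEY-----\n"
    "QUJDREVGR0hJSktMTU5PUA==\n"
    "-----END PUBLIC KEY-----\n"
)

def pem_fingerprint(text):
    """SHA-256 of the decoded PEM body, or None if no valid PEM block exists.

    Hashing the decoded bytes rather than the file means CRLF/LF changes or
    re-wrapped base64 lines do not hide a copy of the same key.
    """
    m = PEM_RE.search(text)
    if not m:
        return None
    body = "".join(m.group(2).split())
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return hashlib.sha256(der).hexdigest()

def find_default_keys(root, default_fingerprints):
    """Return sorted paths under root whose key matches a default fingerprint."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.stat().st_size > 64 * 1024:
            continue  # skip directories and files too large to be a key
        fp = pem_fingerprint(path.read_text(errors="ignore"))
        if fp is not None and fp in default_fingerprints:
            hits.append(str(path))
    return sorted(hits)

if __name__ == "__main__":
    # Assumed usage: <key file from the V1.1 download> <provisioning directory>
    ref = pem_fingerprint(Path(sys.argv[1]).read_text(errors="ignore"))
    if ref is None:
        sys.exit("reference file contains no PEM key")
    for hit in find_default_keys(sys.argv[2], {ref}):
        print("default key in use:", hit)
```

Any file the script reports means configuration files encrypted with that key should be re-encrypted with a key of your own, as the steps above describe.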
Resolution Measures
You can find the required software, release notes, and other documents at the following location: Yealink_Config_Encrypt_Tool_add_RSA_V1.2
Feedback
For any customers using affected systems who are concerned about this vulnerability in their deployment, please reach out to Yealink technical support for the latest information by visiting Yealink Support.
You can also find additional advanced security guidance and helpful content by searching in the Security News section of the Technical Support Center Yealink Support.