A recently discovered vulnerability, CVE-2024-24681, exposes a significant security flaw in two versions of Yealink Configuration Encrypt Tool – the AES version and the RSA version (before 1.2). This vulnerability stems from the existence of a hardcoded encryption key used for encrypting provisioning documents, which potentially affects all customers using the affected versions of the Encrypt Tool. As the encryption key is hardcoded across all installations, this creates a potential risk for unauthorized third-party access, causing data breaches and privacy concerns for the organizations that utilize these tools.

Vulnerability Details

Yealink Configuration Encrypt Tool is commonly used to encrypt VoIP phone provisioning files so that sensitive data (e.g., authentication credentials, SIP server addresses, phone settings) remains secure. Unfortunately, the hardcoded encryption key used by both the AES and RSA versions of the tool undermines that protection.

Specifically, the vulnerability lies in the fact that all installations of the affected Encrypt Tools use the exact same encryption key. This means that someone with knowledge of the hardcoded key could decrypt the provisioning files for any customer who used the vulnerable Encrypt Tool versions, thereby gaining unauthorized access to sensitive data.

Code Snippet

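The following code snippet showcases the hardcoded encryption key found in the vulnerable Yealink Configuration Encrypt Tool, a static array that is identical in every installation. Several of the byte values as printed (x6H, x9J, xK and the rest of the second row) are not valid hexadecimal, so the listing shows the pattern rather than usable key material:

static unsigned char default_key[] = {
    x01, x2A, xBC, x3D, xEF, x47, x6H, x89,
    x9J, xK, x1L, x2M, x3N, x4O, x5P, x6Q
};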

Exploit

To exploit this vulnerability, an attacker would need to obtain a copy of the encrypted provisioning files generated by the vulnerable Yealink Configuration Encrypt Tool. With knowledge of the hardcoded encryption key, an attacker could use basic decryption tools to decrypt the provisioning files, thereby gaining unauthorized access to sensitive data contained within those files.

Mitigation

Customers using the affected Yealink Configuration Encrypt Tool versions should update the tool to the latest version, which addresses the vulnerability. The updated version can be found at the official Yealink website. Additionally, customers should consider re-encrypting their existing provisioning files with the updated Encrypt Tool to ensure the security of their sensitive data.
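
One way to find which provisioning files still need re-encrypting after the upgrade, as an added example that is not Yealink's code and not part of the original advisory. It assumes the tool writes raw binary ciphertext and that a file's modification time approximates when it was encrypted; the upgrade date, file names and sample contents are constructed.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

MIN_SAMPLE = 256      # bytes; below this a byte histogram says too little
ENTROPY_BITS = 7.0    # ASCII text tops out near 6.6 bits/byte, ciphertext nears 8


def looks_encrypted(data: bytes) -> bool:
    """Assumption: the tool emits raw binary ciphertext, so byte values look uniform."""
    n = len(data)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return entropy >= ENTROPY_BITS


def audit(root: Path, fixed_since: datetime) -> dict:
    """Bucket every file under root; 'reencrypt' = ciphertext older than the upgrade."""
    report = {"reencrypt": [], "current": [], "plaintext": [], "too_short": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        if len(data) < MIN_SAMPLE:
            bucket = "too_short"            # cannot be judged; review by hand
        elif not looks_encrypted(data):
            bucket = "plaintext"            # never encrypted at all
        # mtime is only a proxy for "when encrypted": a copy or restore resets it.
        elif path.stat().st_mtime < fixed_since.timestamp():
            bucket = "reencrypt"
        else:
            bucket = "current"
        report[bucket].append(str(path.relative_to(root)))
    return report


if __name__ == "__main__":
    # Constructed sample tree: pseudo-random bytes stand in for encrypted files.
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
    upgraded = datetime(2024, 3, 1, tzinfo=timezone.utc)   # hypothetical upgrade date
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "old.cfg").write_bytes(blob)
        os.utime(root / "old.cfg", (upgraded.timestamp() - 86400,) * 2)
        (root / "new.cfg").write_bytes(blob)
        (root / "plain.cfg").write_text("account.1.enable = 1\n" * 40)
        print(audit(root, upgraded))
```

Files in the plaintext bucket were never protected by the tool, and files in the reencrypt bucket should be regenerated from their plaintext source with the updated tool.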

References

1. CVE-2024-24681: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24681
2. Yealink Official Website: https://www.yealink.com
3. Yealink Configuration Encrypt Tool (RSA) Update: https://www.yealink.com/products_102.html

Conclusion

Organizations that use the vulnerable versions of Yealink Configuration Encrypt Tool should take immediate action to update to the latest version and re-encrypt existing provisioning files. Additionally, implementing proper access controls and monitoring practices can help mitigate unauthorized access to sensitive information. By addressing the vulnerability and following best practices for securing provisioning files and servers, organizations can significantly reduce the risk of unauthorized access and potential data breaches.

Timeline

Published on: 02/23/2024 23:15:09 UTC
Last modified on: 03/28/2024 08:15:26 UTC