Yealink Forums
Vulnerability (Sweet32) - Printable Version


Vulnerability (Sweet32) - Lilpombo - 04-13-2022 02:39 AM

Hello, guys!

We did some vulnerability scans in our environment and found a vulnerability called "SWEET32" on some Yealink phones. I've updated the firmware to the last version and nothing ...

Has anyone been through this? Can you guys help me? What can I do to solve this?


RE: Vulnerability (Sweet32) - complex1 - 04-13-2022 04:08 PM

Hi,

Do not use DES, 3DES, IDEA or RC2 as the symmetric encryption cipher; upgrade the firmware or replace the phones with newer ones.


RE: Vulnerability (Sweet32) - Lilpombo - 04-19-2022 10:35 PM

Hi, many thanks for the reply.

The firmware is already updated. I'm trying to add a line to the cfg file of the phone. See:

sip.tls_cipher_list = AES:!ADH:!LOW:!EXPORT:!NULL
security.tls_cipher_list = AES:!ADH:!LOW:!EXPORT:!NULL
static.security.default_ssl_method = 5


I found someone in this forum with a similar problem... He made this alteration and solved the problem. But my new problem is: import of local config files has no effect.

I export a local config file (CFG file, I chose Local in the dropdown) via the phone's web interface
I edit the file
I import the file (same filename as before)
I OK the prompt that the phone should import the new file
The phone is busy and rebooting
None of the changes I made take effect (I re-export the local config file and it hasn't changed)


To me it looks like the import feature is not working for CFG files

Any ideas? Anybody successfully used this feature?
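
Added example (not part of the original thread and not Yealink code): a Python check that expands the cipher string from the post above with the local OpenSSL build and flags the 64-bit block ciphers named earlier in the thread (DES, 3DES, IDEA, RC2) in scanner output. The host names and scan results are constructed, and the phone's own TLS library may resolve the string differently.

```python
import ssl

# 64-bit block ciphers named in the thread: DES, 3DES, IDEA, RC2.
# Markers cover both OpenSSL-style and IANA-style suite names.
WEAK_MARKERS = ("3DES", "DES-CBC", "IDEA", "RC2")

def is_64bit_block(suite_name):
    """True if the suite name uses one of the 64-bit block ciphers above."""
    name = suite_name.upper().replace("_", "-")
    return any(marker in name for marker in WEAK_MARKERS)

def expand(cipher_string):
    """Expand an OpenSSL cipher string with the local OpenSSL build.

    Assumption: the phone's TLS library resolves the string the same way.
    TLS 1.3 suites are listed regardless of the string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []  # no suite in this build matches the string
    return [c["name"] for c in ctx.get_ciphers()]

def weak_suites(cipher_string):
    """Suites selected by the string that are exposed to SWEET32."""
    return [n for n in expand(cipher_string) if is_64bit_block(n)]

def sweet32_findings(scan):
    """Map each host to the 64-bit block suites a scanner saw it accept."""
    findings = {}
    for host, suites in scan.items():
        weak = [s for s in suites if is_64bit_block(s)]
        if weak:
            findings[host] = weak
    return findings

# Constructed sample data: hypothetical hosts and accepted suites.
SCAN = {
    "phone-a.example": ["ECDHE-RSA-AES256-GCM-SHA384", "DES-CBC3-SHA"],
    "phone-b.example": ["TLS_RSA_WITH_AES_128_CBC_SHA"],
    "base-c.example": ["TLS_RSA_WITH_3DES_EDE_CBC_SHA", "IDEA-CBC-SHA"],
}

if __name__ == "__main__":
    print("weak suites in cfg string:", weak_suites("AES:!ADH:!LOW:!EXPORT:!NULL"))
    print("hosts still accepting 64-bit block ciphers:", sweet32_findings(SCAN))
```

A device that ignores the cfg keys keeps its firmware default cipher list, so the scan result, not the string, is what confirms the fix.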


RE: Vulnerability (Sweet32) - complex1 - 04-19-2022 11:28 PM

Hi,

Are you referring to the question regarding the W52P/W56P models in this post?
http://forum.yealink.com/forum/showthread.php?tid=45753


RE: Vulnerability (Sweet32) - Lilpombo - 04-20-2022 12:31 AM

Yes :)


RE: Vulnerability (Sweet32) - complex1 - 04-20-2022 02:30 AM

Hi,

I'm afraid what you want to do is not possible with this model. This model is simply too old for this.

The below is not supported:
sip.tls_cipher_list = AES:!ADH:!LOW:!EXPORT:!NULL
security.tls_cipher_list = AES:!ADH:!LOW:!EXPORT:!NULL
static.security.default_ssl_method = 5


RE: Vulnerability (Sweet32) - Lilpombo - 07-18-2022 08:58 PM

Hello, good morning!


Well, I'm replying to this question again because I need to buy some new phones... Can you send me Yealink telephone models that don't have weak cipher or SWEET32 vulnerabilities?

Some where I can disable the SSL cipher and enable TLS...


RE: Vulnerability (Sweet32) - Lilpombo - Yesterday 10:10 PM

Hello!


I need to buy some new telephones... Can you send me Yealink telephone models that don't have weak cipher or SWEET32 vulnerabilities?


RE: Vulnerability (Sweet32) - complex1 - Today 03:08 AM

Hi,

Please contact your Yealink sales representative.