Weak SSL/TLS Key Exchange - Printable Version

+- Yealink Forums (http://forum.yealink.com/forum)
+-- Forum: IP Phone Series (/forumdisplay.php?fid=4)
+--- Forum: Configuration (/forumdisplay.php?fid=24)
+--- Thread: Weak SSL/TLS Key Exchange (/showthread.php?tid=46314)
Weak SSL/TLS Key Exchange - lance.nettles - 12-06-2022 10:19 PM

We recently had a vulnerability scan done and received a ton of notes on our Yealink IP Phones. We have models T21P, T21P_E2, T38G, T42G, T42S, T48G, T48S, mostly on the latest firmwares. Here is the description, as well as a single phone note. Any help on this would be appreciated.

Weak SSL/TLS Key Exchange

THREAT:
QID Detection Logic: For an SSL-enabled port, the scanner probes and maintains a list of supported SSL/TLS versions. For each supported version, the scanner does an SSL handshake to get a list of KEX methods supported by the server. It reports all KEX methods that are considered weak. The criteria for a weak KEX method are as follows: The SSL/TLS server supports key exchanges that are cryptographically weaker than recommended. Key exchanges should provide at least 112 bits of security, which translates to a minimum key size of 2048 bits for Diffie-Hellman and RSA key exchanges.

IMPACT:
An attacker with access to sufficient computational power might be able to recover the session key and decrypt session content.

SOLUTION:
Change the SSL/TLS server configuration to only allow strong key exchanges. Key exchanges should provide at least 112 bits of security, which translates to a minimum key size of 2048 bits for Diffie-Hellman and RSA key exchanges.

T38G - Firmware 38.70.0.228

RESULTS:
PROTOCOL  CIPHER NAME      GROUP            KEY-SIZE  FORWARD-SECRET  CLASSICAL-STRENGTH  QUANTUM-STRENGTH
SSLv2     DES-CBC3-MD5     RSA              1024      no              80                  low
SSLv2     EXP-RC4-MD5      RSA export-512   512       varies          57                  low
SSLv3     AES256-SHA       RSA              1024      no              80                  low
SSLv3     EXP1024-RC4-SHA  RSA export-1024  1024      varies          80                  low
TLSv1     AES256-SHA       RSA              1024      no              80                  low
TLSv1     EXP1024-RC4-SHA  RSA export-1024  1024      varies          80                  low
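As an added example (not from the original post, the scanner vendor or Yealink), the following Python script applies the criterion quoted above to a RESULTS table: a key exchange is weak when it gives under 112 bits of security, i.e. under 2048-bit RSA/DH. It assumes the CLASSICAL-STRENGTH column comes from the usual GNFS-based estimate (which does reproduce the 80 and 57 shown) and that the 2048-bit threshold follows the NIST SP 800-57 table; the sample rows are constructed from the T38G output plus one modern suite for contrast.

```python
"""Offline check of a scanner RESULTS table against its weak-KEX rule: >= 112 bits of security."""
import math
REQUIRED_BITS = 112
NIST_MIN_MODULUS = {80: 1024, 112: 2048, 128: 3072, 192: 7680, 256: 15360}  # SP 800-57
DEPRECATED = {"SSLv2": "RFC 6176", "SSLv3": "RFC 7568", "TLSv1": "RFC 8996", "TLSv1.1": "RFC 8996"}

def gnfs_strength_bits(modulus_bits: int) -> int:
    """Classical strength of an RSA/DH modulus from the GNFS run-time estimate (Lenstra /
    SP 800-57 style): 1024 -> 80, 512 -> 57 as in CLASSICAL-STRENGTH; 2048 -> ~110 (NIST: 112)."""
    n = modulus_bits * math.log(2)
    return round((1.923 * n ** (1 / 3) * math.log(n) ** (2 / 3) - 4.69) / math.log(2))

def is_weak_kex(group: str, key_bits: int) -> bool:
    """RSA/DH (export included) judged by modulus size; other groups assumed EC (strength ~ size/2)."""
    if group.startswith(("RSA", "DH", "export")):
        return key_bits < NIST_MIN_MODULUS[REQUIRED_BITS]
    return key_bits // 2 < REQUIRED_BITS

def parse_results(text: str) -> list:
    """Columns: PROTOCOL CIPHER GROUP KEY-SIZE FORWARD-SECRET CLASSICAL QUANTUM.
    GROUP may contain a space ('RSA export-512'), so take the fixed columns from both ends."""
    rows = []
    for line in text.strip().splitlines():
        t = line.split()
        size, fs, classical, quantum = t[-4:]
        rows.append({"protocol": t[0], "cipher": t[1], "group": " ".join(t[2:-4]),
                     "key_bits": int(size), "forward_secret": fs,
                     "classical": int(classical), "quantum": quantum})
    return rows

def assess(row: dict) -> list:
    f = []  # findings; an empty list means the key exchange is acceptable
    if is_weak_kex(row["group"], row["key_bits"]):
        f.append(f"weak KEX {row['group']} {row['key_bits']}-bit ({row['classical']} < {REQUIRED_BITS} bits)")
    if "export" in row["group"]:
        f.append("export-grade suite")
    if row["protocol"] in DEPRECATED:
        f.append(f"{row['protocol']} deprecated by {DEPRECATED[row['protocol']]}")
    if row["forward_secret"] != "yes":
        f.append("no forward secrecy (static RSA key exchange)")
    return f

# Constructed sample: two rows from the T38G output above plus one modern suite.
SAMPLE = """SSLv2 DES-CBC3-MD5 RSA 1024 no 80 low
SSLv2 EXP-RC4-MD5 RSA export-512 512 varies 57 low
TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 secp256r1 256 yes 128 low"""
if __name__ == "__main__":
    for row in parse_results(SAMPLE):
        print(f"{row['protocol']:8}{row['cipher']:32}{'; '.join(assess(row)) or 'OK'}")
```

Note that the estimate gives about 110 bits for a 2048-bit modulus, so the check compares key size against the 2048-bit minimum (as the scanner's solution text does) rather than the estimate itself.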