Yealink Forums
Weak SSL/TLS Key Exchange - Printable Version

+- Yealink Forums (http://forum.yealink.com/forum)
+-- Forum: IP Phone Series (/forumdisplay.php?fid=4)
+--- Forum: Configuration (/forumdisplay.php?fid=24)
+--- Thread: Weak SSL/TLS Key Exchange (/showthread.php?tid=46314)
Weak SSL/TLS Key Exchange - lance.nettles - 12-06-2022 10:19 PM

We recently had a vulnerability scan done and received a ton of notes on our Yealink IP Phones. We have models T21P, T21P_E2, T38G, T42G, T42S, T48G, T48S mostly on the latest firmwares. Here is the description, as well as a single phone note. Any help on this would be appreciated.

Weak SSL/TLS Key Exchange

THREAT:
QID Detection Logic:
For an SSL-enabled port, the scanner probes and maintains a list of supported SSL/TLS versions. For each supported version, the scanner does an SSL handshake to get a list of KEX methods supported by the server. It reports all KEX methods that are considered weak. The criteria of a weak KEX method is as follows:
The SSL/TLS server supports key exchanges that are cryptographically weaker than recommended. Key exchanges should provide at least 112 bits of security, which translates to a minimum key size of 2048 bits for Diffie-Hellman and RSA key exchanges.
IMPACT:
An attacker with access to sufficient computational power might be able to recover the session key and decrypt session content.
SOLUTION:
Change the SSL/TLS server configuration to only allow strong key exchanges. Key exchanges should provide at least 112 bits of security, which translates to a minimum key size of 2048 bits for Diffie-Hellman and RSA key exchanges.

T38G - Firmware 38.70.0.228
RESULTS:
PROTOCOL  CIPHER NAME        GROUP            KEY-SIZE  FORWARD-SECRET  CLASSICAL-STRENGTH  QUANTUM-STRENGTH
SSLv2     DES-CBC3-MD5       RSA              1024      no              80                  low
SSLv2     EXP-RC4-MD5        RSA export-512   512       varies          57                  low
SSLv3     AES256-SHA         RSA              1024      no              80                  low
SSLv3     EXP1024-RC4-SHA    RSA export-1024  1024      varies          80                  low
TLSv1     AES256-SHA         RSA              1024      no              80                  low
TLSv1     EXP1024-RC4-SHA    RSA export-1024  1024      varies          80                  low
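The rule the scanner applies above (a key exchange must provide at least 112 bits of security, i.e. 2048-bit RSA/DH) can be re-checked offline against the RESULTS table without re-running the scan. The script below is an added example, not code from the post, from Yealink or from the scanner vendor. It parses the T38G rows quoted above, derives the security strength of each key exchange from the NIST SP 800-57 comparable-strength table (RSA/finite-field DH: 1024 -> 80, 2048 -> 112, 3072 -> 128 bits; EC curves: P-256 -> 128 bits), and flags rows below the bar or using export-grade suites. Two extra TLSv1.2 rows (2048-bit DHE and P-256 ECDHE) are constructed, not from the scan, to show what a passing entry looks like. Treating keys smaller than 1024 bits as 0 bits of security is an assumption of this script; the scanner reports its own estimate (57 for the export-512 row).

```python
"""Re-check a 'Weak SSL/TLS Key Exchange' results table offline.

Added example (not from the forum post, Yealink or the scanner vendor).
"""
import re

MIN_SECURITY_BITS = 112  # the bar the finding cites

# NIST SP 800-57 Part 1 comparable strengths: modulus size -> security bits.
# Applies to RSA key transport and finite-field Diffie-Hellman.
RSA_DH_STRENGTH = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}
# Same source, elliptic-curve groups (ECDH/ECDHE): curve size -> security bits.
ECC_STRENGTH = {224: 112, 256: 128, 384: 192, 521: 256}

# Versions deprecated by RFC 6176 (SSLv2), RFC 7568 (SSLv3), RFC 8996 (TLS 1.0/1.1).
# Reported as a separate reason; it is not part of the key-exchange rule itself.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# One results row. GROUP may contain spaces ("RSA export-512", "ECDH P-256"),
# so it is matched lazily up to the numeric KEY-SIZE column.
ROW_RE = re.compile(
    r"^(?P<protocol>\S+)\s+(?P<cipher>\S+)\s+(?P<group>.+?)\s+"
    r"(?P<key_size>\d+)\s+(?P<forward_secret>\S+)\s+"
    r"(?P<classical>\d+)\s+(?P<quantum>\S+)$"
)


def security_bits(group, key_size):
    """Security strength of a key-exchange group of the given size.

    Uses the largest table entry not exceeding key_size. Sizes below the
    smallest entry (e.g. a 512-bit export RSA key) return 0 (assumption made
    here so they can never pass the bar).
    """
    table = ECC_STRENGTH if group.upper().startswith("ECDH") else RSA_DH_STRENGTH
    return max((bits for size, bits in table.items() if size <= key_size), default=0)


def parse_results(text):
    """Parse a RESULTS block (column header plus rows) into dicts."""
    rows = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("PROTOCOL"):
            continue  # blank line or the column header
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised results row: {line!r}")
        row = m.groupdict()
        row["key_size"] = int(row["key_size"])
        row["classical"] = int(row["classical"])
        rows.append(row)
    return rows


def assess(row):
    """Apply the finding's rule to one row and explain the verdict."""
    bits = security_bits(row["group"], row["key_size"])
    export = row["cipher"].startswith("EXP")
    reasons = []
    if export:
        reasons.append("export-grade cipher suite")
    if bits < MIN_SECURITY_BITS:
        reasons.append(f"{row['group']} {row['key_size']}-bit gives {bits} bits "
                       f"of security (< {MIN_SECURITY_BITS})")
    if row["protocol"] in DEPRECATED_PROTOCOLS:
        reasons.append(f"{row['protocol']} is a deprecated protocol version")
    return {"protocol": row["protocol"], "cipher": row["cipher"],
            "security_bits": bits,
            "weak_kex": export or bits < MIN_SECURITY_BITS,
            "reasons": reasons}


def weak_key_exchanges(text):
    """All rows of a RESULTS block that fail the key-exchange rule."""
    return [a for a in map(assess, parse_results(text)) if a["weak_kex"]]


# T38G rows as quoted in the post, plus two constructed TLSv1.2 rows (not from
# the scan) that show what a passing key exchange would look like.
SAMPLE_RESULTS = """\
PROTOCOL CIPHER NAME GROUP KEY-SIZE FORWARD-SECRET CLASSICAL-STRENGTH QUANTUM-STRENGTH
SSLv2 DES-CBC3-MD5 RSA 1024 no 80 low
SSLv2 EXP-RC4-MD5 RSA export-512 512 varies 57 low
SSLv3 AES256-SHA RSA 1024 no 80 low
SSLv3 EXP1024-RC4-SHA RSA export-1024 1024 varies 80 low
TLSv1 AES256-SHA RSA 1024 no 80 low
TLSv1 EXP1024-RC4-SHA RSA export-1024 1024 varies 80 low
TLSv1.2 DHE-RSA-AES128-GCM-SHA256 DH 2048 yes 112 low
TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 ECDH P-256 256 yes 128 low
"""

if __name__ == "__main__":
    for a in map(assess, parse_results(SAMPLE_RESULTS)):
        flag = "WEAK" if a["weak_kex"] else "ok  "
        print(f"{flag} {a['protocol']:<8} {a['cipher']:<34} "
              f"{a['security_bits']:>3} bits  {'; '.join(a['reasons'])}")
```

Paste another phone's RESULTS block into SAMPLE_RESULTS to get the same verdicts; all six T38G rows fail because every key exchange is RSA at 1024 bits or less, regardless of which SSL/TLS version carries it, so the fix on the phone side is a larger server key (and, ideally, an (EC)DHE suite on TLS 1.2), not merely disabling one version.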