Vulnerability (Sweet32)

Lilpombo (Junior Member)
Post: #1
Hello, guys!

We did some vulnerability scans in our environment and found a vulnerability called "SWEET32" on some Yealink phones. I've updated the firmware to the last version and nothing ...

Has anyone been through this? Can you guys help me? What can I do to solve this?
04-13-2022 02:39 AM

complex1 (3CX Adv. Cert. Engineer)
Post: #2
Hi,

Do not use DES, 3DES, IDEA or RC2 as the symmetric encryption cipher; upgrade the firmware or replace the phones with newer ones.

Kind regards,
Frank.

I am not an employee of Yealink.
Dutch is my native language, not English. Apologies for my imperfect grammar.
Please do not send unsolicited PM messages. I will not answer them.
04-13-2022 04:08 PM

Lilpombo (Junior Member)
Post: #3
Hi, thank you very much for the reply.

The firmware is already updated. I'm trying to add a line to the cfg file of the phone. See:

sip.tls_cipher_list = AES:!ADH:!LOW:!EXPORT:!NULL
security.tls_cipher_list = AES:!ADH:!LOW:!EXPORT:!NULL
static.security.default_ssl_method = 5


I found in this forum someone with a similar problem... He made this alteration and solved the problem. But my new problem is: Import of local config files has no effect

I export a local config file (CFG File, I chose Local in the dropdown) via the phone's web interface
I edit the file
I import the file (same filename as before)
I OK the prompt that the phone should import the new file
the phone is busy and rebooting
none of the changes I made take effect (I re-export the local config file and it hasn't changed)


To me it looks like the import feature is not working for CFG files.

Any ideas? Anybody successfully used this feature?
04-19-2022 10:35 PM
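
The cipher list posted above and the algorithms named in post #2, as an added example that is not part of the original thread: this Python sketch expands a cipher string with the local OpenSSL build, flags any 64-bit block ciphers (the SWEET32 condition), and checks whether a device completes a TLS handshake when only 3DES is offered. The function names, the marker list and the sample suite names are assumptions made for illustration.

```python
import socket
import ssl

# Name fragments of the 64-bit block ciphers listed in the reply above,
# covering OpenSSL ("DES-CBC3-SHA") and IANA ("..._3DES_EDE_CBC_SHA") names.
WEAK_MARKERS = ("3DES", "DES-CBC", "DES_CBC", "IDEA", "RC2")

def weak_suites(names):
    """Return the suite names that use a 64-bit block cipher."""
    return [n for n in names if any(m in n.upper() for m in WEAK_MARKERS)]

def expand(cipher_string):
    """Expand an OpenSSL cipher string using the local OpenSSL build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]

def accepts_3des(host, port=443, timeout=5):
    """True/False: handshake with only 3DES offered succeeded/failed.
    None: the local OpenSSL build cannot offer 3DES, so no verdict."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # phones usually present self-signed certs
    ctx.verify_mode = ssl.CERT_NONE   # this checks ciphers, not trust
    # TLS 1.3 suites are not governed by set_ciphers(); keep them out.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers("3DES")
    except ssl.SSLError:
        return None
    if not weak_suites(c["name"] for c in ctx.get_ciphers()):
        return None
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            with ctx.wrap_socket(sock):
                return True
        except (ssl.SSLError, ConnectionError):
            return False

if __name__ == "__main__":
    proposed = "AES:!ADH:!LOW:!EXPORT:!NULL"   # cipher list from the post
    print("64-bit block suites in proposed list:", weak_suites(expand(proposed)))
    # Constructed scanner output, for illustration only.
    reported = ["ECDHE-RSA-AES128-GCM-SHA256", "DES-CBC3-SHA", "AES256-SHA"]
    print("flagged in sample report:", weak_suites(reported))
```

A `None` from `accepts_3des` means the scanning host's OpenSSL was built without 3DES, so the result says nothing about the phone; a `False` can also mean the two sides share no protocol version.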

complex1 (3CX Adv. Cert. Engineer)
Post: #4
Hi,

Are you referring to the question regarding the W52P/W56P models in this post?
http://forum.yealink.com/forum/showthread.php?tid=45753

Kind regards,
Frank.

04-19-2022 11:28 PM

Lilpombo (Junior Member)
Post: #5
Yes :)
04-20-2022 12:31 AM

complex1 (3CX Adv. Cert. Engineer)
Post: #6
Hi,

I'm afraid that what you want to do is not possible with this model. This model is simply too old for this.

The below is not supported:
sip.tls_cipher_list = AES:!ADH:!LOW:!EXPORT:!NULL
security.tls_cipher_list = AES:!ADH:!LOW:!EXPORT:!NULL
static.security.default_ssl_method = 5

Kind regards,
Frank.

04-20-2022 02:30 AM

Lilpombo (Junior Member)
Post: #7
Hello, good morning!


Well, I'm replying to this question again because I need to buy some new phones... Can you send me Yealink telephone models that don't have weak cipher or Sweet32 vulnerabilities?

Some where I can disable the SSL cipher and enable TLS...
07-18-2022 08:58 PM

Lilpombo (Junior Member)
Post: #8
Hello!


I need to buy some new telephones... Can you send me Yealink telephone models that don't have weak cipher or Sweet32 vulnerabilities?
08-10-2022 10:10 PM

complex1 (3CX Adv. Cert. Engineer)
Post: #9
Hi,

Please contact your Yealink sales representative.

Kind regards,
Frank.

08-11-2022 03:08 AM