Developers: Yealink Network Technology
Technology: Video conferencing
Main article: Types and capabilities of modern video conferencing systems
2024: Fixing a vulnerability that allowed an attack on the internal network
Positive Technologies helped fix a dangerous vulnerability, BDU:2024-00482, in the Yealink Meeting Server video conferencing system. Positive Technologies announced this on January 31, 2024.
The vendor was notified of the threat as part of the responsible disclosure policy and issued a software update.
The experts of the PT SWARM team found that an intruder who had compromised a Yealink Meeting Server on the external perimeter could extend the attack into the internal network if the demilitarized zone was missing or poorly configured. After exploiting this flaw, the attacker would gain initial access to the corporate segment.
In mid-January, the number of vulnerable Yealink Meeting Server systems that allow an authorized attacker to penetrate the internal network was estimated by specialists from the Positive Technologies security expert center at 131. Most installations are in China (42%), Russia (26%), Poland (7%), Taiwan (4%), Germany (2%), Brazil (2%), Indonesia (2%).
The vulnerability is of the OS Command Injection (CWE-78) type and allows operating system commands to be executed. Using bugs of this kind, attackers can gain access to files, passwords, the operating system, or application source code, or completely compromise the web server. In 2023, Positive Technologies experts encountered vulnerabilities of this type in 5% of their security analysis and penetration testing engagements.
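To illustrate the CWE-78 class described above, here is an added example (not Yealink's code and not Positive Technologies' material; it does not reflect how the Yealink Meeting Server flaw actually works) showing a generic web-style handler that builds a shell command from user input, next to a hardened version. The hostname parameter, the `echo`-based command, and the constructed inputs are all assumptions chosen so the example runs offline on any POSIX system.

```python
import re
import subprocess

# Allow-list for a hostname parameter: letters, digits, dots and hyphens only.
# Anything else (spaces, ';', '|', '$', backticks, ...) is rejected up front.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def build_vulnerable_command(hostname: str) -> str:
    """Vulnerable pattern (CWE-78): user input is interpolated into a shell
    string. 'echo' stands in for whatever network tool a real handler calls."""
    return f"echo pinging {hostname}"


def run_vulnerable(hostname: str) -> str:
    """Runs the string through a shell, so metacharacters in 'hostname'
    are interpreted as shell syntax (assumed POSIX /bin/sh)."""
    result = subprocess.run(
        build_vulnerable_command(hostname),
        shell=True,
        capture_output=True,
        text=True,
    )
    return result.stdout


def run_argv_only(hostname: str) -> str:
    """Partial fix: pass an argument vector with shell=False. The value is
    handed to 'echo' as a single argument, so no second command can run."""
    result = subprocess.run(
        ["echo", "pinging", hostname],
        shell=False,
        capture_output=True,
        text=True,
    )
    return result.stdout


def run_hardened(hostname: str) -> str:
    """Full fix: strict allow-list validation plus an argument vector.
    Rejected input is surfaced as an error the caller can log and alert on."""
    if not HOSTNAME_RE.fullmatch(hostname):
        raise ValueError(f"rejected hostname parameter: {hostname!r}")
    return run_argv_only(hostname)


def looks_like_injection(value: str) -> bool:
    """Detection helper for request logs: flags values carrying shell
    metacharacters, which a legitimate hostname never contains."""
    return any(ch in value for ch in ";|&$`\n(){}<>")


if __name__ == "__main__":
    benign = "example.com"                      # constructed input
    hostile = "example.com; echo INJECTED"      # constructed input

    print("vulnerable:", repr(run_vulnerable(hostile)))   # second command runs
    print("argv only: ", repr(run_argv_only(hostile)))    # printed literally
    print("hardened:  ", repr(run_hardened(benign)))
    try:
        run_hardened(hostile)
    except ValueError as exc:
        print("hardened rejected:", exc)
    print("flagged:", looks_like_injection(hostile))
```

The shell-string version executes the second command; the argument-vector version prints the whole value as a literal; the hardened version refuses it before any process is spawned, which is also the point at which a WAF rule or application log entry can be raised.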
Yealink has registered the vulnerability under the identifier YVD-2023-1257833. To eliminate the flaw, which received a score of 9.9 on the CVSS 3.0 scale, upgrade Yealink Meeting Server to version 26.0.0.66.