Vulnerabilites related to yealink - configuration_encryption_tool
Vulnerability from fkie_nvd
Published
2024-02-23 23:15
Modified
2025-03-25 18:15
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
An issue was discovered in Yealink Configuration Encrypt Tool (AES version) and Yealink Configuration Encrypt Tool (RSA version before 1.2). There is a single hardcoded key (used to encrypt provisioning documents) across customers' installations.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/gitaware/CVE/tree/main/CVE-2024-24681 | Third Party Advisory | |
| cve@mitre.org | https://seclists.org/fulldisclosure/2024/Feb/22 | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gitaware/CVE/tree/main/CVE-2024-24681 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://seclists.org/fulldisclosure/2024/Feb/22 | Mailing List |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| yealink | configuration_encryption_tool | * | |
| yealink | configuration_encryption_tool | - |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:yealink:configuration_encryption_tool:*:*:*:*:rsa:*:*:*", matchCriteriaId: "9036114A-94DC-4846-841D-5B33B0648D19", versionEndExcluding: "1.2", vulnerable: true, }, { criteria: "cpe:2.3:a:yealink:configuration_encryption_tool:-:*:*:*:aes:*:*:*", matchCriteriaId: "F6F45166-A35B-463E-B62F-37E7B0D69334", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "An issue was discovered in Yealink Configuration Encrypt Tool (AES version) and Yealink Configuration Encrypt Tool (RSA version before 1.2). There is a single hardcoded key (used to encrypt provisioning documents) across customers' installations.", }, { lang: "es", value: "Clave AES insegura en la herramienta de cifrado de configuración de Yealink inferior a la versión 1.2. Se filtró una única clave AES codificada en todo el proveedor en la herramienta de configuración utilizada para cifrar los documentos de aprovisionamiento, lo que comprometió la confidencialidad de los documentos de aprovisionamiento.", }, ], id: "CVE-2024-24681", lastModified: "2025-03-25T18:15:31.937", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }, published: "2024-02-23T23:15:09.687", references: [ { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://github.com/gitaware/CVE/tree/main/CVE-2024-24681", }, { source: "cve@mitre.org", tags: [ "Mailing List", ], url: "https://seclists.org/fulldisclosure/2024/Feb/22", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/gitaware/CVE/tree/main/CVE-2024-24681", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", ], url: "https://seclists.org/fulldisclosure/2024/Feb/22", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-798", }, ], source: "nvd@nist.gov", type: "Primary", }, { description: [ { lang: "en", value: "CWE-798", }, ], source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }
cve-2024-24681
Vulnerability from cvelistv5
Published
2024-02-23 00:00
Modified
2025-03-25 17:32
Severity ?
EPSS score ?
Summary
An issue was discovered in Yealink Configuration Encrypt Tool (AES version) and Yealink Configuration Encrypt Tool (RSA version before 1.2). There is a single hardcoded key (used to encrypt provisioning documents) across customers' installations.
References
{ containers: { adp: [ { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2024-24681", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-03-04T21:20:30.937842Z", version: "2.0.3", }, type: "ssvc", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-798", description: "CWE-798 Use of Hard-coded Credentials", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-03-25T17:32:39.675Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-01T23:28:11.066Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://github.com/gitaware/CVE/tree/main/CVE-2024-24681", }, { tags: [ "x_transferred", ], url: "https://seclists.org/fulldisclosure/2024/Feb/22", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "An issue was discovered in Yealink Configuration Encrypt Tool (AES version) and Yealink Configuration Encrypt Tool (RSA version before 1.2). There is a single hardcoded key (used to encrypt provisioning documents) across customers' installations.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2024-03-28T07:30:32.031Z", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { url: "https://github.com/gitaware/CVE/tree/main/CVE-2024-24681", }, { url: "https://seclists.org/fulldisclosure/2024/Feb/22", }, ], }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2024-24681", datePublished: "2024-02-23T00:00:00.000Z", dateReserved: "2024-01-26T00:00:00.000Z", dateUpdated: "2025-03-25T17:32:39.675Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }