ID

VAR-201406-0123


CVE

CVE-2014-3428


TITLE

Yealink VoIP Phone Firmware cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2014-002944

DESCRIPTION

Cross-site scripting (XSS) vulnerability in Yealink VoIP Phones with firmware 28.72.0.2 allows remote attackers to inject arbitrary web script or HTML via the model parameter to servlet. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. Yealink VoIP Phones firmware 28.72.0.2 and hardware 28.2.0.128.0.0.0 are vulnerable; other versions may also be affected. Yealink VoIP P are IP phone products of China YeaLink Company. The product supports caller avatar display, call recording and anonymous calling, etc.

I. ADVISORY

CVE-2014-3427 CRLF Injection in Yealink VoIP Phones
CVE-2014-3428 XSS vulnerabilities in Yealink VoIP Phones

Date published: 06/12/2014
Vendor Contacted: 05/08/2014

II. BACKGROUND

Yealink is a manufacturer of VoIP and Video products. To minimize noise read more at: http://www.yealink.com/Companyprofile.aspx

III. DESCRIPTION

There are CRLF Injection and XSS vulnerabilities in Yealink VoIP telephones.

Validated on
Firmware Version 28.72.0.2
Hardware Version 28.2.0.128.0.0.0

CRLF Injection (Header Splitting) proof of concept:

Request
GET /servlet?linepage=1&model=%0d%0a%20 ANYTHING I WANT GOES HERE &p=dsskey&q=load HTTP/1.1

In the above request, attackers can shove in code, webpages, etc. In my tests, I have used javascript, redirects, and even an entire web page shoved into the CRLF vulnerable inputs.

-----

The XSS vulnerability

GET /servlet?jumpto=dsskey&model=%22%20onmouseover%3dprompt%28 1337 %29%20badpuppy%3d%22&p=login&q=loginForm HTTP/1.1

Typical Cross Site Scripting.

IV. SOLUTION

Minimize accessibility to the phone's interface.

V. VENDOR CONTACT AND RESPONSE

05/08/2014 E-mailed security@yealink.com (bounced)
05/08/2014 Created an account on Yealink's forum and sent message (no response for weeks)
05/26/2014 Response via e-mail from Yealink
05/26/2014 Replied to vendor I would disclose in June
06/01/2014 Reached back out to vendor for update
06/08/2014 Reached back out to vendor for update
06/11/2014 Reached out one last time... Crickets
06/12/2014 Advisory

VI. TOOLS USED

Burpsuite, WVS, Firefox

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of real peace" - Dalai Lama

42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF

Trust: 2.07

sources: NVD: CVE-2014-3428 // JVNDB: JVNDB-2014-002944 // BID: 68023 // VULHUB: VHN-71368 // PACKETSTORM: 127081

AFFECTED PRODUCTS

vendor: yealink, model: voip phone, scope: eq, version: 28.72.0.2

Trust: 2.4

vendor: yealink, model: voip phone, scope: eq, version: 28.2.0.128.0.0.0

Trust: 1.8

vendor: yealink, model: hardware, scope: eq, version: 28.2.0.128.0.0.0

Trust: 0.3

vendor: yealink, model: yealink, scope: eq, version: 28.72.0.2

Trust: 0.3

sources: BID: 68023 // JVNDB: JVNDB-2014-002944 // CNNVD: CNNVD-201406-324 // NVD: CVE-2014-3428

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-3428
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-3428
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201406-324
value: MEDIUM

Trust: 0.6

VULHUB: VHN-71368
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-3428
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-71368
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-71368 // JVNDB: JVNDB-2014-002944 // CNNVD: CNNVD-201406-324 // NVD: CVE-2014-3428

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-71368 // JVNDB: JVNDB-2014-002944 // NVD: CVE-2014-3428

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201406-324

TYPE

xss

Trust: 0.7

sources: PACKETSTORM: 127081 // CNNVD: CNNVD-201406-324

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-002944

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-71368

PATCH

title: Top Page, url: http://www.yealink.com/index.aspx

Trust: 0.8

sources: JVNDB: JVNDB-2014-002944

EXTERNAL IDS

db: NVD, id: CVE-2014-3428

Trust: 2.9

db: BID, id: 68023

Trust: 2.0

db: PACKETSTORM, id: 127081

Trust: 1.2

db: JVNDB, id: JVNDB-2014-002944

Trust: 0.8

db: CNNVD, id: CNNVD-201406-324

Trust: 0.7

db: VULHUB, id: VHN-71368

Trust: 0.1

sources: VULHUB: VHN-71368 // BID: 68023 // JVNDB: JVNDB-2014-002944 // PACKETSTORM: 127081 // CNNVD: CNNVD-201406-324 // NVD: CVE-2014-3428

REFERENCES

url:http://www.securityfocus.com/bid/68023

Trust: 1.7

url:http://www.securityfocus.com/archive/1/archive/1/532410/100/0/threaded

Trust: 1.4

url:http://www.securityfocus.com/archive/1/532410/100/0/threaded

Trust: 1.1

url:http://seclists.org/fulldisclosure/2014/jun/74

Trust: 1.1

url:http://packetstormsecurity.com/files/127081/yealink-voip-phones-xss-crlf-injection.html

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3428

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-3428

Trust: 0.8

url:www.yealink.com

Trust: 0.3

url:http://www.yealink.com/companyprofile.aspx

Trust: 0.1

url:http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2bf7d83f210a95af

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-3428

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-3427

Trust: 0.1

sources: VULHUB: VHN-71368 // BID: 68023 // JVNDB: JVNDB-2014-002944 // PACKETSTORM: 127081 // CNNVD: CNNVD-201406-324 // NVD: CVE-2014-3428

CREDITS

Jesus Oquendo

Trust: 0.4

sources: BID: 68023 // PACKETSTORM: 127081

SOURCES

db: VULHUB, id: VHN-71368
db: BID, id: 68023
db: JVNDB, id: JVNDB-2014-002944
db: PACKETSTORM, id: 127081
db: CNNVD, id: CNNVD-201406-324
db: NVD, id: CVE-2014-3428

LAST UPDATE DATE

2024-11-23T22:59:40.337000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-71368, date: 2018-10-09T00:00:00
db: BID, id: 68023, date: 2014-06-12T00:00:00
db: JVNDB, id: JVNDB-2014-002944, date: 2014-06-18T00:00:00
db: CNNVD, id: CNNVD-201406-324, date: 2014-06-17T00:00:00
db: NVD, id: CVE-2014-3428, date: 2024-11-21T02:08:04.537

SOURCES RELEASE DATE

db: VULHUB, id: VHN-71368, date: 2014-06-16T00:00:00
db: BID, id: 68023, date: 2014-06-12T00:00:00
db: JVNDB, id: JVNDB-2014-002944, date: 2014-06-18T00:00:00
db: PACKETSTORM, id: 127081, date: 2014-06-13T00:12:49
db: CNNVD, id: CNNVD-201406-324, date: 2014-06-17T00:00:00
db: NVD, id: CVE-2014-3428, date: 2014-06-16T18:55:09.010