    Yealink Device Management Platform - Stores User Credentials in Plain-Text

Category: IT Discussion
Tags: yealink, security blunder, local, on-premise, security, password, privacy, hell no, ffs
15 Posts, 3 Posters, 2.2k Views
JaredBusch:

      Every SIP device on the planet sends unencrypted credentials by default.

JaredBusch:

Every SIP device on the planet that uses TFTP/HTTP/HTTPS provisioning stores everything in raw text.

JaredBusch:

          Here is a Snom PA1 config file.

[image: screenshot of a Snom PA1 configuration file]

DustinB3403 (replying to JaredBusch):

@jaredbusch I assume you have a recommendation? As it is, we can't use this system for deployment/administration.

JaredBusch (replying to DustinB3403):

              @dustinb3403 said in Yealink Device Management Platform - Stores User Credentials in Plain-Text:

@jaredbusch I assume you have a recommendation? As it is, we can't use this system for deployment/administration.

Why not? Don't react to perceived issues; articulate.

DustinB3403 (replying to JaredBusch):

@jaredbusch This is an issue, as having all of our users' credentials in one place is an issue.

                Policy is policy, that I have to follow.

JaredBusch (replying to DustinB3403):

                  @dustinb3403 said in Yealink Device Management Platform - Stores User Credentials in Plain-Text:

@jaredbusch This is an issue, as having all of our users' credentials in one place is an issue.

                  Policy is policy, that I have to follow.

                  Ask a valid question and I can attempt to give you answers. Ranting with no reasoning is not something I can help with.

                  Extensions are not users.

The configuration files stored on this provisioning server should not be there; this is the beginning of it all. The point of servers like this is typically only to redirect the phones to the PBX, which then holds the full configurations. The only config that should be on there is a high-level general config holding the PBX info.

                  I've been meaning to spin this up one of these days, just a low priority as I have no local network to any phones.

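As an added illustration of the split described in the post above (a provisioning server that only points phones at the PBX versus one that carries full account configs with SIP secrets), here is a small audit script. It is not from the thread, from Yealink, or from Snom; it scans provisioning files and flags any that embed a credential-bearing setting, so an administrator can confirm that a redirect server holds only redirect configs. The sample files and the setting names in them (account.1.password, user_pass, the auto-provision URL) are constructed approximations of the Yealink key=value and Snom XML styles, not a verified vendor schema.

```python
import re
from typing import Dict, List

# Constructed sample provisioning files, not real device configs.
# Key names approximate the Yealink (key = value) and Snom (XML) styles;
# they are assumptions for this example, not documentation of either vendor.
FULL_CONFIG = """\
#!version:1.0.0.1
account.1.enable = 1
account.1.label = Ext 101
account.1.auth_name = 101
account.1.password = hunter2
account.1.sip_server.1.address = pbx.example.internal
"""

# A "redirect only" file: tells the phone where the PBX/provisioning
# service lives and sets general options, but carries no SIP secret.
REDIRECT_ONLY = """\
#!version:1.0.0.1
static.auto_provision.server.url = https://pbx.example.internal/provision/
static.network.ntp_server = time.example.internal
"""

SNOM_XML = """\
<settings>
  <phone-settings>
    <user_name idx="1" perm="">pa1</user_name>
    <user_pass idx="1" perm="">s3cret</user_pass>
    <user_host idx="1" perm="">pbx.example.internal</user_host>
  </phone-settings>
</settings>
"""

# Setting names that carry a secret. Matching on the name rather than the value
# catches the file even when the value is a placeholder.
SECRET_NAME = re.compile(r"(password|passwd|user_pass|secret|auth_pass)", re.IGNORECASE)

# Yealink-style "key = value" lines and simple Snom-style XML elements.
KV_LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")
XML_ELEM = re.compile(r"<([A-Za-z0-9_]+)\b[^>]*>([^<]*)</\1>")


def find_secrets(text: str) -> List[str]:
    """Return the names of credential-bearing settings with a non-empty value."""
    hits: List[str] = []
    for line in text.splitlines():
        m = KV_LINE.match(line)
        if m and SECRET_NAME.search(m.group(1)) and m.group(2):
            hits.append(m.group(1))
    for name, value in XML_ELEM.findall(text):
        if SECRET_NAME.search(name) and value.strip():
            hits.append(name)
    return hits


def classify(text: str) -> str:
    """'embeds-credentials' if the file holds a SIP secret, else 'redirect-only'."""
    return "embeds-credentials" if find_secrets(text) else "redirect-only"


def audit(files: Dict[str, str]) -> Dict[str, str]:
    """Classify every provisioning file; anything 'embeds-credentials' on a
    redirect server is a finding to follow up on."""
    return {name: classify(body) for name, body in files.items()}


if __name__ == "__main__":
    sample = {"full.cfg": FULL_CONFIG, "redirect.cfg": REDIRECT_ONLY, "pa1.xml": SNOM_XML}
    for name, verdict in audit(sample).items():
        print(f"{name}: {verdict}")
```

In practice you would feed audit() the contents of the provisioning server's document root; any file classified as embeds-credentials is one that should live on the PBX (or be generated per phone over an authenticated channel) rather than on the redirect server.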
DustinB3403 (replying to JaredBusch):

                    @jaredbusch the issue is that the credentials are stored on the server, not pointing to a server where the credentials are stored.

                    If the phone has the credentials, it then provides those credentials for the server to cache them.

                    In your snom picture there, did you manually edit and provide the credentials or was the config file built by your PBX and stored locally?

JaredBusch (replying to DustinB3403):

                      @dustinb3403 said in Yealink Device Management Platform - Stores User Credentials in Plain-Text:

                      In your snom picture there, did you manually edit and provide the credentials or was the config file built by your PBX and stored locally?

It could be both. I happen to manually create the files for almost all clients, but the FreePBX commercial EPM creates the same file.

JaredBusch (replying to DustinB3403):

                        @dustinb3403 said in Yealink Device Management Platform - Stores User Credentials in Plain-Text:

                        If the phone has the credentials, it then provides those credentials for the server to cache them.

                        How is the phone supposed to get the credentials in the first place to send to the PBX to log in the extension? It gets it from the configuration file.

DustinB3403 (replying to JaredBusch):

                          @jaredbusch said in Yealink Device Management Platform - Stores User Credentials in Plain-Text:

                          @dustinb3403 said in Yealink Device Management Platform - Stores User Credentials in Plain-Text:

                          If the phone has the credentials, it then provides those credentials for the server to cache them.

                          How is the phone supposed to get the credentials in the first place to send to the PBX to log in the extension? It gets it from the configuration file.

That's a great question, and one that I specifically thought of first (we only have a handful of devices atm); the idea at the initial onset is to have people authenticate to the phones themselves so we never know their passwords.

1337 (replying to JaredBusch):

                            @jaredbusch said in Yealink Device Management Platform - Stores User Credentials in Plain-Text:

                            Here is a Snom PA1 config file.

Off-topic question for this thread, but do you have the Snom PA1 connected to an external amplifier? If that is the case, may I ask how you connected it?

DustinB3403:

So this has been changed in their newest release 2.0.0.25 (not sure if it's publicly available), and while the credentials are no longer in plain text, there are a few things you lose the ability to do.

Namely, to tell if any given user is logged into a device, and secondly to sign in/out as a user on any given device.

I've provided my feedback to Yealink and hope to hear back soon. Neither of the above two issues is a deal breaker, as the bigger goal is to be able to set configuration options, screensavers, time servers, etc. and have the user deal with the login.

                              Especially since the "Web Sign in" functionality is so simple, there is little reason to need the ability to sign in for a user.
