Positive Technologies finds vulnerability in Yealink Meeting Server; Yealink issues patch. Image courtesy: Positive Technologies
Dubai, UAE – Yealink has thanked Positive Technologies for discovering the critical vulnerability BDU:2024-00482 in its Yealink Meeting Server videoconferencing system. Yealink is the world's number-one VoIP provider and one of the five biggest online conferencing vendors. Its products are used in 140 countries. The vendor was notified of the flaw in line with the responsible disclosure policy and has released a software patch.
PT SWARM experts found that an adversary who had compromised a Yealink Meeting Server exposed at the external perimeter could pivot from it into the LAN if the server was not isolated in a properly configured demilitarized zone[1]. Exploiting the flaw gives the attacker command execution on the server, which then serves as the initial foothold in the corporate segment.
In mid-January, Positive Technologies' security expert center estimated that 131 Internet-exposed installations were vulnerable, each allowing an authenticated attacker to infiltrate the LAN. The countries with the largest share of installations are China (42%), Russia (26%), Poland (7%), Taiwan (4%), Germany (2%), Brazil (2%), and Indonesia (2%).
The vulnerability is categorized as OS Command Injection (CWE-78): untrusted input reaches an operating system command that the server executes, so an attacker can append commands of their own. Attackers leverage this class of flaw to read OS password files or application source code, or to completely compromise the web server. In 2023, Positive Technologies experts came across this type of vulnerability in 5% of their security analysis and penetration testing engagements.
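The pattern behind CWE-78, shown as an added example that is not Yealink's code and not the code path behind YVD-2023-1257833 (which this page does not describe): a hypothetical web handler takes a hostname parameter and hands it to an OS tool. The vulnerable version interpolates the parameter into a shell string; the hardened version allow-lists the value and executes with an argv list and no shell. `echo` stands in for whatever diagnostic utility the real handler would call, and the malicious input is a constructed sample.

```python
"""CWE-78 OS command injection: vulnerable handler beside its hardened form.

Constructed illustration, not Yealink Meeting Server code. The actual code
path behind YVD-2023-1257833 is not public on this page; the hypothetical
handler below takes a host parameter from a web request and passes it to an
OS command, which is the general shape of this vulnerability class.
"""
import re
import subprocess

# Constructed sample input, as it might arrive in an HTTP parameter: a shell
# metacharacter (';') terminates the intended command and starts another.
MALICIOUS_HOST = "203.0.113.10; echo INJECTED"
BENIGN_HOST = "203.0.113.10"

# Allow-list for a hostname / dotted-IP parameter (hypothetical policy).
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def lookup_vulnerable(host: str) -> str:
    """Vulnerable: the parameter is interpolated into a shell command line.

    shell=True hands the whole string to /bin/sh, so anything the shell
    treats specially (; | && $( ) ` etc.) in `host` becomes attacker code.
    """
    proc = subprocess.run(f"echo {host}", shell=True,
                          capture_output=True, text=True, check=False)
    return proc.stdout


def lookup_argv_only(host: str) -> str:
    """First fix: argv list, shell=False. No shell parses the value, so the
    metacharacters are passed to the program as a literal argument."""
    proc = subprocess.run(["echo", host], shell=False,
                          capture_output=True, text=True, check=False)
    return proc.stdout


def validate_host(host: str) -> str:
    """Second layer: reject anything that is not a plausible host value, so
    an unexpected argument never reaches the tool at all (an argv list stops
    shell injection, but the called program may still misinterpret '-x'
    style values as options)."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"invalid host parameter: {host!r}")
    return host


def lookup_hardened(host: str) -> str:
    """Hardened handler: allow-list validation, then argv execution."""
    return lookup_argv_only(validate_host(host))


if __name__ == "__main__":
    # Vulnerable: two lines of output, the second produced by the injected command.
    print("vulnerable:", lookup_vulnerable(MALICIOUS_HOST).splitlines())
    # argv only: the whole malicious string is echoed back as one literal.
    print("argv only :", lookup_argv_only(MALICIOUS_HOST).splitlines())
    # Hardened: malicious value is rejected before any process is spawned.
    try:
        lookup_hardened(MALICIOUS_HOST)
    except ValueError as exc:
        print("hardened  : rejected ->", exc)
    print("hardened  :", lookup_hardened(BENIGN_HOST).splitlines())
```

The argv-list fix alone is what closes the CWE-78 hole; the allow-list is defence in depth against the called program itself misreading the value. Neither replaces the vendor patch on an affected server.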
Yealink registered the vulnerability as YVD-2023-1257833. To remediate the flaw, which received a CVSS 3.0 score of 9.9, Yealink Meeting Server has to be updated to version 26.0.0.66.
An attempt to exploit YVD-2023-1257833 can be detected with PT Network Attack Discovery, a network traffic analysis (NTA) system, which already contains the necessary rules.
Exploitation attempts against OS Command Injection vulnerabilities can be detected and blocked by web application firewalls, such as PT Application Firewall or its cloud-based version, PT Cloud Application Firewall. MaxPatrol VM is another tool that detects infrastructure flaws. To lower the risks, we recommend using EDR security tools, such as MaxPatrol EDR. This solution helps to detect malicious activity, alerts the SIEM system, and prevents the adversary from carrying on the attack. These controls reduce exposure while the patch is rolled out; they do not replace updating affected servers to the fixed version.
Earlier, in 2021, Positive Technologies experts found vulnerabilities in Zoom: malicious actors could intercept any data from private videoconferences and attack corporate subscribers' infrastructures.
About Positive Technologies
Positive Technologies is an industry leader in result-driven cybersecurity and a major global provider of information security solutions. Our mission is to safeguard businesses and entire industries against cyberattacks and non-tolerable damage. Over 3,300 organizations worldwide use technologies and services developed by our company. Positive Technologies is the first and only cybersecurity company in Russia to have gone public on the Moscow Exchange (MOEX: POSI), with 170,000 shareholders and counting. Follow us in the News section at ptsecurity.com.
Media Contact:
Ziad Baig
ziad@activedmc.com
[1] A segment of the LAN accessible from the Internet and isolated from other resources.