CVE-2024-33109

Directory Traversal in Ergophone/Tiptel IP 286 and Yealink SIP-T28P IP Phones

CVE ID
CVE-2024-33109
CVE Link
https://nvd.nist.gov/vuln/detail/CVE-2024-33109
Vendor
Ergophone/Tiptel and Yealink
Affected Product & Version
Ergophone/Tiptel IP 286 and Yealink SIP-T28P <= 2.61.13.10
Vulnerability Type
CWE-23: Relative Path Traversal
CVSS Base Score / CVSS Vector

NVD: Awaiting Analysis
BDO: 9.9 Critical / CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Author
Nico Pieplow
Date
2024-09-19

CVE Details

Description:

A relative path traversal vulnerability (CWE-23) in the web interface of the Tiptel IP 286 telephone with firmware version 2.61.13.10 (the same firmware version is listed as affected on the Yealink SIP-T28P above) allows an authenticated attacker to overwrite arbitrary files on the phone via the ringtone upload function: the file name supplied with the upload is not confined to the ringtone directory, so relative path segments such as "../" place the uploaded content anywhere on the writable filesystem. This enables manipulation of configuration files, for example in the /etc directory, and can be exploited to gain root access to the underlying Linux system via Telnet.
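The following is an added example, not code from the advisory or from the phone firmware, that contrasts the vulnerable join pattern described above with a hardened upload handler. The ringtone directory (/tmp/ringtones), the accepted file type (.wav) and the attacker file name are assumptions for illustration; the advisory does not state the paths the IP 286 / SIP-T28P firmware actually uses.

```python
import posixpath

# Hypothetical ringtone directory on the phone's Linux filesystem. The real
# path used by the Tiptel IP 286 / Yealink SIP-T28P firmware is not stated in
# the advisory; it is an assumption for this example.
RINGTONE_DIR = "/tmp/ringtones"
ALLOWED_SUFFIXES = (".wav",)


def unsafe_ringtone_path(filename: str) -> str:
    """Vulnerable pattern (CWE-23): the client-supplied file name is joined onto
    the upload directory as-is, so "../" segments walk out of RINGTONE_DIR."""
    return posixpath.normpath(posixpath.join(RINGTONE_DIR, filename))


def check_upload_name(filename: str) -> bool:
    """Return True only for a bare file name the ringtone handler should accept.

    Rejects any directory component (including "../"), the special names "."
    and "..", embedded NUL bytes (which would truncate the path in C code), and
    anything that is not a ringtone file type.
    """
    if not filename or "\x00" in filename:
        return False
    if "/" in filename or filename in (".", ".."):
        return False
    return filename.lower().endswith(ALLOWED_SUFFIXES)


def safe_ringtone_path(filename: str) -> str:
    """Hardened variant: validate the name, then confirm the normalised result
    is still inside RINGTONE_DIR before returning it."""
    if not check_upload_name(filename):
        raise ValueError(f"rejected ringtone file name: {filename!r}")
    candidate = posixpath.normpath(posixpath.join(RINGTONE_DIR, filename))
    # Containment check as a second line of defence: the longest common path of
    # the directory and the candidate must be the directory itself.
    if posixpath.commonpath([RINGTONE_DIR, candidate]) != RINGTONE_DIR:
        raise ValueError(f"path escapes ringtone directory: {candidate}")
    return candidate


if __name__ == "__main__":
    # Constructed attacker input: a file name that targets /etc, which is the
    # kind of overwrite the advisory describes.
    attack = "../../etc/inittab"
    print("vulnerable handler writes to:", unsafe_ringtone_path(attack))
    print("hardened handler accepts it?  ", check_upload_name(attack))
    print("hardened handler resolves bell.wav to:", safe_ringtone_path("bell.wav"))
```

Rejecting any name that contains a separator, rather than stripping it down to its last component, is deliberate: a silently sanitised name hides the attack attempt, whereas a rejection can be logged and alerted on. The containment check after normalisation is redundant with the name check but costs nothing and survives later changes to the validation rules.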

Remediation:

As the phone model has been end of life for more than five years, the manufacturer no longer provides software fixes; the phone should therefore be replaced by a modern device that is still under support. As a temporary workaround, ensure that Telnet is disabled in the phone's settings and that the web interface is protected with a reasonably strong administrator password, so that nobody without that password can reach the ringtone upload function or Telnet. This only raises the bar for the authenticated attacker assumed by the CVSS vector (PR:L); it does not remove the traversal itself.

References:


Timeline

2024-04-11: Vulnerability reported to Tiptel – no response from the vendor

2024-05-08: Attempt to contact the vendor again – no response from the vendor

2024-09-19: CVE published