Yealink phones through 2019-08-04 have an issue with OpenVPN file upload. They execute tar as root to extract files, but do not validate the extraction directory. Creating a tar file with ../../../../ allows replacement of almost any file on a phone. This leads to password replacement and arbitrary code execution as root.
Vulnerable Product |
---|
yeahlink vp59_firmware |
yeahlink t49g_firmware |
yeahlink t58v_firmware |