Back to search
CVE-2019-14657
Published: Oct 8, 2019
Modified: Aug 5, 2024
PUBLISHED
Description
Yealink phones through 2019-08-04 have an issue with OpenVPN file upload. They execute tar as root to extract files, but do not validate the extraction directory. Creating a tar file with ../../../../ allows replacement of almost any file on a phone. This leads to password replacement and arbitrary code execution as root.
| Vendor | Product | Versions |
|---|---|---|
n/a | n/a | affected n/a |
References
http://cerebusforensics.com/yealink/exploit.html
x_refsource_MISC
https://sway.office.com/3pCb559LYVuT0eig
x_refsource_MISC
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now