Yealink Device Management Platform - Stores User Credentials in Plain-Text
-
Security Blunder 101 - Don't store credentials in plain-text, EVER.
I got around to setting up an on-premise Yealink Device Management Platform - should make deploying devices much easier, right?! You'd think this would be an easy thing.
The install goes through and sets up a MariaDB server (without securing this either with a database password) to start things off.
You'd think that would be enough, but all of the user credentials are stored in plain-text.
Just go to /usr/local/yealink/dm_data/cfg/account, run an ls, and you'll see any devices and account details there. Looking in any *_bind.cfg file you see the username and password in plain-text!! FML...
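As an added example (not Yealink's code and not something posted in this thread): a small audit script that walks the directory named above, flags entries in *_bind.cfg files whose keys look like SIP credentials, and reports file and key with the value masked, so the exposure can be confirmed and tracked without copying the secrets anywhere. It assumes the files are plain "key = value" text (an assumption about the format); the sample file is constructed.

```python
"""Audit a provisioning-config directory for plaintext credential keys.

Added example, not Yealink's code. Assumes the *_bind.cfg files under
/usr/local/yealink/dm_data/cfg/account are simple 'key = value' text
(an assumption; adjust LINE if the real format differs). Findings name
the file and key only; the secret itself is masked.
"""
import re
from pathlib import Path

# Keys that commonly carry SIP account secrets in phone provisioning files.
CREDENTIAL_KEY = re.compile(r"(password|passwd|secret|auth_?name|user_?name)", re.I)
# One 'key = value' line; comment lines starting with '#' never match.
LINE = re.compile(r"^\s*([^#=\s]+)\s*=\s*(.*?)\s*$")


def mask(value: str) -> str:
    """Hide a secret while keeping enough to confirm it was non-empty."""
    return "<empty>" if not value else f"{value[0]}***({len(value)} chars)"


def scan_text(text: str):
    """Return (key, masked_value) for every credential-looking key with a value."""
    findings = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m and CREDENTIAL_KEY.search(m.group(1)) and m.group(2):
            findings.append((m.group(1), mask(m.group(2))))
    return findings


def scan_dir(root: str, pattern: str = "*_bind.cfg"):
    """Map each matching file under root to its plaintext-credential findings."""
    report = {}
    base = Path(root)
    if not base.is_dir():          # missing directory: nothing to report
        return report
    for path in base.rglob(pattern):
        hits = scan_text(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample mirroring the layout described in the post (not a real capture).
SAMPLE_BIND_CFG = """\
#!version:1.0.0.1
account.1.enable = 1
account.1.label = Ext 201
account.1.user_name = 201
account.1.password = s3cretPW
account.1.sip_server.1.address = pbx.example.internal
"""

if __name__ == "__main__":
    for key, masked in scan_text(SAMPLE_BIND_CFG):
        print(f"plaintext credential: {key} = {masked}")
    for file, hits in scan_dir("/usr/local/yealink/dm_data/cfg/account").items():
        print(file, [k for k, _ in hits])
```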
-
So in watching
netstat -nputwc
no traffic is connecting to the outside world from what I'm seeing. And this is an on-premise system. But this is still unusable; no one can have all user credentials stored on a server in plain-text...
-
Every SIP device on the planet sends unencrypted credentials by default.
-
Every SIP device on the planet, that uses tftp/http/https provisioning stores everything in raw text.
-
Here is a Snom PA1 config file.
-
@jaredbusch I assume you have a recommendation? As this is, we can't use this system for deployment/administration.
-
@dustinb3403 said in Yealink Device Management Platform - Stores User Credentials in Plain-Text:
@jaredbusch I assume you have a recommendation? As this is, we can't use this system for deployment/administration.
Why not? Don't react to perceived issues; articulate.
-
@jaredbusch This is an issue, as having all of our users' credentials in one place is an issue.
Policy is policy, that I have to follow.
-
@dustinb3403 said in Yealink Device Management Platform - Stores User Credentials in Plain-Text:
@jaredbusch This is an issue, as having all of our users' credentials in one place is an issue.
Policy is policy, that I have to follow.
Ask a valid question and I can attempt to give you answers. Ranting with no reasoning is not something I can help with.
Extensions are not users.
The configuration files stored on this provisioning server should not be; this is the beginning of it all. The point of a server like this is typically only to redirect the phones to the PBX, which then holds the full configurations. The only config that should be on there is a high-level general config holding the PBX info.
I've been meaning to spin this up one of these days, just a low priority as I have no local network to any phones.
-
@jaredbusch the issue is that the credentials are stored on the server, not pointing to a server where the credentials are stored.
If the phone has the credentials, it then provides those credentials for the server to cache them.
In your Snom picture there, did you manually edit and provide the credentials, or was the config file built by your PBX and stored locally?
-
@dustinb3403 said in Yealink Device Management Platform - Stores User Credentials in Plain-Text:
In your Snom picture there, did you manually edit and provide the credentials, or was the config file built by your PBX and stored locally?
It could be both. I happen to manually create the files for almost all clients, but the FreePBX commercial EPM creates the same file.
-
@dustinb3403 said in Yealink Device Management Platform - Stores User Credentials in Plain-Text:
If the phone has the credentials, it then provides those credentials for the server to cache them.
How is the phone supposed to get the credentials in the first place to send to the PBX to log in the extension? It gets it from the configuration file.
-
@jaredbusch said in Yealink Device Management Platform - Stores User Credentials in Plain-Text:
@dustinb3403 said in Yealink Device Management Platform - Stores User Credentials in Plain-Text:
If the phone has the credentials, it then provides those credentials for the server to cache them.
How is the phone supposed to get the credentials in the first place to send to the PBX to log in the extension? It gets it from the configuration file.
That's a great question, and one that I specifically thought of first (we only have a handful of devices atm); the idea at the initial onset is to have people authenticate to the phones themselves so we never know their passwords.
-
@jaredbusch said in Yealink Device Management Platform - Stores User Credentials in Plain-Text:
Here is a Snom PA1 config file.
Off-topic question for this thread, but do you have the Snom PA1 connected to an external amplifier? If that is the case, may I ask how you connected it?
-
So this has been changed in their newest release 2.0.0.25 (not sure if it's publicly available), and while the credentials are no longer in plain-text, there are a few things you lose the ability to do.
Namely, to tell if any given user is logged into a device, and secondly, to sign in/out as a user on any given device.
I've provided my feedback to Yealink and hope to hear back soon. Neither of the above 2 issues is a deal breaker, as the bigger goal is to be able to set configuration options, screensavers, time servers etc. and have the user deal with the login.
Especially since the "Web Sign in" functionality is so simple, there is little reason to need the ability to sign in for a user.