SSL Certificate Cannot Be Trusted on Soundstation IP 6000

Anonymous · ‎01-28-2020

Hi Polycom Community Team,

We have a vulnerability observed by our security team for the Polycom phones and the model impacted is Polycom IP Soundstation 6000 phone. We do not use the SSL/TLS capacbility as this is not supported by the PBX so want to know how we can disable this certificate or mitigate this vulnerability.

Firmware version is the latest.

UC Software Version

4.0.14.1580

SteffenBaierUK · ‎01-29-2020

Hello @Tejas ,

Welcome to the Poly Community.

I am not fully sure what you mean by this?

Is this in regards of browsing to the Web UI of the Phone and the browser displaying the error?

If yes this is completely normal as the phone contains a self-signed certificate which we add in the factory and obviously your browser does not trust. You can download the Polycom Root CA from http://pki.polycom.com/pki

You could maybe disable HTTPS using the attached. Simply download, unzip and import using the Web Interface:

Utilities > Import & Export Configuration > Import Configuration

If this is no it there is to my knowledge no way to disable TLS SIP signalling. You can only change the TLS versions via the Web UI:

Settings > Network > TLS > TLS Applications

in order to change the minimum version.

Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

------------------------------------------------
Notice: I am an HP Poly employee but all replies within the community are done as a volunteer outside of my day role. This community forum is not an official HP Poly support resource, thus responses from HP Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge.
If you need immediate and/or official assistance for former Poly\Plantronics\Polycom please open a service ticket through your support channels
For HP products please check HP Support.

Please also ensure you always check the General VoIP , Video Endpoint , UC Platform (Microsoft) , PSTN

Anonymous · ‎02-06-2020

I have exported the configuration to the Phone and waiting for a reply from the Security Team if the scan does not find the SSL certificate vulnerability anymore. ANd yes this vulnerability was observed for the admin access that we take using the admin mode to do changes on the device and there is no option to disable particular SSL versions and TLS are already on the latest ones i.e 1.2 enabled.

And normally how is the admin password stored in this polycom devices. Is it # based,clear text or ?

SteffenBaierUK · ‎02-07-2020

Hello @Tejas

its not in clear text.

Best Regards

Steffen Baier

------------------------------------------------
Notice: I am an HP Poly employee but all replies within the community are done as a volunteer outside of my day role. This community forum is not an official HP Poly support resource, thus responses from HP Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge.
If you need immediate and/or official assistance for former Poly\Plantronics\Polycom please open a service ticket through your support channels
For HP products please check HP Support.

Please also ensure you always check the General VoIP , Video Endpoint , UC Platform (Microsoft) , PSTN

Anonymous · ‎02-14-2020

HI,

We have our own internal CA and would require now the steps to create the CSR and upload this new generated certificate instead of the Polycom devices Certificates as we are observing an SSL X.509 certificate vulnerability on all Polycom devices and to mitigate the same we need to update the certificate.

Vulnerability Details :

Plugin ID : 51192

Description :SSL Certificate Cannot Be Trusted

Port : 443

First Discovered On : Dec 14, 2019 13:20:26 CET

Description Detailed:

The server's X.509 certificate cannot be trusted. This situation can occur in three different ways, in which the chain of trust can be broken, as stated below : - First, the top of the certificate chain sent by the server might not be descended from a known public certificate authority. This can occur either when the top of the chain is an unrecognized, self-signed certificate, or when intermediate certificates are missing that would connect the top of the certificate chain to a known public certificate authority. - Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can occur either when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the certificate's 'notAfter' dates. - Third, the certificate chain may contain a signature that either didn't match the certificate's information or could not be verified. Bad signatures can be fixed by getting the certificate with the bad signature to be re-signed by its issuer. Signatures that could not be verified are the result of the certificate's issuer using a signing algorithm that Nessus either does not support or does not recognize.If the remote host is a public host in production, any break in the chain makes it more difficult for users to verify the authenticity and identity of the web server. This could make it easier to carry out man-in-the-middle attacks against the remote host.

Solution : Purchase or generate a proper certificate for this service.

Anonymous · ‎02-24-2020

Hi All,

Any support to get the new SSL certificate generated for these polycom devices so that we can change to https use only instead of http to resolve this vulnerability.

Create an account on the HP Community to personalize your profile and ask a question