SSL Certificate Cannot Be Trusted on Soundstation IP 6000


01-28-2020 10:37 PM
Hi Polycom Community Team,
We have a vulnerability observed by our security team for the Polycom phones, and the model impacted is the Polycom IP Soundstation 6000 phone. We do not use the SSL/TLS capability as this is not supported by the PBX, so we want to know how we can disable this certificate or mitigate this vulnerability.
Firmware version is the latest.
UC Software Version: 4.0.14.1580
01-29-2020 03:38 AM
Hello @Tejas ,
Welcome to the Poly Community.
I am not fully sure what you mean by this?
Is this in regard to browsing to the Web UI of the Phone and the browser displaying the error?
If yes, this is completely normal, as the phone contains a self-signed certificate which we add in the factory and which obviously your browser does not trust. You can download the Polycom Root CA from http://pki.polycom.com/pki
You could maybe disable HTTPS using the attached. Simply download, unzip and import using the Web Interface:
- Utilities > Import & Export Configuration > Import Configuration
If this is not it, there is to my knowledge no way to disable TLS SIP signalling. You can only change the TLS versions via the Web UI:
- Settings > Network > TLS > TLS Applications
in order to change the minimum version.
Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.
Best Regards
Steffen Baier
Notice: I am an HP Poly employee but all replies within the community are done as a volunteer outside of my day role. This community forum is not an official HP Poly support resource, thus responses from HP Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge.
If you need immediate and/or official assistance for former Poly\Plantronics\Polycom please open a service ticket through your support channels
For HP products please check HP Support.
Please also ensure you always check the General VoIP , Video Endpoint , UC Platform (Microsoft) , PSTN

02-06-2020 10:29 PM
I have exported the configuration to the Phone and am waiting for a reply from the Security Team on whether the scan no longer finds the SSL certificate vulnerability. And yes, this vulnerability was observed for the admin access that we take using the admin mode to do changes on the device, and there is no option to disable particular SSL versions, and TLS is already on the latest one, i.e. 1.2 enabled.
And normally how is the admin password stored in these Polycom devices? Is it # based, clear text or ?
02-07-2020 12:58 AM
Hello @Tejas
It's not in clear text.
Best Regards
Steffen Baier

02-14-2020 01:55 AM
Hi,
We have our own internal CA and would require now the steps to create the CSR and upload this new generated certificate instead of the Polycom devices Certificates as we are observing an SSL X.509 certificate vulnerability on all Polycom devices and to mitigate the same we need to update the certificate.
Vulnerability Details :
Plugin ID : 51192
Description : SSL Certificate Cannot Be Trusted
Port : 443
First Discovered On : Dec 14, 2019 13:20:26 CET
Description Detailed:
The server's X.509 certificate cannot be trusted. This situation can occur in three different ways, in which the chain of trust can be broken, as stated below :
- First, the top of the certificate chain sent by the server might not be descended from a known public certificate authority. This can occur either when the top of the chain is an unrecognized, self-signed certificate, or when intermediate certificates are missing that would connect the top of the certificate chain to a known public certificate authority.
- Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can occur either when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the certificate's 'notAfter' dates.
- Third, the certificate chain may contain a signature that either didn't match the certificate's information or could not be verified. Bad signatures can be fixed by getting the certificate with the bad signature to be re-signed by its issuer. Signatures that could not be verified are the result of the certificate's issuer using a signing algorithm that Nessus either does not support or does not recognize.
If the remote host is a public host in production, any break in the chain makes it more difficult for users to verify the authenticity and identity of the web server. This could make it easier to carry out man-in-the-middle attacks against the remote host.
Solution : Purchase or generate a proper certificate for this service.
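The three chain-of-trust failures listed in the scanner text above, checked against an internal CA, as an added example that is not part of the thread and is not Poly's or the scanner's code. It uses Go's standard `crypto/x509` verifier rather than the scanner's own logic; the `Classify` and `issue` names, the certificate subjects and all certificates are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Classify validates leaf against the internal CA as of time `at` and names the failure.
func Classify(leaf, ca *x509.Certificate, at time.Time) string {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: at})
	switch {
	case err == nil:
		return "trusted"
	case at.Before(leaf.NotBefore) || at.After(leaf.NotAfter):
		return "outside-validity" // scan ran before notBefore or after notAfter
	case string(leaf.RawIssuer) == string(ca.RawSubject) && leaf.CheckSignatureFrom(ca) != nil:
		return "bad-signature" // names our CA as issuer, but the CA key did not sign it
	}
	return "untrusted: " + err.Error() // self-signed, or no path to the internal CA
}

// issue builds a constructed sample certificate; a nil parent means self-signed.
func issue(cn string, parent *x509.Certificate, signer ed25519.PrivateKey, days int) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: parent == nil, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, days)}
	if parent == nil {
		parent, signer = tpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above
	return cert, key
}

func main() {
	ca, caKey := issue("Internal CA (constructed)", nil, nil, 365)
	factory, _ := issue("factory self-signed (constructed)", nil, nil, 365)
	phone, _ := issue("phone.example.internal", ca, caKey, 30)
	fmt.Println(Classify(factory, ca, time.Now()), "|", Classify(phone, ca, time.Now()))
}
```

A certificate signed by the internal CA only verifies for clients that carry that CA in their trust store, so a scanner would need the internal CA added to its trusted list before the chain validates.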
