CVE-2016-1518

Name of the Vulnerable Software and Affected Versions Grandstream Wave app versions 1.0.1.26 and earlier Grandstream Video IP phones versions (affected versions not specified)

Description The issue concerns the auto-provisioning mechanism, which fails to use an HTTPS session for downloading configuration files from the "http://fm.grandstream.com/gs/" endpoint. This allows man-in-the-middle attackers to spoof provisioning data, modify device functionality, obtain sensitive information from system logs, and have other unspecified impacts.

Recommendations For Grandstream Wave app versions 1.0.1.26 and earlier, consider disabling the auto-provisioning mechanism until a patch is available. For Grandstream Video IP phones, at the moment, there is no information about a newer version that contains a fix for this vulnerability.