Accessibility Skip to content

Trio Devices - Incorrect Permission Assignment for Critical Resource

Vulnerability Summary

A weakness was identified in the Polycom Trio Bluetooth stack which could allow an attacker to use the Trio’s microphone to record sound remotely without authentication or notification of the user. 

 

Details

CVE 2018-14934 – Trio Incorrect Permission Assignment for Critical Resource
The Bluetooth subsystem on Polycom Trio devices with software before 5.5.4 has Incorrect Access Control. An attacker can connect without authentication and subsequently record audio from the device microphone. 

Poly released a firmware update to address this vulnerability.  There is no workaround.

Published

Last Update: 3/14/2022
Initial Public Release: 11/1/2018
Advisory ID:  PLYVC18-09

CVE ID: CVE-2018-14934
CVSS Score: 6.5
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Product Affected
PRODUCTS FIRMWARE FIX
Trio

Prior to UC Software 5.5.4

Poly UC Software 5.7.2
Solution

Poly recommends customers upgrade to firmware build 5.7.2 or later. 

 

Workaround

There is no workaround.

Contact

Any customer using an affected system who is concerned about this vulnerability within their deployment should contact Poly Technical Support(888) 248-4143, (916) 928-7561, or visit the Poly Support Site.

 

RECOGNITION

Poly would like to thank Phil Wilcox from Cyberis Ltd. for reporting security vulnerabilities to us and for their coordinated disclosure.

Revision History
VERSION DATE DESCRIPTION
1.0 11/1/2018 Initial Release
2.0 3/14/2022 Format Changes