Heartbleed OpenSSL

[bluewhite4]

I know not everyone on here is not a sole Mitel shop, so wanted to post this link to Cisco products affected by this issue.

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed

[ralph]

I haven't seen a Mitel advisory on this.   Is there one?

Ralph

[bluewhite4]

Don't know. Been looking for one myself.

Already tested against the latest version of MAS and it wasn't affected.

From what I've read, it would be Linux servers that haven't been patched/updated in the last few years.

[ralph]

How do you test it?

Ralph

[bluewhite4]

By putting in the outside URL of our MAS here"
http://filippo.io/Heartbleed/

[martyn]

Don't know. Been looking for one myself.

Already tested against the latest version of MAS and it wasn't affected.

From what I've read, it would be Linux servers that haven't been patched/updated in the last few years.

It is not just limited to those that have not been patched or updated. Even latest release of software are still vulnerable to it.

[martyn]

There is a security advisory available on MOL that covers off which products are vulnerable, which are not, and which are still being tested.

[ralph]

I wasn't able to find the bulletin.   Is there a bulletin number that I can search for?

Ralph

[sarond]

Hover over Support on MOL.
On the left is the link.

[acejavelin]

FYI to anyone without Mitel Online Access, here is the complete article as of the time of this posting...

OpenSSL Heartbleed Vulnerability

April 12, 2014

Summary
The Heartbleed bug is a vulnerability in a popular open-source implementation of the SSL/TLS protocol, called OpenSSL.  It may allow unauthenticated remote attackers on the Internet to read the memory of connected systems which use vulnerable versions of the OpenSSL library, which may compromise high value assets such as secret keys used to encrypt and decrypt private information. This could allow attackers, armed with these secret keys, to impersonate users and services, steal information or eavesdrop on communications.
 
This vulnerability is limited to specific versions of the OpenSSL library, that were made available after the bug was introduced in December 2011.  The bug is known as CVE-2014-0160.
 
Mitel is currently investigating its product portfolio to determine vulnerability on this issue.  This advisory will be updated on a regular basis, while we complete the investigation on the product portfolio.  The current status of the portfolio is as follows:
 
Products Not Vulnerable
The following products are confirmed to be not vulnerable:
Mitel Standard Linux, 10.0 and earlier
Mitel MiVoice Communications Director, 6.0 and earlier
Mitel Virtual MiVoice Communications Director, 6.0 and earlier
Mitel Multi-Instance Communications Director, 1.2.1.8 and earlier
Mitel MiVoice Office (Mitel 5000), 6.0 SP1 PR1 and earlier
Mitel MiVoice Border Gateway, 8.1 and earlier
Mitel MiVoice Enterprise Manager, 8.1 and earlier
Mitel MiVoice Call Accounting, all versions
Mitel MiVoice IP Phones 53xx, 5560, 5540, 5505, all versions
Mitel MiVoice 5603/5604/5607 IP DECT phones, all versions
Mitel MiVoice IP DECT Base Station, all versions
Mitel MiVoice 5624 WiFi Phone, all versions
Mitel MiVoice Digital Phones 8528, 8568, all versions
Mitel MiVoice Conference Unit (UC360), all versions
Mitel MiVoice Video Unit (UC360), all versions
Mitel MiCollab Server, all versions
Mitel MiCollab Mobile Client (Android), all versions
Mitel MiCollab (Web Portal), all versions
Mitel MiCollab (Unified Messaging), all versions
Mitel MiCollab (Speech Auto Attendant), all versions
Mitel MiCollab with Voice (vUCC), all versions
Mitel MiCollab (Audio, Web and Video Conferencing), all versions
Mitel MiContact Center Enterprise, all versions
Mitel MiContact Center Business, all versions
Mitel MiContact Center for Microsoft Lync, all versions
Mitel Mitel Virtualization Framework, all versions
Mitel Oria, all versions
Mitel ER Advisor, all versions
Mitel 3250, all versions
Oaisys Talkument/Navigator, all versions
Aastra MX-ONE Telephony System, 4.1 SPx
Aastra MX-ONE Telephony Server, 4.1 SPx
Aastra MX-ONE Manager Provisioning, 4.1 SPx
Aastra MX-ONE Manager Telephony System, 4.1 SPx
Aastra MX-ONE Telephony System, 5.0 SPx
Aastra MX-ONE Telephony Server, 5.0 SPx
Aastra MX-ONE Manager Provisioning, 5.0
Aastra MX-ONE Manager Telephony System, 5.0
Aastra 700 R2 - Aastra MX-ONE Telephony Server, 5.0 SPx
Aastra MX-ONE Manager Provisioning, 5.0
Aastra MX-ONE Manager Telephony System, 5.0
Aastra Telephony Switch (TSW), all versions
Aastra InAttend, 1.0 SP6 and earlier
Aastra CMG, 7.5 SP4 and earlier
Aastra BluStar Web, 8.0 and earlier
Aastra D.N.A. Application Suite, 5.6 and earlier
Aastra OneBox VoiceMail, 5.X
Aastra 6700i 6800i 9000i Series SIP Phones, 3.3.1 SP3 and earlier
Aastra Redirection and Configuration Service (RCS), 1.0.22
Aastra BluStar 8000i, 4.3.0-1096 and earlier
Aastra S850i (Revolabs OEM), 2.1.6
Aastra Solidus eCare 7.0 SP8, 7.0 SP8 and earlier
Aastra Solidus eCare 8.2 SP1, 8.2 SP1 and earlier
Aastra 400, all versions
Aastra 5300 series, all versions
Aastra 2380ip, all versions
Aastra A5000, 5.4 and earlier
Aastra AM7450, R2.3 and all service packs

Products Confirmed As Vulnerable
The following products are confirmed to be vulnerable.  Patch versions, if available, are specified.
Aastra AMCC, versions 10684.16.5 to 1064.18.3; hotfix for these versions or upgrade is available through Aastra support

Products under Investigation
We have not yet completed investigation on the following products:
Mitel MiVoice HTML Application
Mitel MiVoice for Lync
Mitel MiCollab Client (Desktop), 5.1 and higher
Mitel MiCollab Mobile Client (iOS), 5.1 and higher
Mitel MiContact Center Office, all versions
Mitel MiContact Center Outbound (Noetica), all versions
Mitel SX-200IP ICP
Aastra MX-ONE Telephony System, 4.1 SPx
Aastra MX-ONE Manager System Performance
Aastra MX-ONE Manager Availability (BMC Patrol), 4.1
Aastra MX-ONE Telephony System, 5.0 SPx
Aastra MX-ONE Manager System Performance
Aastra MX-ONE Manager Availability (BMC Patrol)
Aastra Opencom 100
Aastra Opencom 1000
Aastra A100
Aastra OIP