Mitel Forums - The Unofficial Source
Mitel Forums => Mitel Software Applications => Topic started by: 619Tech on September 25, 2014, 12:55:23 PM
-
Got a Teleworker customer inquiry asking about Mitel Standard Linux's vulnerability to this worm? Anybody know anything?
-
I haven't had time to test a MAS server yet but you can test it yourself.
Log into the server and type
env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
If it returns "busted stuff" it's vulnerable.
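The same one-line test wrapped in a reusable function, added here as an example and not code from the thread or from Mitel. It assumes a POSIX sh is available and that the shell binary to check is passed as an argument; the function reports whether the crafted variable's trailing command was executed.

```shell
#!/bin/sh
# Constructed example: runs the forum's Shellshock check against a given
# shell binary and reports "vulnerable", "patched" or "missing".
# Return codes: 0 = patched, 1 = vulnerable, 2 = binary not found.
shellshock_status() {
    shell="$1"
    [ -x "$shell" ] || { echo "missing"; return 2; }
    # The environment value is a function definition followed by a trailing
    # command. An unpatched bash executes "echo busted" while importing the
    # variable; a patched bash (or a non-bash /bin/sh) just runs "echo stuff".
    out=$(env X='() { :;} ; echo busted' "$shell" -c 'echo stuff' 2>/dev/null)
    case "$out" in
        *busted*) echo "vulnerable"; return 1 ;;
        *)        echo "patched";    return 0 ;;
    esac
}

# Stand-alone usage: check the shells typically present on a server.
for s in /bin/bash /bin/sh; do
    printf '%s: %s\n' "$s" "$(shellshock_status "$s")"
done
```

A "patched" result only covers the original CVE-2014-6271 pattern the thread tests; it does not by itself prove the later variants listed in the Mitel advisory are fixed.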
-
Can someone with MOL grab an official statement from Mitel concerning the vulnerability? Otherwise, how do I drop to the shell on a MAS/MBG to test?
Thanks
-
I think the official word from Mitel so far is "we're still testing".
-
Use PuTTY and log in with the root account; it's the same password as your admin account.
I just tested on my MAS 5.0.216 and it failed the test
[root@awc ~]# env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
busted
stuff
-
Thank you both for your help. It appears I am affected as well.
-
What ports in the firewalls need to be blocked?
Does Bash use 80, 443, 23, 21?
Ralph
-
Here is the Mitel reply to my ticket:
"We do have this vulnerability. But this isn't exploitable remotely. By default, MSL turn off the SSH connection to public network (and we also suggest that).
You could double check on your system, in Server-manager--Security--Remote access--secure shell setting, make sure we are not allowing public access. If so, we don't need worry about this by now.
Our design is also working on this to get it patched in next version."
-
Here is the Mitel reply to my ticket:
"We do have this vulnerability. But this isn't exploitable remotely. By default, MSL turn off the SSH connection to public network (and we also suggest that).
You could double check on your system, in Server-manager--Security--Remote access--secure shell setting, make sure we are not allowing public access. If so, we don't need worry about this by now.
Our design is also working on this to get it patched in next version."
Ralph, it could use any port for remote code execution; that's why this is going to be so ugly. Here are two writeups that are pretty good at explaining the whats and whys.
http://mashable.com/2014/09/26/what-is-shellshock/
http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
-
I suppose you could get the patched bash rpm from any centos repo and rpm -Uhv it.
-
Has anyone seen a Mitel released bulletin on ShellShock yet?
Ralph
-
Found it.
It's on MOL.
Mol/support/shell-shocked security advisory
The flaw involves improper processing of environment variables. In certain configurations, the ShellShock vulnerability may allow an unauthenticated remote attacker to execute malicious code on a targeted system. Of particular concern are services that receive a request via HTTP and use BASH to execute commands on the server. In some configurations, this vulnerability could be used to install malware on a server. Independent reports indicate that vulnerable systems are being targeted and compromised to be used in botnets.
I think this means we will have to block external access to systems via firewalls. That means any remote login such as UCA/YA/AWC etc.
Does anyone else view it that way?
Ralph
-
Here's an online testing tool.
http://shellshock.brandonpotter.com/
Ralph
-
#2014-1004-04
Remote Code Execution Vulnerability in BASH Interpreter
Oct 1, 2014
Background
The ShellShock bug is a group of serious vulnerabilities in the popular BASH shell interpreter. It is also widespread, existing in most Linux-based products. Since the initial vulnerability was first announced and patched, new aspects of the vulnerability have been discovered. These are being tracked as CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278.
The flaw involves improper processing of environment variables. In certain configurations, the ShellShock vulnerability may allow an unauthenticated remote attacker to execute malicious code on a targeted system. Of particular concern are services that receive a request via HTTP and use BASH to execute commands on the server. In some configurations, this vulnerability could be used to install malware on a server. Independent reports indicate that vulnerable systems are being targeted and compromised to be used in botnets.
Summary
Mitel is monitoring this dynamic situation very carefully. We are conducting a thorough investigation of its entire portfolio to ascertain which of our products may be susceptible. This security advisory will be updated as new information emerges and as our investigation progresses.
The following products may be vulnerable
Customers are advised to contact Mitel or Aastra support.
Mitel MiVoice Border Gateway
Mitel MiVoice Office (Mitel 5000)
Mitel Oria
Aastra MX-ONE Telephony System
Aastra MX-ONE Telephony Server
Aastra 5000 Call Manager
Aastra 5000 Compact
Aastra 5000 Gateway
Aastra 700
Aastra AM7450 Management Center
The following products are not vulnerable
Mitel 3250
Mitel ER Advisor
Mitel MiContact Center Business
Mitel MiContact Center Enterprise
Mitel MiContact Center for Microsoft Lync
Mitel MiContact Center Office
Mitel Virtualization Framework
Mitel MiVoice Business Dashboard
Mitel MiVoice Call Accounting
Mitel MiVoice Communications Director (3300)
Mitel MiVoice Conference Unit (UC360)
Mitel MiVoice Digital Phones 8528, 8568
Mitel MiVoice Enterprise Manager
Mitel MiVoice for Lync
Mitel MiVoice HTML Application
Mitel MiVoice IP Phones 53xx, 5560, 5540, 5505
Mitel MiVoice Video Unit (UC360)
Aastra MX-ONE Manager Provisioning
Aastra MX-ONE Manager Telephony System
Aastra MX-ONE Manager System Performance
Aastra MX-ONE Manager Availability
Aastra 2380ip
Aastra 400
Aastra 67XX & 68XX Series SIP Phones
Aastra 6700i 6800i 9000i Series SIP Phones
Aastra 74XXip (H323 terminal family)
Aastra 800 (also A800)
Aastra Alarmserver
Aastra BluStar Client
Aastra BluStar Server
Aastra Open Interfaces Platform
Aastra OpenCom 1000 family
Aastra OpenCom 100
Aastra OpenCom 130
Aastra OpenCom 150
Aastra OpenCom 510
Aastra OpenCom x320
Aastra SIP DECT
Aastra Open Mobility Manager (SIP DECT)
Aastra OpenMobility (RFP32/35/36/37/42/43)
Aastra OpenPhone 7x IP
Aastra TA7102a
Aastra TA7104a
The following products are under investigation
Mitel 5603/5604/5607/5624 Rack Charger (Ascom OEM)
Mitel 1000
Mitel 3000 Communications System
Mitel 5603/5604/5607 Programmer (Ascom OEM)
Mitel DECT Basestation (Ascom OEM)
Mitel MiCollab (Audio, Web and Video Conferencing)
Mitel MiCollab (Speech Auto Attendant)
Mitel MiCollab (Unified Messaging)
Mitel MiCollab (Web Portal)
Mitel MiCollab Client (Desktop)
Mitel MiCollab Mobile Client (Android)
Mitel MiCollab Mobile Client (iOS)
Mitel MiCollab Server
Mitel MiCollab with Voice (vUCC)
Mitel MiContact Center Outbound (Noetica)
Mitel MiContact Center Live (LiveOps)
Mitel MiVoice 5603/5604/5606/5607 IP DECT phones
Mitel MiVoice 5610 DECT Handset and IP DECT Stand
Mitel MiVoice 5624 WiFi Phone
Mitel MiVoice Communications Director (Stratus)
Mitel MXE Server
Mitel MiVoice Communications Director (ISS)
Mitel MiVoice IP DECT Base Station
Mitel Multi-Instance Communications Director
Mitel Standard Linux
Mitel SX-200IP ICP
Mitel Virtual MiVoice Communications Director
Mitel WSM, WSM-3 (Ascom OEM)
Aastra 340w and 342w
Aastra 5300 series
Aastra A1023i
Aastra AMCC (Aastra Mobile Clients & Controller)
Aastra BluStar 8000i
Aastra BluStar Web
Aastra Clearspan (Acme Packet Core SBC)
Aastra Clearspan (AudioCodes eSBC / Gateway)
Aastra Clearspan (Broadworks Platform)
Aastra Clearspan (Edgewater eSBC)
Aastra Centergy Virtual Contact Center
Aastra CMG
Aastra D.N.A. Application Suite
Aastra DECT handset programming units
Aastra Dialog 5446ip, 4XXXip (H323 terminal family)
Aastra DT390, DT690 and CPDM 3 (DECT)
Aastra DT413, DT423, DT433
Aastra InAttend
Aastra IP-DECT for OC1000 family
Aastra IPBS 433/434/430/440
Aastra OneBox FaxMail
Aastra OneBox VoiceMail
Aastra Open Messaging
Aastra PointSpan
Aastra Rack Charger for DT390, 69x, 4x3
Aastra Redirection and Configuration Service (RCS)
Aastra RightFax
Aastra S850i (Revolabs OEM)
Aastra SIP DECT Lite
Aastra Solidus eCare 7.0 SP8
Aastra Solidus eCare 8.2 SP1
Aastra Telephony Switch (TSW)
-
This was fixed in a new patch a few hours ago.
For those with MOL access you can find the latest update here.
http://domino1.mitel.com/ProdSupp/prodsupkb.nsf/ByProduct/611D18460FF313BA85257D65006C6547?opendocument&login
For those that don't, here is the update:
Article ID #: 14-1263-00115
Article Type: Technical Bulletin
Article Title: #2014-1004-04 - MBG Remediation Plan - Remote Code Execution Vulnerability in BASH Interpreter
Publish Date: Oct-2-2014
Body/Solutions
MBG Servicelink Update for ShellShock Bug
This service link eliminates a publicly-known defect in the BASH interpreter that affects MiVoice Border Gateway (MBG) and can potentially lead to a security vulnerability. This bug is widely known as “Shellshock.”
About the BASH Defect
The ShellShock bug is a group of serious vulnerabilities in the popular BASH shell interpreter. It is also widespread, existing in most Linux-based products. Since the initial vulnerability was first announced and patched, new aspects of the vulnerability have been discovered. This servicelink update eliminates all currently-known vulnerabilities in BASH related to ShellShock. These are being tracked as:
• CVE-2014-6271,
• CVE-2014-7169,
• CVE-2014-7186,
• CVE-2014-7187,
• CVE-2014-6277, and
• CVE-2014-6278.
The flaw involves improper processing of environment variables. In certain configurations, the ShellShock vulnerability may allow an unauthenticated remote attacker to execute malicious code on a targeted system. Of particular concern are services that receive a request via HTTP and use BASH to execute commands on the server. In some configurations, this vulnerability could be used to install malware on a server. Independent reports indicate that vulnerable systems are being targeted and compromised for use in botnets.
Risk to MiVoice Border Gateway Systems
ShellShock is rated as a serious vulnerability, but the actual risk varies from system to system. In most deployments of the MBG, the risk is relatively small. Two of the most common ways of exploiting the ShellShock vulnerability are through CGI programs on a web server or via a poorly secured SSH server. However, Mitel normally recommends that the SSH server be disabled by default and most MBGs have no CGI scripts. The exceptions to this are MBGs configured to support YA clients or secure call recording. Even in these configurations, these CGI scripts are unlikely to be known to the malicious scanning engines that are the most prevalent threats “in the wild.”
Nonetheless, Mitel strongly recommends that all customers install the servicelink update to correct the defect. Mitel continues to monitor the situation around the ShellShock bug.
Remediation Plan for Stand Alone Mitel Border Gateway Systems
Mitel Border Gateway Version 8.1
An updated version of the Mitel Standard Linux has been released via AMC to allow for systems to pick up the ShellShock fix. For both physical and virtual servers, please open the blades panel in server-manager, select update list and click upgrade beside the 10.1.0.31 service link load.
As with all upgrades, make a backup of the system before proceeding, and another is recommended following the update.
Any new install must be running 10.1.31.0 or AMC may fail to download license keys.
Mitel Border Gateway Version 8.0
An updated version of the Mitel Standard Linux has been released via AMC to allow for systems to pick up the ShellShock fix.
Physical systems may access the blades panel in server-manager, and execute the servicelink upgrade to 10.0.51.0.
It is recommended to then upgrade MBG to the latest 8.0 blade.
Virtual systems must redeploy the MBG ova file, using 8.0.26.0, and restore the database. Then upgrade the servicelink via the blades panel to 10.0.51.0, and then MBG to 8.0.27.0.
Alternatively, if SWA is active, deploying 8.1.13.0, restoring the db and upgrading servicelink to 10.1.31.0 is also an option.
As with all upgrades, make a backup before proceeding, and a second backup following the upgrade is recommended.
Mitel Border Gateway Version 7.1
An updated version of the Mitel Standard Linux has been released via AMC to allow for systems to pick up the ShellShock fix.
For both physical and virtual servers, please open the blades panel in server-manager, select update list and click upgrade beside the 9.4.39.0 service link load.
As with all upgrades, make a backup of the system before proceeding, and another is recommended following the update.
Mitel Border Gateway Version 7.0
An updated version of the Mitel Standard Linux has been released via AMC to allow for systems to pick up the ShellShock fix.
For both physical and virtual servers, please open the blades panel in server-manager, select update list and click upgrade beside the 9.3.31.0 service link.
As with all upgrades, make a backup of the system before proceeding, and another is recommended following the update.
-
Any word on an update to MAS?
Ralph
-
There is a MAS version available