Mitel Forums - The Unofficial Source
Mitel Forums => MiVoice Office 250/Mitel 5000 => Topic started by: bstrain74 on June 04, 2015, 03:00:10 PM
-
I have 6 Mitel 5000 phone systems. I don't know much about them. I'm required to run quarterly vulnerability scans and all 6 have been flagged for the following item rated high. Does anyone know much about this, or have any official response from Mitel? Thanks so much.
Vulnerability: OpenSSL CCS Man in the Middle Security Bypass Vulnerability
Severity: High
Description: OpenSSL does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the 'CCS Injection' vulnerability.
Successfully exploiting this issue may allow attackers to obtain sensitive information by conducting a man-in-the-middle attack. This may lead to other attacks.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
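The scanner finding above is the "early CCS" check for CVE-2014-0224: a client sends a ChangeCipherSpec record before the key exchange has finished; an unpatched OpenSSL accepts it, a patched one answers with a fatal unexpected_message alert. The following Python 3 probe is an added example (not from the original post, the scanner, or Mitel) showing what such a scanner actually does on the wire. It assumes a TLS 1.0 ClientHello with a few RSA cipher suites, which is what a 2014-era appliance stack accepts; a modern server may reject that hello outright, which the probe reports as inconclusive rather than vulnerable. The sample server replies at the bottom are constructed byte strings so the classification logic can be exercised without a target.

```python
import socket
import struct
import sys

# TLS record-layer content types and the alert/handshake codes we care about
CONTENT_CCS = 0x14
CONTENT_ALERT = 0x15
CONTENT_HANDSHAKE = 0x16
ALERT_UNEXPECTED_MESSAGE = 0x0A
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO_DONE = 0x0E
TLS10 = (3, 1)


def tls_record(content_type, version, body):
    """Wrap body in a TLS record header: type, version, 16-bit length."""
    return struct.pack("!BBBH", content_type, version[0], version[1], len(body)) + body


def build_client_hello(version=TLS10):
    """Minimal ClientHello: version, fixed random, empty session id, RSA suites, null compression."""
    suites = [0x002F, 0x0035, 0x000A, 0x0005]  # AES128-SHA, AES256-SHA, DES-CBC3-SHA, RC4-SHA
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!BB", *version) + b"\x11" * 32 + b"\x00"
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    hs = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return tls_record(CONTENT_HANDSHAKE, version, hs)


def build_early_ccs(version=TLS10):
    """The injected message: a ChangeCipherSpec record sent before any key exchange."""
    return tls_record(CONTENT_CCS, version, b"\x01")


def parse_records(data):
    """Split raw bytes into (content_type, body) tuples; a trailing partial record is ignored."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, _maj, _min, length = struct.unpack("!BBBH", data[off:off + 5])
        if off + 5 + length > len(data):
            break
        records.append((ctype, data[off + 5:off + 5 + length]))
        off += 5 + length
    return records


def saw_server_hello_done(buf):
    """Join handshake record bodies (messages may span records) and walk the messages."""
    stream = b"".join(body for ctype, body in parse_records(buf) if ctype == CONTENT_HANDSHAKE)
    off = 0
    while off + 4 <= len(stream):
        msg_type = stream[off]
        length = int.from_bytes(stream[off + 1:off + 4], "big")
        if msg_type == HS_SERVER_HELLO_DONE:
            return True
        off += 4 + length
    return False


def classify_response(data):
    """Classify what came back after the early CCS.
    patched           -> fatal unexpected_message alert (fixed OpenSSL behaviour)
    other_alert       -> some other alert; a different TLS stack, treat as inconclusive
    likely_vulnerable -> silence or the handshake just carries on (the CVE-2014-0224 symptom)
    """
    for ctype, body in parse_records(data):
        if ctype == CONTENT_ALERT and len(body) >= 2:
            return "patched" if body[1] == ALERT_UNEXPECTED_MESSAGE else "other_alert"
    return "likely_vulnerable"


def probe(host, port=443, timeout=5.0):
    """Live check: ClientHello, wait for ServerHelloDone, inject CCS, classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        buf = b""
        while not saw_server_hello_done(buf):
            chunk = s.recv(4096)
            if not chunk or any(ct == CONTENT_ALERT for ct, _ in parse_records(buf + chunk)):
                return "handshake_failed"  # server refused our TLS 1.0 hello; inconclusive
            buf += chunk
        s.sendall(build_early_ccs())
        try:
            reply = s.recv(4096)
        except socket.timeout:
            reply = b""  # a vulnerable OpenSSL typically just waits for more handshake data
    return classify_response(reply)


# Constructed sample replies (not captured from any real system) for offline checking.
PATCHED_SAMPLE = tls_record(CONTENT_ALERT, TLS10, bytes([2, ALERT_UNEXPECTED_MESSAGE]))
OTHER_ALERT_SAMPLE = tls_record(CONTENT_ALERT, TLS10, bytes([2, 40]))  # handshake_failure
SILENT_SAMPLE = b""
SERVER_FLIGHT_SAMPLE = (
    tls_record(CONTENT_HANDSHAKE, TLS10, b"\x02" + (4).to_bytes(3, "big") + b"\x03\x01\x00\x00")
    + tls_record(CONTENT_HANDSHAKE, TLS10, b"\x0e\x00\x00\x00"))

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, probe(target))
```

Run it as `python3 ccs_probe.py <ip>` against a host you are authorised to test. The classification is the one most scanners use, so a "likely_vulnerable" result means the same thing the quarterly report flagged; confirm with the vendor's advisory before treating silence from a non-OpenSSL stack as proof.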
-
bstrain74,
If you are below version 5.0 you will need to upgrade to the latest version of software. If you are 5.x or higher you will need your vendor to load the Shellshock BASH fix or upgrade to the latest version.
Thanks,
TE
-
I have the Mitel DB Programming on my desktop, and I see the following. Looks like I have something listed here for Shellshock, but I'm not sure if this OpenSSL CCS man-in-the-middle vulnerability is the same as Shellshock?
Mitel 5000 Communications Platform Release Notes: Mitel_5000_6_0_SP_2_PR_5
Base Server 5000 System Packages:
Name                     Version      Description
cs-brs                   6.0.68       Basic Rate Interface
cs-core-utils            6.0.55       Core Utilities Package
cs-cp-uk                 6.0.11.101   UK Call Processing
cs-cp-us                 6.0.11.101   US Call Processing
cs-cp-au                 6.0.11.101   AU Call Processing
cs-cp-cf-pmts            6.0.87       CP Canadian French Prompts
cs-cp-cm-pmts            6.0.87       CP Common Prompts
cs-cp-jp-pmts            6.0.87       CP Japanese Prompts
cs-cp-sp-pmts            6.0.87       CP Spanish Prompts
cs-cp-uk-pmts            6.0.87       CP British English Prompts
cs-cp-us-pmts            6.0.87       CP English Prompts
cs-dei                   6.0.83       Digital Endpoint Interface
cs-diags                 6.0.55       Diagnostic Applications
cs-dual-t1-e1-pri        6.0.83       Dual T1/E1/PRI Application
cs-ep-html               6.0.100      Endpoint HTML Applications
cs-ep-languages          6.0.100      Endpoint Language specific support files
cs-ep-mitl               6.0.100      Mitel Endpoint Package
cs-ep-mitl2              6.0.100      Mitel Endpoint Extra Package
cs-ep-mitl-85x8          6.0.78       Mitel 85x8 digital endpoint firmware
cs-ipra                  6.0.99       IP Resource Application
cs-libs                  6.0.89       Shared Libraries
cs-ls                    6.0.87       Loopstart Application
cs-norflash              6.0.78       System Norflash Files
cs-olm                   6.0.68       On-Line Monitor
cs-rch                   6.0.98       Resource Command Handler
cs-rmtmon                6.0.55       Customer Care
cs-release               6.0.101      mtl-5000-6_0-release-65_SP_2_PR_5
cs-romd                  6.0.63       Remote Office Monitor Daemon
cs-shellshock-fix-bash   3.1.23       Fixes for Shellshock-vulnerabilities family
cs-sl                    6.0.66       Single Line Application
cs-slm8                  6.0.55       Single Line 8
cs-system                6.0.83       System Drivers
cs-system-utils          6.0.99       System Utilities
-
bstrain74,
Alright, I spent a little more time on this one trying to find a match on the exact vulnerability and there is not a security advisory for this specific issue. There is however one for the Heartbleed vulnerability which the 5000 was reported immune to on 6.0 SP1 PR1 and earlier; this one is not likely as severe. I think the issue here would be, "The attacker would be required to intercept and alter network traffic, and do so in real time, to exploit the flaw; in that case, the attacker could potentially view and/or modify the otherwise secured traffic".
If you wanted to try shutting down the web server and test again I guess that is possible. Go to System > IP Settings > Web/SSH Settings and from there I am sure you can figure out if you want to shut just the web portion down or both it and SSH.
If that doesn't work for you then you can have your vendor put in a ticket with Mitel so they can give you a direct answer. I do know that we haven't moved to CentOS version 6 yet, but there is a patch update for version 5 that requires OpenSSL version 0.9.8e, according to the following, but I am not sure what version of OpenSSL we use.
For CentOS 5 you should have
openssl-0.9.8e-27.el5_10.3
openssl097a-0.9.7a-12.el5_10.1
Thanks,
TE
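The two CentOS 5 package versions TE quotes above are the kind of thing a vendor would confirm with `rpm -q openssl openssl097a` on the base server. As an added example (mine, not from the post or from Mitel), the Python 3 below compares installed name-version-release strings against those two quoted versions using RPM's segment-wise ordering rather than plain string comparison, which matters because "el5_10" must sort after "el5_9". The installed lines are constructed sample input, not output from any real 5000 system; the Mitel appliance does not give customers a shell, so in practice this is a check for whoever holds the support ticket. The comparison omits rpm's `~` and `^` handling, which none of these version strings use.

```python
import re

# Fixed CentOS 5 versions quoted in the post above: (name) -> (version, release)
FIXED = {
    "openssl": ("0.9.8e", "27.el5_10.3"),
    "openssl097a": ("0.9.7a", "12.el5_10.1"),
}

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a, b):
    """Compare two RPM version or release strings like rpmvercmp(): 1, 0 or -1.
    Strings are split into numeric and alphabetic segments; numeric segments compare
    as integers (so 10 > 9), alphabetic ones lexically, and a numeric segment beats
    an alphabetic one at the same position. Separators such as '.' and '_' are ignored.
    """
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            return 1 if x_num else -1
        if x_num:
            xi, yi = int(x), int(y)  # int() drops leading zeros, as rpm does
            if xi != yi:
                return 1 if xi > yi else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) != len(sb):
        return 1 if len(sa) > len(sb) else -1
    return 0


def evr_cmp(ver1, rel1, ver2, rel2):
    """Compare (version, release) pairs; release only decides when versions tie."""
    c = rpmvercmp(ver1, ver2)
    return c if c else rpmvercmp(rel1, rel2)


def parse_nvr(nvr):
    """Split 'name-version-release' from the right: release and version never contain '-'."""
    name, version, release = nvr.strip().rsplit("-", 2)
    return name, version, release


def check_packages(rpm_q_lines, fixed=FIXED):
    """Map each package we have a fixed version for to 'fixed' or 'needs update'."""
    results = {}
    for line in rpm_q_lines:
        if not line.strip():
            continue
        name, ver, rel = parse_nvr(line)
        if name not in fixed:
            continue
        fver, frel = fixed[name]
        results[name] = "fixed" if evr_cmp(ver, rel, fver, frel) >= 0 else "needs update"
    return results


# Constructed sample of `rpm -q openssl openssl097a zlib` output (not from a real system):
# openssl is one errata behind, openssl097a is at the quoted level, zlib is not tracked here.
SAMPLE_RPM_Q = [
    "openssl-0.9.8e-26.el5_9.1",
    "openssl097a-0.9.7a-12.el5_10.1",
    "zlib-1.2.3-7.el5",
]

if __name__ == "__main__":
    for pkg, state in sorted(check_packages(SAMPLE_RPM_Q).items()):
        print(f"{pkg}: {state}")
```

Feed it real `rpm -q` output one package per line; anything newer than the quoted release also reports "fixed", which is the behaviour you want once later errata supersede these builds.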
-
Thanks for the info about shutting down the web server. I had no idea that a web server was running. I just connect up to the Mitel boxes using the DB Programming - what is the web server for? I shut down the web server on one system, rescanned, and the vulnerability is now NOT showing up. Thank you again.
-
bstrain74,
The web server is used for several things. If you open a browser and go to the IP address of the system and then use the admin credentials you will see what is in there. There are also personal web pages as well if there are users on the system that allow them to make changes to their phones.
If the web server is down you lose a lot of your diagnostics and you can't use the SAaD [System Administration and Diagnostics] portion of your tools, since that is all through the web server, along with upgrades.
The way I see it is if you do not allow access to the web server outside the local network then you shouldn't have any issues and the vulnerability becomes obsolete.
Thanks,
TE