Topic: OpenSSL CCS CVE-2014-0224

bstrain74
OpenSSL CCS CVE-2014-0224
« on: June 04, 2015, 03:00:10 PM »
I have 6 Mitel 5000 phone systems. I don't know much about them. I'm required to run quarterly vulnerability scans and all 6 have been flagged for the following item rated high. Does anyone know much about this, or have any official response from Mitel? Thanks so much.


Vulnerability: OpenSSL CCS Man in the Middle Security Bypass Vulnerability
Severity: High
Description: OpenSSL does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the 'CCS Injection' vulnerability.
Successfully exploiting this issue may allow attackers to obtain sensitive information by conducting a man-in-the-middle attack. This may lead to other attacks.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224


Tech Electronics
Re: OpenSSL CCS CVE-2014-0224
« Reply #1 on: June 04, 2015, 04:16:59 PM »
bstrain74,

If you are below version 5.0 you will need to upgrade to the latest version of software. If you are 5.x or higher you will need your vendor to load the Shellshock BASH fix or upgrade to the latest version.

Thanks,

TE

bstrain74
Re: OpenSSL CCS CVE-2014-0224
« Reply #2 on: June 04, 2015, 04:42:06 PM »
I have the Mitel DB Programming on my desktop, I see the following. Looks like I have something listed here for Shellshock, but not sure if this OpenSSL CCS Man-in-the-middle vulnerability is the same as Shellshock??


Mitel 5000 Communications Platform Release Notes: Mitel_5000_6_0_SP_2_PR_5

Base Server 5000 System Packages:
Name                    Version     Description

cs-brs                  6.0.68      Basic Rate Interface
cs-core-utils           6.0.55      Core Utilities Package
cs-cp-uk                6.0.11.101  UK Call Processing
cs-cp-us                6.0.11.101  US Call Processing
cs-cp-au                6.0.11.101  AU Call Processing
cs-cp-cf-pmts           6.0.87      CP Canadian French Prompts
cs-cp-cm-pmts           6.0.87      CP common Prompts
cs-cp-jp-pmts           6.0.87      CP Japanese Prompts
cs-cp-sp-pmts           6.0.87      CP Spanish Prompts
cs-cp-uk-pmts           6.0.87      CP British English Prompts
cs-cp-us-pmts           6.0.87      CP English Prompts
cs-dei                  6.0.83      Digital Endpoint Interface
cs-diags                6.0.55      Diagnostic Applications
cs-dual-t1-e1-pri       6.0.83      Dual T1/E1/PRI Application
cs-ep-html              6.0.100     Endpoint HTML Applications
cs-ep-languages         6.0.100     Endpoint Language specific support files
cs-ep-mitl              6.0.100     Mitel Endpoint Package
cs-ep-mitl2             6.0.100     Mitel Endpoint Extra Package
cs-ep-mitl-85x8         6.0.78      Mitel 85x8 digital endpoint firmware
cs-ipra                 6.0.99      IP Resource Application
cs-libs                 6.0.89      Shared Libraries
cs-ls                   6.0.87      Loopstart Application
cs-norflash             6.0.78      System Norflash Files
cs-olm                  6.0.68      On-Line Monitor
cs-rch                  6.0.98      Resource Command Handler
cs-rmtmon               6.0.55      Customer Care
cs-release              6.0.101     mtl-5000-6_0-release-65_SP_2_PR_5
cs-romd                 6.0.63      Remote Office Monitor Daemon
cs-shellshock-fix-bash  3.1.23      Fixes for Shellshock-vulnerabilities family
cs-sl                   6.0.66      Single Line Application
cs-slm8                 6.0.55      Single Line 8
cs-system               6.0.83      System Drivers
cs-system-utils         6.0.99      System Utilities

Tech Electronics
Re: OpenSSL CCS CVE-2014-0224
« Reply #3 on: June 04, 2015, 05:31:38 PM »
bstrain74,

Alright, I spent a little more time on this one trying to find a match on the exact vulnerability and there is not a security advisory for this specific issue. There is however one for the Heartbleed vulnerability which the 5000 was reported immune to on 6.0 SP1 PR1 and earlier; this one is not likely as severe. I think the issue here would be, "The attacker would be required to intercept and alter network traffic, and do so in real time, to exploit the flaw; in that case, the attacker could potentially view and/or modify the otherwise secured traffic".

If you wanted to try shutting down the web server and test again I guess that is possible. Go to System > IP Settings > Web/SSH Settings and from there I am sure you can figure out if you want to shut just the web portion down or both it and SSH.

If that doesn't work for you then you can have your vendor put in a ticket with Mitel so they can give you a direct answer. I do know that we haven't moved to CentOS version 6 yet, but there is a patch update for version 5 that requires OpenSSL version 0.9.8e; according to the following, but I am not sure what version of OpenSSL we use.

For CentOS 5 you should have
openssl-0.9.8e-27.el5_10.3
openssl097a-0.9.7a-12.el5_10.1

Thanks,

TE
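
Added example (not part of the original posts, and not Mitel or CentOS code): a check of an installed CentOS 5 package string against the two builds quoted in Reply #3, using a simplified version of RPM's version comparison. The upstream version field (0.9.8e) is the same on older and newer builds, so the comparison has to include the release field; the installed strings in the demo are constructed samples, and `FIXED_BUILDS`, `rpm_vercmp` and `at_or_above_fixed` are names chosen for this example.

```python
import re

# Builds quoted in Reply #3 for CentOS 5 (values taken from the thread).
FIXED_BUILDS = {
    "openssl": ("0.9.8e", "27.el5_10.3"),
    "openssl097a": ("0.9.7a", "12.el5_10.1"),
}

def _segments(s):
    # rpm compares maximal runs of digits or letters; separators are ignored.
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpm_vercmp(a, b):
    """Simplified rpmvercmp: returns -1, 0 or 1 (no tilde/caret handling)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)          # numeric runs compare as integers
        elif x.isdigit() != y.isdigit():
            # A numeric segment is always newer than an alphabetic one.
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def split_nvr(pkg):
    """Split 'name-version-release' (no arch suffix) from the right."""
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release

def at_or_above_fixed(pkg):
    """True if pkg is at least the build quoted in the thread, None if unknown."""
    name, version, release = split_nvr(pkg)
    if name not in FIXED_BUILDS:
        return None
    fixed_version, fixed_release = FIXED_BUILDS[name]
    result = rpm_vercmp(version, fixed_version) or rpm_vercmp(release, fixed_release)
    return result >= 0

if __name__ == "__main__":
    # Constructed sample strings, not output from any Mitel system.
    for sample in ("openssl-0.9.8e-27.el5_10.3", "openssl-0.9.8e-27.el5_10.1",
                   "openssl-0.9.8e-26.el5_9.1", "openssl097a-0.9.7a-12.el5_10.1"):
        print(sample, at_or_above_fixed(sample))
```
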

bstrain74
Re: OpenSSL CCS CVE-2014-0224
« Reply #4 on: June 05, 2015, 09:40:26 AM »
Thanks for the info about shutting down the web server. I had no idea that a web server was running. I just connect up to the Mitel boxes using the DB Programming - what is the web server for? I shut down the web server on one system, rescanned, and the vulnerability is now NOT showing up. Thank you again.

Tech Electronics
Re: OpenSSL CCS CVE-2014-0224
« Reply #5 on: June 05, 2015, 11:11:22 AM »
bstrain74,

The web server is used for several things. If you open a browser and go to the IP Address of the system and then use the admin credentials you will see what is in there. There are also personal web pages as well if there are users on the system that allow them to make changes to their phones.

If the web server is down you lose a lot of your diagnostics and you can't use the SAaD [System Administration and Diagnostics] portion of your tools since that is all through the web server; along with upgrades.

The way I see it is if you do not allow access to the web server outside the local network then you shouldn't have any issues and the vulnerability becomes obsolete.

Thanks,

TE


 
