ShoreTel Service Alert - Open SSL Heartbleed Bug
Subject: OpenSSL Heartbleed Bug
Date: April 10, 2014
Security researchers announced a security flaw, known as the Heartbleed Bug, in OpenSSL, a popular data encryption standard. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
OpenSSL GA versions with the vulnerability include: v1.0.1 – v1.0.1f, 1.0.2-beta, and 1.0.2-beta1 releases. Source: http://heartbleed.com/
ShoreTel Platforms not impacted:
- ShoreTel uses different OpenSSL versions than those affected and therefore are not impacted by the Heartbleed Bug include:
- ShoreTel HQ and DVS software running releases prior to ShoreTel 14.
- ShoreTel ShoreGear Switches, including V-Switches and Virtual Switches
- ShoreTel Conferencing, including SA-100, SA-400, Virtual-SA
- ShoreTel Mobility, including all SMR Routers
- ShoreTel IP Phones
- Ingate SBC
ShoreTel Platforms currently impacted:
ShoreTel platforms currently using the OpenSSL version software that is impacted by the Heartbleed bug includes:
- All platforms of the VPN Concentrator are impacted by this Heartbleed bug.
ShoreTel HQ and DVS Server 14, 14.1 and 14.2 Software Builds
- Nginx is a binary used in the ShoreTel code for communications between the ShoreTel HQ / DVS Servers and the IP-400 Series Phones that's statically linked against the OpenSSL vulnerable version 1.0.1c. It exists on HQ and DVS servers and OpenSSL is used internally for the IP-400 Series phones only. Currently it is an internal service and limits our customer exposure externally outside of local area networks. Releases prior to ShoreTel 14 do not use Nginx binary and are not vulnerable.
- VPN Concentrator
ShoreTel and our OEM Partner Edgewater are currently working on temporary hotfix which will disable the TLS Heartbeat. Hotfix and implementation instructions will be released has a separate Service Alert once we have the Hotfix readily available.
- Edgewater will add back TLS heartbeat support with next GA release i.e. 18.104.22.168, containing official fix with latest OpenSSL version 1.0.1g.
- Here is the quick recommendation for customers to mitigate the impact of the OpenSSL Bug with the VPN Concentrator:
- Disable SSH/HTTPS access for WAN Interface of VPN Concentrator
- Change Web/SSH password all VPN Concentrator Boxes.
- Enable Black/Whitelist MAC filtering on the box.
- Any remote access to box for troubleshooting should be provided with Source IP based restriction
- Customers using Local Database based Authentication should consider changing username/password.
There is a potential risk of using LDAP based Authentication, if using same username/password for other internal network access.
Best practice is to always put the VPN Concentrator behind firewall as the unit doesn't have firewall enabled on it. Restrict traffic on firewall from/to VPN Concentrator for port 443 only.
- ShoreTel HQ and DVS Server Software
This has a limited exposure due to not being exposed outside of the local area networks, and therefore is considered low risk. The communication between ShoreTel Server and IP400 phones does not contain any user pertinent data or passwords. Only releases ShoreTel 14, 14.1 and 14.2 are impacted.
ShoreTel will update the Nginx binary to an OpenSSL version that is not vulnerable in the next ShoreTel MTTR 19.42.2007.0 Release. This release is currently with QA Testing and is planned for a release on April 17, 2014.
How do I engage TAC?
Create new Service Request (SR) at http://support.ncanet.com
Call NCA ShoreTel Support at 1-877-864-7622