OpenSSL Heartbleed Vulnerability

Summary

The Heartbleed bug is a vulnerability in OpenSSL, a popular open-source implementation of the SSL/TLS protocol. It may allow unauthenticated remote attackers on the Internet to read the memory of connected systems that use vulnerable versions of the OpenSSL library, which may compromise high-value assets such as the secret keys used to encrypt and decrypt private information. Attackers armed with these secret keys could impersonate users and services, steal information or eavesdrop on communications.

This vulnerability is limited to specific versions of the OpenSSL library that were released after the bug was introduced in December 2011. The bug is tracked as CVE-2014-0160.

Mitel is currently investigating its product portfolio to determine which products are affected by this issue. This advisory will be updated regularly while the investigation of the product portfolio is completed. The current status of the portfolio is as follows:

Products Not Vulnerable

The following products are confirmed to be not vulnerable:

  • Aastra MX-ONE Telephony System, 4.1 and 5.0, including all SPs 
  • Aastra MX-ONE Telephony Server, 4.1 and 5.0, including all SPs (MX-ONE 4.1/5.0 & 700 R2) 
  • Aastra MX-ONE Manager Provisioning, 4.1 and 5.0, including all SPs (MX-ONE 4.1/5.0 & 700 R2) 
  • Aastra MX-ONE Manager Telephony System, 4.1 and 5.0, including all SPs (MX-ONE 4.1/5.0 & 700 R2)
  • Aastra MX-ONE Manager System Performance, 4.1 and 5.0, including all SPs (MX-ONE 4.1/5.0 & 700 R2)
  • Aastra 2380ip, all versions
  • Aastra 400, all versions 
  • Aastra 5000, 5.4 and earlier (SecurityDoc 6.x.11 must not be installed)*  
  • Aastra 5300 series, all versions
  • Aastra 6700i 6800i 9000i Series SIP Phones, 3.3.1 SP3 and earlier
  • Aastra 700 R2
  • Aastra 74XXip (H323 terminal family), all versions
  • Aastra 800, pre-R10
  • Ascom A1023i, all versions
  • Aastra Alarmserver, all versions
  • Aastra AM7450, R2.4 and earlier (SecurityDoc 6.x.11 must not be installed)*
  • Aastra BluStar 8000i, 4.3.0-1096 and earlier 
  • Aastra BluStar Client, all versions
  • Aastra BluStar Server, all versions
  • Aastra BluStar Web, 8.0 and earlier 
  • Aastra Clearspan (Acme Packet Core SBC), all versions
  • Aastra Clearspan (AudioCodes eSBC / Gateway), all versions
  • Aastra Clearspan (Broadworks Platform), all versions
  • Aastra Centergy Virtual Contact Center, all versions
  • Aastra CMG, 7.5 SP4 and earlier
  • Aastra D.N.A. Application Suite, 5.6 and earlier 
  • Aastra DECT handset programming units, all versions
  • Aastra Dialog 5446ip, 4XXXip (H323 terminal family), all versions
  • Aastra DT390, DT690 and CPDM 3 (DECT), all versions
  • Aastra DT413, DT423, DT433
  • Aastra InAttend, 1.0 SP6 and earlier 
  • Aastra IP DECT A5000, R.2.1 and later
  • Aastra IP DECT OC1000, R3
  • Aastra IPBS 433/434/430/440, all versions
  • Aastra OneBox FaxMail, 5.5 and earlier
  • Aastra OneBox VoiceMail, 5.X 
  • Aastra Open Interfaces Platform all versions
  • Aastra Open Messaging, all versions
  • Aastra Opencom 1000, all versions 
  • Aastra Opencom 130, all versions 
  • Aastra Opencom 150, all versions
  • Aastra Opencom 510, all versions
  • Aastra Opencom x320, pre-R10
  • Aastra PointSpan, all versions
  • Aastra Rack Charger for DT390, 69x, 4x3, all versions
  • Aastra Redirection and Configuration Service (RCS), 1.0.22 
  • Aastra RightFax, 10.5 and earlier
  • Aastra S850i (Revolabs OEM), 2.1.6
  • Aastra SIP DECT, R 4.x and earlier
  • Aastra SIP DECT Lite, all versions 
  • Aastra Solidus eCare 7.0 SP8, 7.0 SP8 and earlier 
  • Aastra Solidus eCare 8.2 SP1, 8.2 SP1 and earlier 
  • Aastra TA7102a (terminal adapter- Mediatrix), all versions
  • Aastra TA7104a (terminal adapter- Mediatrix), all versions
  • Aastra Telephony Switch (TSW), all versions
  • Oaisys Talkument/Navigator, all versions
  • Mitel 5603/5604/5607/5624 Rack Charger (Ascom OEM), all versions
  • Mitel 3000 Communications System, released Nov 2011 and earlier
  • Mitel 3250, all versions 
  • Mitel 5603/5604/5607 Programmer (Ascom OEM), all versions
  • Mitel DECT Basestation (Ascom OEM), v1 and v2
  • Mitel ER Advisor, all versions
  • Mitel MiCollab (Audio, Web and Video Conferencing), all versions 
  • Mitel MiCollab (Speech Auto Attendant), all versions 
  • Mitel MiCollab (Unified Messaging), all versions 
  • Mitel MiCollab (Web Portal), all versions 
  • Mitel MiCollab Client (Desktop), 5.1 and higher 
  • Mitel MiCollab Mobile Client (Android), all versions
  • Mitel MiCollab Mobile Client (iOS), all versions 
  • Mitel MiCollab Server, all versions
  • Mitel MiCollab with Voice (vUCC), all versions 
  • Mitel MiContact Center Business, all versions  
  • Mitel MiContact Center Enterprise, all versions 
  • Mitel MiContact Center for Microsoft Lync, all versions 
  • Mitel MiContact Center Office, all versions
  • Mitel MiContact Center Outbound (Noetica), all versions
  • Mitel Virtualization Framework, all versions
  • Mitel MiVoice 5603/5604/5607 IP DECT phones, all versions
  • Mitel MiVoice 5610 DECT Handset and IP DECT Stand, all versions
  • Mitel MiVoice 5624 WiFi Phone, all versions
  • Mitel MiVoice Border Gateway, 8.1 and earlier
  • Mitel MiVoice Business Dashboard, all versions 
  • Mitel MiVoice Call Accounting, all versions
  • Mitel MiVoice Communications Director, 6.0 and earlier 
  • Mitel MiVoice Conference Unit (UC360), all versions 
  • Mitel MiVoice Digital Phones 8528, 8568, all versions
  • Mitel MiVoice Enterprise Manager, 8.1 and earlier
  • Mitel MiVoice for Lync, all versions 
  • Mitel MiVoice HTML Application
  • Mitel MiVoice IP DECT Base Station, all versions
  • Mitel MiVoice IP Phones 53xx, 5560, 5540, 5505, all versions
  • Mitel MiVoice Office (Mitel 5000), 6.0 SP1 PR1 and earlier
  • Mitel MiVoice Video Unit (UC360), all versions 
  • Mitel Multi-Instance Communications Director, 1.2.1.8 and earlier 
  • Mitel Oria, all versions
  • Mitel Standard Linux, 10.0 and earlier 
  • Mitel SX-200IP ICP
  • Mitel Virtual MiVoice Communications Director, 6.0 and earlier
  • Mitel WSM, WSM-3 (Ascom OEM), all versions 

*Note: If "SecurityDoc 6.x.11" was installed, a corrective patch "SecurityDoc 6.x.13" is available.

Products Confirmed As Vulnerable

The following products are confirmed to be vulnerable. Patch versions, if available, are specified.

  • Aastra 100, R 11.1; an update will be available April 30 through Aastra support 
  • Aastra 340w and 342w, all versions prior to 4.3.1G.0189; an update will be available May 15 through Aastra support
  • Aastra 800, R10 and later; an update will be available April 30 through Aastra support 
  • Aastra AMCC, versions 10684.16.5 to 10684.18.3; an update is available through Aastra support 
  • Aastra Clearspan (Edgewater eSBC), several versions; contact Aastra support for remediation information
  • Aastra OpenCom x320, R10 and later; an update will be available April 30 through Aastra support 
  • Aastra SIP DECT, R 5.0; an update will be available May 31 through Aastra support

Products under Investigation

We have not yet completed investigation on the following products:

  • Aastra MX-ONE Manager Availability, 1.0 (MX-ONE 4.1/5.0)
  • Mitel 3000 Communications System, released Dec 2011 and later

For customers using any of these products packaged as a virtualized VMware appliance, please consult VMware support to ensure that the underlying version of VMware is not susceptible to the Heartbleed vulnerability (http://www.vmware.com/security/advisories/VMSA-2014-0004.html).

source: Mitel