An update on Heartbleed Bug & ShoreTel Systems

As you may have seen in the news over the last few days, security experts have discovered a security flaw in OpenSSL called the Heartbleed Bug, a significant potential threat that could impact a large number of websites and applications across multiple industries and companies. While this is not a ShoreTel-caused event, it is important for our customers and partners to know that we are aware of the serious nature of this issue and that we have assessed the impact to our products and services.

ShoreTel platforms not impacted: ShoreTel uses different OpenSSL versions than those affected, and therefore most platforms are not impacted by the Heartbleed Bug, including:

  • ShoreTel HQ and DVS software running releases prior to ShoreTel 14
  • ShoreTel ShoreGear Switches, including V-Switches and Virtual Switches
  • ShoreTel Conferencing, including SA-100, SA-400, Virtual-SA
  • ShoreTel Mobility, including all SMR Routers
  • ShoreTel IP Phones
  • ShoreTel Sky
  • Ingate SBC

ShoreTel platforms currently impacted: ShoreTel platforms currently running an OpenSSL version that is affected by the Heartbleed Bug include:

VPN Concentrator

  • All platforms of the VPN Concentrator are impacted by this bug.

ShoreTel HQ and DVS Server 14, 14.1 and 14.2 Software Builds

  • Nginx is a binary used in the ShoreTel code for communications between the ShoreTel HQ / DVS servers and the IP-400 series phones; it is statically linked against the vulnerable OpenSSL version 1.0.1c. It exists on HQ and DVS servers, and this copy of OpenSSL is used internally for the IP-400 series phones only. Currently it is an internal service, which limits customer exposure outside of local area networks. Releases prior to ShoreTel 14 do not use the Nginx binary and are not vulnerable.

Resolution: VPN Concentrator

  • ShoreTel and our partner are currently working on a temporary hotfix which will disable the TLS Heartbeat. The hotfix and implementation instructions will be released in a separate Service Alert once available.
  • We will add back TLS Heartbeat support with the next GA release, which will contain the official fix with the latest OpenSSL version, 1.0.1g.

Here are our quick recommendations for customers to mitigate the impact of the OpenSSL bug on the VPN Concentrator:

  • Disable SSH/HTTPS access on the WAN interface of the VPN Concentrator.
  • Change the Web/SSH password on all VPN Concentrator boxes.
  • Enable black/whitelist MAC filtering on the box.
  • Any remote access to the box for troubleshooting should be restricted by source IP address.
  • Customers using local-database-based authentication should consider changing their username/password.
  • There is a potential risk when using LDAP-based authentication if the same username/password is also used for other internal network access.
  • Best practice is to always put the VPN Concentrator behind a firewall, as the unit does not have a firewall enabled on it. Restrict traffic on the firewall from/to the VPN Concentrator to port 443 only.

ShoreTel HQ and DVS Server Software

  • This has limited exposure because it is not exposed outside of local area networks, and it is therefore considered low risk. The communication between the ShoreTel server and IP-400 phones does not contain any user-pertinent data or passwords. Only releases ShoreTel 14, 14.1 and 14.2 are impacted.
  • ShoreTel will update the Nginx binary to an OpenSSL version that is not vulnerable in the next ShoreTel MTTR release, 19.42.2007.0. This release is currently in QA testing and is planned for release on April 17, 2014.
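
The two points above (the Nginx binary statically linked against OpenSSL 1.0.1c, and the planned update to a non-vulnerable OpenSSL) both come down to one question an administrator can check for themselves: which OpenSSL version is embedded in a given binary, and does it fall in the Heartbleed range. The following script is an added example, not ShoreTel's or Datasharp's code. It scans a file for the "OpenSSL x.y.z" banner that OpenSSL builds embed in their binaries, classifies each hit against the publicly documented affected range (1.0.1 through 1.0.1f, plus the 1.0.2 betas; fixed in 1.0.1g), and treats "no banner found" as unknown rather than safe. The sample byte strings are constructed for the example and do not come from a real ShoreTel build.

```python
"""Classify OpenSSL version banners embedded in a binary for Heartbleed exposure.

Added example (not vendor code). Usage:
    python check_openssl_banner.py [path-to-binary]
With no argument it runs against two constructed sample blobs.
"""
import re
import sys

# Matches a bare version such as "1.0.1c", "1.0.1", "1.0.2-beta1".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?$")

# Matches the banner OpenSSL compiles into libcrypto, e.g. "OpenSSL 1.0.1c 10 May 2012".
EMBEDDED_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?(?:-beta\d+)?)")


def is_heartbleed_vulnerable(version):
    """Return True if this OpenSSL version string lies in the Heartbleed range.

    Affected: 1.0.1 through 1.0.1f inclusive (fixed in 1.0.1g) and the
    1.0.2 beta builds. The 0.9.8 and 1.0.0 branches never contained the bug.
    """
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version!r}")
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, fix) == (1, 0, 1):
        # "" (plain 1.0.1) sorts before "a", so this covers 1.0.1 and 1.0.1a..f.
        return letter <= "f"
    if (major, minor, fix) == (1, 0, 2):
        # 1.0.2-beta1 shipped the bug; the 1.0.2 final release did not.
        return beta is not None
    return False


def scan_binary(data):
    """Find every embedded OpenSSL banner in a blob and classify it.

    Returns a list of (version, vulnerable) tuples in order of appearance.
    A stripped binary may carry no banner at all, so an empty list means
    "unknown", not "safe".
    """
    results = []
    for m in EMBEDDED_RE.finditer(data):
        version = m.group(1).decode("ascii")
        results.append((version, is_heartbleed_vulnerable(version)))
    return results


# Constructed sample blobs standing in for `strings` output of a web-server
# binary; the nginx version numbers here are illustrative only.
SAMPLE_VULNERABLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"nginx version: nginx/1.4.2\x00"
    + b"OpenSSL 1.0.1c 10 May 2012\x00"
    + b"TLSv1 heartbeat\x00"
)
SAMPLE_FIXED = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"nginx version: nginx/1.4.7\x00"
    + b"OpenSSL 1.0.1g 7 Apr 2014\x00"
)


def report(label, data):
    """Print a human-readable verdict for one blob and return the scan result."""
    hits = scan_binary(data)
    if not hits:
        print(f"{label}: no OpenSSL banner found (version unknown, verify another way)")
    for version, vulnerable in hits:
        verdict = "VULNERABLE (Heartbleed range)" if vulnerable else "not in Heartbleed range"
        print(f"{label}: OpenSSL {version} -> {verdict}")
    return hits


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            report(sys.argv[1], fh.read())
    else:
        report("sample-vulnerable", SAMPLE_VULNERABLE)
        report("sample-fixed", SAMPLE_FIXED)
```

Two caveats apply when using a banner check like this. A statically linked binary, such as the Nginx build described above, carries its own OpenSSL copy, so checking the system's `openssl version` says nothing about it; the binary itself has to be inspected. Conversely, some Linux distributions backport the Heartbleed fix without changing the version banner (a patched 1.0.1e can be safe), so for distribution-supplied libraries the package changelog, not the banner, is the authoritative source.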

In addition, customers should make sure that other important applications from other companies do not pose a threat. Here is a list of many common websites and the actions needed: http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

For any questions or concerns, please contact our support team: support@datasharp-ic.co.uk or 08000-328274