Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Shellshock Worm
- Thread starter 619Tech
- Start date
I just opened a case with Windstream to get to Mitel .
I have a medium level meeting this pm with a few folks so I will make mention of it .
I will blog later with anything that I find but I am sure they will tell me its being reviewed and no further info available .......
A couple of articles with some interesting ,links to a LOT more information on this ...
I have a medium level meeting this pm with a few folks so I will make mention of it .
I will blog later with anything that I find but I am sure they will tell me its being reviewed and no further info available .......
A couple of articles with some interesting ,links to a LOT more information on this ...
- Thread starter
- #3
- Thread starter
- #6
Here is the Mitel reply to my ticket:
"We do have this vulnerability. But this isn't exploitable remotely. By default, MSL turn off the SSH connection to public network (and we also suggest that).
You could double check on your system, in Server-manager--Security--Remote access--secure shell setting, make sure we are not allowing public access. If so, we don't need worry about this by now.
Our design is also working on this to get it patched in next version."
"We do have this vulnerability. But this isn't exploitable remotely. By default, MSL turn off the SSH connection to public network (and we also suggest that).
You could double check on your system, in Server-manager--Security--Remote access--secure shell setting, make sure we are not allowing public access. If so, we don't need worry about this by now.
Our design is also working on this to get it patched in next version."
Remote Code Execution Vulnerability in BASH Interpreter
#2014-1004-04
Remote Code Execution Vulnerability in BASH Interpreter
Oct 1, 2014
Background
The ShellShock bug is a group of serious vulnerabilities in the popular BASH shell interpreter. It is also widespread, existing in most Linux-based products. Since the initial vulnerability was first announced and patched, new aspects of the vulnerability have been discovered. These are being tracked as CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278.
The flaw involves improper processing of environment variables. In certain configurations, the ShellShock vulnerability may allow an unauthenticated remote attacker to execute malicious code on a targeted system. Of particular concern are services that receive a request via HTTP and use BASH to execute commands on the server. In some configurations, this vulnerability could be used to install malware on a server. Independent reports indicate that vulnerable systems are being targeted and compromised to be used in botnets.
Summary
Mitel is monitoring this dynamic situation very carefully. We are conducting a thorough investigation of its entire portfolio to ascertain which of our products may be susceptible. This security advisory will be updated as new information emerges and as our investigation progresses.
The following products that may be vulnerable
Customers are advised to contact Mitel or Aastra support.
Mitel MiVoice Border Gateway
Mitel MiVoice Office (Mitel 5000)
Mitel Oria
Aastra MX-ONE Telephony System
Aastra MX-ONE Telephony Server
Aastra 5000 Call Manager
Aastra 5000 Compact
Aastra 5000 Gateway
Aastra 700
Aastra AM7450 Management Center
The following products are not vulnerable
Mitel 3250
Mitel ER Advisor
Mitel MiContact Center Business
Mitel MiContact Center Enterprise
Mitel MiContact Center for Microsoft Lync
Mitel MiContact Center Office
Mitel Virtualization Framework
Mitel MiVoice Business Dashboard
Mitel MiVoice Call Accounting
Mitel MiVoice Communications Director (3300)
Mitel MiVoice Conference Unit (UC360)
Mitel MiVoice Digital Phones 8528, 8568
Mitel MiVoice Enterprise Manager
Mitel MiVoice for Lync
Mitel MiVoice HTML Application
Mitel MiVoice IP Phones 53xx, 5560, 5540, 5505
Mitel MiVoice Video Unit (UC360)
Aastra MX-ONE Manager Provisioning
Aastra MX-ONE Manager Telephony System
Aastra MX-ONE Manager System Performance
Aastra MX-ONE Manager Availability
Aastra 2380ip
Aastra 400
Aastra 67XX & 68XX Series SIP Phones
Aastra 6700i 6800i 9000i Series SIP Phones
Aastra 74XXip (H323 terminal family)
Aastra 800 (also A800)
Aastra Alarmserver
Aastra BluStar Client
Aastra BluStar Server
Aastra Open Interfaces Platform
Aastra OpenCom 1000 family
Aastra OpenCom 100
Aastra OpenCom 130
Aastra OpenCom 150
Aastra OpenCom 510
Aastra OpenCom x320
Aastra SIP DECT
Aastra Open Mobility Manager (SIP DECT)
Aastra OpenMobility (RFP32/35/36/37/42/43)
Aastra OpenPhone 7x IP
Aastra TA7102a
Aastra TA7104a
The following products are under investigation
Mitel 5603/5604/5607/5624 Rack Charger (Ascom OEM)
Mitel 1000
Mitel 3000 Communications System
Mitel 5603/5604/5607 Programmer (Ascom OEM)
Mitel DECT Basestation (Ascom OEM)
Mitel MiCollab (Audio, Web and Video Conferencing)
Mitel MiCollab (Speech Auto Attendant)
Mitel MiCollab (Unified Messaging)
Mitel MiCollab (Web Portal)
Mitel MiCollab Client (Desktop)
Mitel MiCollab Mobile Client (Android)
Mitel MiCollab Mobile Client (iOS)
Mitel MiCollab Server
Mitel MiCollab with Voice (vUCC)
Mitel MiContact Center Outbound (Noetica)
MItel MiContact Center Live (LiveOps)
Mitel MiVoice 5603/5604/5606/5607 IP DECT phones
Mitel MiVoice 5610 DECT Handset and IP DECT Stand
Mitel MiVoice 5624 WiFi Phone
Mitel MiVoice Communications Director (Stratus)
Mitel MXE Server
Mitel MiVoice Communications Director (ISS)
Mitel MiVoice IP DECT Base Station
Mitel Multi-Instance Communications Director
Mitel Standard Linux
Mitel SX-200IP ICP
Mitel Virtual MiVoice Communications Director
Mitel WSM, WSM-3 (Ascom OEM)
Aastra 340w and 342w
Aastra 5300 series
Aastra A1023i
Aastra AMCC (Aastra Mobile Clients & Controller)
Aastra BluStar 8000i
Aastra BluStar Web
Aastra Clearspan (Acme Packet Core SBC)
Aastra Clearspan (AudioCodes eSBC / Gateway)
Aastra Clearspan (Broadworks Platform)
Aastra Clearspan (Edgewater eSBC)
Aastra Centergy Virtual Contact Center
Aastra CMG
Aastra D.N.A. Application Suite
Aastra DECT handset programming units
Aastra Dialog 5446ip, 4XXXip (H323 terminal family)
Aastra DT390, DT690 and CPDM 3 (DECT)
Aastra DT413, DT423, DT433
Aastra InAttend
Aastra IP-DECT for OC1000 family
Aastra IPBS 433/434/430/440
Aastra OneBox FaxMail
Aastra OneBox VoiceMail
Aastra Open Messaging
Aastra PointSpan
Aastra Rack Charger for DT390, 69x, 4x3
Aastra Redirection and Configuration Service (RCS)
Aastra RightFax
Aastra S850i (Revolabs OEM)
Aastra SIP DECT Lite
Aastra Solidus eCare 7.0 SP8
Aastra Solidus eCare 8.2 SP1
Aastra Telephony Switch (TSW)
**********************************************
What's most important is that you realise ... There is no spoon.
- Status