Heartbleed Detailed Info

A vulnerability in the widely used OpenSSL library, popularly known as Heartbleed (CVE-2014-0160), allows an attacker to read memory from an affected server or client, exposing information normally protected by SSL/TLS, such as private keys, session cookies and passwords. This advisory details the impact of the vulnerability on Fonality’s products.


If you would like the full technical details, continue reading. Otherwise, rest assured that we have examined our own software, the software our systems depend upon (the Linux operating system and its components, for example), and other products that we resell (such as routers and phones). While some of these products are still under investigation, we have not found any evidence of an intrusion, nor do we have any reason to believe that any of our products are vulnerable.


Revision Information

Reference Number: 20140410-01

Release Date: April 10, 2014

Latest Revision: April 10, 2014 (revision 1)


Vulnerability Information

SSL/TLS is a core component of many communication protocols, and OpenSSL is a very common implementation of it used throughout different products and services. The Heartbleed bug affects OpenSSL 1.0.1 through 1.0.1f and is fixed in 1.0.1g; the older 1.0.0 and 0.9.8 branches are not affected. Note that Linux distributions often backport the fix without changing the reported version number, so a version string alone does not prove that a system is vulnerable. Fonality develops and sells a variety of products and services that also use SSL/TLS, and this advisory details the impact of the vulnerability on each product and provides references as needed.


CONTROL PANEL

Fonality Control Panel (http://cp.fonality.com) NOT VULNERABLE

The Control Panel (CP) is central to all Fonality product lines listed below. The Control Panel website itself is not vulnerable. As an extra security measure, you may choose to reset your CP password. Please see SSL Certificate Compromise for more details.


PRODUCT LINES

Connect / Connect+  NOT VULNERABLE

All versions of the Connect and Connect+ service are not vulnerable.

Unbound  NOT VULNERABLE

All versions of the Unbound service are not vulnerable.

Enterprise Pay as you Go NOT VULNERABLE

All versions of the Enterprise Pay as you Go service are not vulnerable. This service may also be listed as Enterprise Hosted or Fonality Private Cloud in past product documentation.

PBXtra NOT VULNERABLE

All versions of the default installation of PBXtra are not vulnerable.

trixbox Pro NOT VULNERABLE

All versions of the default installation of trixbox Pro are not vulnerable.


SSL CERTIFICATE COMPROMISE

As part of the OpenSSL vulnerability response, we discovered a vulnerable server that had access to the Fonality SSL certificate. This server was not part of any Fonality product listed above; however, a certificate is only as secure as its private key, and Heartbleed can expose that key from the memory of a vulnerable server, so it is prudent to consider the Fonality SSL certificate itself compromised. This certificate was being used for other services such as HUD Web and CP.


We have deployed a new certificate and revoked the old one. (In general, replacing a certificate after Heartbleed only helps if the new certificate is issued for a newly generated private key; a certificate reissued for the same key remains exposed.) While the likelihood of actual compromise is minimal, we suggest that you reset your HUD Web and CP passwords as an added precaution.


NETWORK HARDWARE


Along with its core product line, Fonality sells a variety of network hardware whose firmware may embed OpenSSL and may therefore be susceptible to the OpenSSL vulnerability.


D-Link DSR 250-N UNDER INVESTIGATION

We’re currently investigating the vulnerability status with the vendor.

D-Link DSR 500-N UNDER INVESTIGATION

We’re currently investigating the vulnerability status with the vendor.

D-Link DIR 655 UNDER INVESTIGATION

We’re currently investigating the vulnerability status with the vendor.

Cisco SRP 521 UNDER INVESTIGATION

We’re currently investigating the vulnerability status with the vendor.

Cisco SRP 541 UNDER INVESTIGATION

We’re currently investigating the vulnerability status with the vendor.

Cisco RV180W Router UNDER INVESTIGATION

We’re currently investigating the vulnerability status with the vendor.

Cisco RV220W Router UNDER INVESTIGATION

We’re currently investigating the vulnerability status with the vendor.

Vega 50 VS0113 UNDER INVESTIGATION

We’re currently investigating the vulnerability status with the vendor.

Vega 50 VS0114 UNDER INVESTIGATION

We’re currently investigating the vulnerability status with the vendor.

Vega 5000 VS0150 UNDER INVESTIGATION

We’re currently investigating the vulnerability status with the vendor.

Vega 5000 VS0151 UNDER INVESTIGATION

We’re currently investigating the vulnerability status with the vendor.

Vega 5000 VS0152 UNDER INVESTIGATION

We’re currently investigating the vulnerability status with the vendor.

Vega 5000 VS0153 UNDER INVESTIGATION

We’re currently investigating the vulnerability status with the vendor.


PHONES

Fonality sells, or has sold in the past, various models of VoIP phones that are supported with our services. Please read below for information specific to each vendor.


Polycom Phones NOT VULNERABLE

The Polycom firmware revisions currently supported by Fonality are not believed to be vulnerable. If you have manually changed your phone’s firmware to a different version, please check with Polycom whether that version is vulnerable. Fonality currently supports the following Polycom phones:

  • SoundPoint IP335

  • SoundPoint IP550

  • SoundPoint IP560

  • SoundPoint IP650

  • SoundStation IP 5000

  • SoundStation IP 6000

Yealink Phones NOT VULNERABLE

The Yealink firmware revisions supported by Fonality are not affected by the Heartbleed bug. This applies to all models of Yealink phones we support, including:

  • Yealink SIP-T20P

  • Yealink SIP-T32G

  • Yealink SIP-T38G

  • Yealink W52P


ADD-ON FEATURES/PRODUCTS

Enterprise Hosted Record All MIXED

A small percentage of our Enterprise Hosted Record All customers were provisioned on servers that were vulnerable to the Heartbleed bug. Fonality will proactively notify affected customers as deemed necessary. The servers of the remaining majority of customers have not been affected.

HUD Web (hudweb.fonality.com) NOT VULNERABLE

The HUD Web service is not vulnerable. However, as a precaution, you may choose to reset your HUD Web password. Please see SSL Certificate Compromise for more details.

Screenshare (share.fonality.com) NOT VULNERABLE

The Screenshare service is not vulnerable. However, as a precaution, you may choose to reset your HUD Web password. Please see SSL Certificate Compromise for more details.

HUD Desktop NOT VULNERABLE

The HUD Desktop product is not vulnerable.

HUD Server NOT VULNERABLE

The HUD Server service is not vulnerable.

Video Collaboration (vendor: zoom.us) UNDER INVESTIGATION

We’re currently investigating the vulnerability status with the vendor.

Paperless Fax License (vendor: Concord Fax) UNDER INVESTIGATION

We’re currently investigating the vulnerability status with the vendor.

References


For further information, please contact Fonality Support.


Fonality Security team contact info: security-team@fonality.com


Legal Disclaimer

*Fonality maintains fraud and security monitoring protocols. However, Fonality cannot and does not warrant complete security and fraud prevention of its products/services, including any server, equipment or the Fonality network. Accordingly, Fonality disclaims any and all liability resulting from or related to unauthorized intrusions or access and related security events
