Security Advisory Relating to OpenSSL Vulnerability Heartbleed on Various Polycom Products



Similar documents
Security Advisory Relating to OpenSSL Vulnerability Heartbleed on Various Polycom Products

Security Advisory Relating to Multiple OpenSSL Vulnerabilities on Various Polycom Products.

Device Certificates on Polycom Phones

Technical Bulletin 5844

Security Slots on Polycom SoundPoint IP, SoundStation IP, SoundStation Duo and VVX Series Phones

Syslog on Polycom Phones

GETTING STARTED GUIDE. 1.3 September D. Polycom RealAccess

Using the Unified Call Appearance List

Using Enhanced Feature Keys and Configurable Soft Keys on Polycom Phones

Deploying and Configuring Polycom Phones in 802.1X Environments

Edgewater Networks with Polycom RealPresence Platform and Phones

Polycom Unified Communications in RealPresence Access Director System Environments

Connectivity to Polycom RealPresence Platform Source Data

Using Multiple Appearance Directory Number - Single Call Appearance with Polycom Phones

Deploying Polycom SoundStation IP Conference Phones with Cisco Unified Communications Manager (CUCM)

Polycom Recommended Best Security Practices for Unified Communications

RealPresence Resource Manager System

Polycom Unified Communications Deployment Guide for Microsoft Environments

Supporting the Calendar, Instant Messaging, and Presence Features on Polycom Phones

A POLYCOM WHITEPAPER Polycom. Recommended Best Security Practices for Unified Communications

Polycom RealPresence Access Director System

How to Provision a Polycom Phone

Deployment Guide for the Polycom SoundStructure VoIP Interface for Cisco Unified Communications Manager (SIP)

Polycom Unified Communications Deployment Guide for Cisco Environments

Polycom RealPresence Access Director System

Using Feature Synchronized Automatic Call Distribution with Polycom Phones

Polycom Unified Communications in RealPresence Access Director System Environments

Broadcasting Audio Messages with Group Paging and Push-to-Talk

Polycom RSS 4000 / RealPresence Capture Server 1.6 and RealPresence Media Manager 6.6

Using Premium Automatic Call Distribution for Call Centers

WHITEPAPER. February A. RealPresence One. Product Definition and Licensing. Polycom, Inc. 0

How To Use A Presence Desktop On A Pc Or Mac Or Ipad (For A Non-Profit) For Free

Polycom Unified Communications Deployment Guide for Microsoft Environments

Information on Syslog For more information on syslog, see RFC Released: December 2006 Interoperability issues: None. Table 1: Syslog at a Glance

Level 1 Technical. Polycom Voice. Contents

Polycom Unified Communications Deployment Guide for Cisco Environments

Customizing the Display Background on Polycom VVX Business Media Phones

Broadcasting Audio Messages with Group Paging and Push-to-Talk

Unified Communications in RealPresence Access Director System Environments

RealPresence Platform: Installation, Configuration and Troubleshooting - RPIIT202

Configuring Optional Re-Registration on Failover Behavior

Service Manager and the Heartbleed Vulnerability (CVE )

Polycom RealPresence Content Sharing Suite

Accessibility Features on Polycom Phones

Polycom Visual Communication Solutions

RealPresence Resource Manager System

Provisioning with the Master Configuration File

Engineering Advisory Power Consumption and Management on Polycom Phones

Polycom recommends that all legacy phones be updated to the most recent patch of their last supported SIP and BootROM software versions.

RealPresence Platform Director

Polycom RealPresence DMA 7000 System, Virtual Edition

Polycom Unified Communications for Microsoft Environments

Polycom RealPresence Content Sharing Suite

Polycom Unified Communications Deployment Guide for Microsoft Environments

Polycom Unified Communications Deployment Guide for Cisco Environments

Polycom RealPresence Content Sharing Suite

Getting Started Guide Polycom RealPresence Resource Manager System, Appliance Edition

Using Polycom VVX Business Media Phones with Microsoft Lync Server 2013

PortSIP Encryption Relay Server Deployment Guide

Update Configuration. Reboot Phone To upload files to assist in diagnostics, you can choose:

Polycom Visual Communications Architecture and Design Guide

PIM Benefits in Global Channel Sales- Based Model

Dell One Identity Cloud Access Manager How to Configure vworkspace Integration

Polycom RealPresence Desktop for Windows

APPENDIX C TO DIR-SDD-1466 VERIZON PRICE LIST

Polycom VMC 1000 Appliance Akamai CDN Integration Guide

Polycom RealPresence DMA 7000 System, Virtual Edition

Polycom Visual Communication Solutions

Polycom VVX 300, 310, 400 and 410 Business Media Phone

Polycom Visual Communications Architecture and Design Guide

IP Ports and Protocols used by H.323 Devices

Technical Bulletin 11572

Installing Software and Options for Polycom HDX Systems and Accessories. Overview. Polycom HDX System and Options. Polycom Touch Control

Polycom Solutions for Microsoft UC Environments. Polycom, Inc. All rights reserved.

INSTANT MESSAGING SECURITY

Dell One Identity Cloud Access Manager How to Configure for High Availability

Dell One Identity Cloud Access Manager How to Configure Microsoft Office 365

Deployment Guide for Maximum Security Environments Polycom HDX Systems, Version 3.0.5

Dell One Identity Cloud Access Manager How To Deploy Cloud Access Manager in a Virtual Private Cloud

Polycom RealPresence Desktop v3.1

Polycom Unified Communications Deployment Guide for UNIFY OpenScape Environments

Installing Software and Options for Polycom HDX Systems and Accessories

A POLYCOM WHITEPAPER Polycom and BroadSoft Help Service Providers Move from Hosted Voice to Cloud-Based Unified Communication Services

Polycom Visual Communication Solutions

Polycom Unified Communications Deployment Guide for Avaya Aura Environments

Using custom certificates with Spectralink 8400 Series Handsets

Technical Bulletin 18292

A POLYCOM WHITEPAPER Polycom Enhances Its Portfolio with Support of the Telepresence Interoperability Protocol (TIP)

How To Pass Polycom Cvvv

How to Install SSL Certificates on Microsoft Servers

Polycom Trade-in Flyer

Dell One Identity Cloud Access Manager How to Configure for SSO to SAP NetWeaver using SAML 2.0

SIP Security Controllers. Product Overview

A Detailed Guide of Polycom Video, Voice, and Infrastructure Products and Solutions

Polycom Video Edge (PVE ) 1000 Administrator Guide

Auto-Answer Configuration for Polycom HDX Systems

Transcription:

SECURITY BULLETIN CVE-2014-0160 Version 1.12 Security Advisory Relating to OpenSSL Vulnerability Heartbleed on Various Polycom Products DATE PUBLISHED: This information applies to all Polycom products using OpenSSL versions 1.0.1 through 1.01f. Please remember that this bulletin is being updated on a regular basis to address new information regarding vulnerabilities and new fixes. This bulletin is versioned and time stamped. The newest version will always be located at this URL: http://www.polycom.com/content/dam/polycom/common/documents/brochures/heartbleedsecurity-advisory-enus.pdf Vulnerability Summary A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension. Details Through exploiting the heartbeat feature in OpenSSL versions 1.0.1 through 1.0.1f, an attacker can capture memory from the host 64k at a time. Successive 64k sections of memory can be captured until the attacker has captured the desired data. This could include, at worst case, a copy of the server s private key. This exploit is consistent with CVE: 2014-0160 Systems Affected At this time, a list of Polycom products, their versions, and vulnerability status is outlined in the table below. This bulletin will be updated periodically until all known vulnerable Polycom systems are fixed or properly mitigated. NOTE: Any dates listed in the table below are ESTIMATES. These dates are subject to change, for better or worse, as new information becomes available to the teams in charge of each product. Vulnerability status may be subject to change pending new information.

Comprehensive Vulnerability Assessment of Polycom Products (4 Parts) Product Name Version Vulnerable Notes and/or FIX/FIXED Dates Management Applications CMA All Not Vulnerable RealPresence Distributed Media Application (DMA) All Not Vulnerable RealPresence Resource Manager (RPRM) All Not Vulnerable RealPresence Video DualManager 400 (RPDM) All Not Vulnerable RealPresence Platform Suite (SoftRPP) All Not Vulnerable Telepresence Rooms VSX Series All Not Vulnerable HDX Series HDX 3.0.x and Older Versions Not Vulnerable HDX 3.1.x and Greater Vulnerable FIXED in version 3.1.3.2 HDX 3.1.3.2 Not Vulnerable Fixes Earlier 3.x Vulnerable Versions - NOT currently recommended for CMS/Halo QDX 6000 All Not Vulnerable RealPresence Group Series All Versions Vulnerable See below. 4.1.3.2 fixes all 4.1 versions. 4.0.2.2 fixes all 4.0 versions RealPresence Group Series 4.0.2.2 Not Vulnerable Fixes all 4.0 versions RealPresence Group Series 4.1.3.2 Not Vulnerable Fixes all 4.1 versions Unified Conference & Collaboration Stations CX5000, CX5100, CX5500, CX7000, CX8000 All Not Vulnerable

Product Name Version Vulnerable Notes and/or FIX/FIXED Dates Immersive Telepresence ITP with HDX (ATX, OTX, RPX, TPX) - See HDX Section for Any Fixes ITP 2.7.1 Not Vulnerable Uses HDX 2.6.1.3_itp271-5267 ITP 3.0.1 Not Vulnerable Uses HDX 3.0.1-10628 ITP 3.0.2 Not Vulnerable Uses HDX 3.0.2-11176 ITP 3.0.3 Not Vulnerable Uses HDX 3.0.3-14451 ITP 3.0.5 Not Vulnerable Uses HDX 3.0.5-22695 ITP 3.1 Vulnerable Fixed by HDX 3.1.3.2 ITP 3.1.2 Vulnerable Fixed by HDX 3.1.3.2 ITP 3.1.3 Vulnerable Fixed by HDX 3.1.3.2 ITP with Group Series (Immersive Studio) - See Group Series Section for Any Fixes RPIS 4.1.2 Vulnerable Fixed by Group Series 4.1.3.2 RPIS 4.1.3 Vulnerable Fixed by Group Series 4.1.3.2 CMS/Halo All Vulnerable HDX and RMX are the only vulnerable components. Desktop & Mobile Video Conferencing RealPresence Desktop All Versions Not Vulnerable RealPresence Mobile All Versions Not Vulnerable CMA Desktop All Versions Not Vulnerable Collaboration Servers RealPresence Collaboration Server 1500, 1800, 2000 and 4000 (RMX) RMX All Versions Prior to 8.1 Not Vulnerable RMX 8.1.4.x Vulnerable Fixed with Hotfix 8.1.7.37.022.543.002 RMX 8.1.7.x Vulnerable Fixed with Hotfix 8.1.7.37.022.543.002 RMX 8.2.x Vulnerable Fixed with Hotfix 8.2.0.85.13.544.002 RMX 8.3.x Vulnerable NEW 8.3.0.246 fix REPLACES8.3.0.245.477.003 RMX 8.2.0.85.13.544.002 Not Vulnerable Fixes 8.2.x RMX 8.3.0.245.477.003 (Hotfix) Not Vulnerable EXPIRED Fix for 8.3.x RMX 8.3.0.246 Not Vulnerable Fix for 8.3x MGC-25, MGC-50, MGC-100 All Not Vulnerable RealPresence Collaboration Server, Virtual Edition (SoftMCU) 8.3.x Not Vulnerable S4GW Serial Gateway for RMX All Not Vulnerable

Product Name Version Vulnerable Notes and/or FIX/FIXED Dates Media Capture & Sharing Recording and Streaming Server (RSS) 4000 All Versions Not Vulnerable Recording and Streaming Server (RSS) 2000 All Versions Not Vulnerable RealPresence Capture Server All Versions Not Vulnerable RealPresence Capture Station Pro All Not Vulnerable RealPresence Capture Station Portable Pro All Not Vulnerable RealPresence Media Manager All Not Vulnerable Media Editor All Not Vulnerable CSS Client All Versions Not Vulnerable CSS Server All Versions Not Vulnerable Firewall Traversal & Security Video Border Proxy (VBP) E & ST Series VBP 11.1.x Not Vulnerable VBP 11.2.11 - Hotfix Not Vulnerable VBP 11.2.12 - GA Vulnerable FIXED with version 11.2.17 VBP 11.2.16 - GA Vulnerable FIXED with version 11.2.17 VBP 11.2.17 Not Vulnerable Fixes Earlier Vulnerable Versions RealPresence Access Director (RPAD) All Versions Not Vulnerable CloudAXIS CloudAXIS MEA (Web experience portal) All Versions Not Vulnerable CloudAXIS WSP (Web service portal) All Versions Not Vulnerable RealPresence Platform Director All Versions Not Vulnerable

Product Name Version Vulnerable Notes and/or FIX/FIXED Dates Desktop Video & Voice Solutions Soundpoint, Soundstation, SoundStructure, VVX SoundPoint, SoundStation, VVX and SoundStructure (VoIP Interface) Families All versions 4.0.x Not Vulnerable SoundPoint, SoundStation, VVX Families UCS 3.3.0.1098 rts35 - UCS 3.3.4.0085 rts6 Not Vulnerable SoundPoint, SoundStation, VVX Families SIP 3.2.0 rts44 - SIP 3.2.7.0198 rts10 Not Vulnerable SoundPoint, SoundStation, and SoundStructure (VoIP Interface) Families VVX and SoundStructure (VoIP Interface) Families UCS 4.1.0.84959 rts42 I - UCS 4.1.6.4835 rts50 UCS 4.1.3.7864 rts21g - UCS 5.0.1.7396 rts56 Q Vulnerable & FIXED Vulnerable & FIXED UCS 4.1.6 patch FIX delivered; UCS 5.0.2 patch FIX delivered; UCS 4.1.0 patch FIX delivered; UCS 5.1.0 patch delivered; UCS 4.1.7 patch delivered UCS 4.1.6 patch FIX delivered; UCS 5.0.2 patch FIX delivered; UCS 4.1.0 patch FIX delivered; UCS 5.1.0 patch delivered; UCS 4.1.7 patch delivered Zero Touch Provisioning Solution - ZTP (User Portal) N/A Not Vulnerable FIXED as of April 11, 2014 Unified Conference & Collaboration Stations CX100, CX300, CX500, CX600, CX3000 All Not Vulnerable Accessories TouchControl (PTC) All Not Vulnerable People + Content IP (PPCIP) All Not Vulnerable Mitigation At this time, many affected products have older versions to which you can temporarily regress (install older version). If you can temporarily run an older product version, this is recommended. For some products, mitigations exist solely in the realm of controlling the presence of encrypted traffic on any system that uses a vulnerable version of OpenSSL. Basic suggestions at this time are to: 1. Place the Polycom product behind a firewall whenever possible, such that outsiders do not have access to ports used by OpenSSL on the device (usually only HTTPS, but sometimes other protocols that use TLS such as secure LDAP or secure SIP are involved). 2. Turn off any services that use OpenSSL (if relevant) if at all possible. When new fixes become available, new certificates can be issued for your system, thus occluding any knowledge an attacker might have gained with regards to your old encryption certificates or keys. For the voice products currently listed as vulnerable, a mitigation specific to these products is available: Set your httpd.enabled flag to = 0 (zero). This disables web access of all kinds, and blocks known heartbeat vectors into the system. Note that Polycom s Product Security Office is working rapidly and efficiently to assist product teams in delivering fixes in as rapid a manner as possible.

Solution As fixes become available for a given product, that information will appear in this bulletin in subsequent releases. Polycom will continue updating this bulletin until all fixes are in place. Polycom recommends that users of any Polycom product listed in the table above as being vulnerable update to the FIXED version of their product as soon as such a version becomes available. CVSS v2 Base Metrics: To assist our customers in the evaluation of this vulnerability; Polycom leverages the Common Vulnerability Scoring System (CVSS). This system provides an open framework for communicating the characteristics and impacts of information technology vulnerabilities that better enable our customers to make informed decisions and assess the impact on their environment. Base CVSS v2 Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) Access Vector Access Authentication Confidentiality Integrity Impact Availability Complexity Impact Impact Network Low None Partial None None Severity: High Rating Critical High Medium Low Definition A vulnerability, which, if exploited would allow malicious code to execute, potentially without a user being aware. A vulnerability, which, if exploited could impact the confidentiality, integrity, or availability of data, or of the integrity or availability of resources. A vulnerability that is limited to a significant degree by factors such as default configuration, auditing, or is difficult to exploit. A vulnerability that has minimal impact to the system and is extremely difficult to exploit.

Contact Any customer using an affected system who is concerned about this vulnerability within their deployment should contact Polycom Technical Support either call 1-800-POLYCOM or visit: http://support.polycom.com/polycomservice/support/us/support/documentation/security_center.html for the latest information. You might also find value in the high-level security guidance and security news located at: http://www.polycom.com/security Please remember that this bulletin is being updated on a regular basis to address new information regarding vulnerabilities and new fixes. This bulletin is versioned and time stamped. The newest version will always be located at this URL: http://www.polycom.com/content/dam/polycom/common/documents/brochures/heartbleedsecurity-advisory-enus.pdf Acknowledgment Polycom discovered this vulnerability through the CVE database. Revision History Security Bulletin CVE-2014-0160 Version 1.0 2014-04-09-15:20 Initial release with 90% complete list of products and their vulnerability status Version 1.1 2014-04-10-20:00 More detail for more products and first estimates for fix dates. Improved mitigation detail. Version 1.2 Version 1.3 Version 1.4 2014-04-14-12:21 2014-04-14-21:17 2014-04-15-07:24 More products, better detail, better listings for affected members of Soundpoint family Product list condensation ( versions older than ). HDX and Group Series fix date estimates published. Incorrect mitigation advice for RMX posted. More condensation and accuracy. Mitigation advice removed from RMX.

Version 1.5 Version 1.6 2014-04-17-12:38 2014-04-18-10:27 RMX estimate for fix date, HDX fix date estimate moved in, mitigation for those members of Soundpoint family affected Added UCS fix dates for the affected VVX, Soundstation, Soundstructure systems. Added new language at the top and bottom of the document remding that it is a living doc, updates of which can be found on Polycom s website Version 1.7 2014-04-22-21:47 New formatting, fix announcements for HDX and RMX, condensed table format Version 1.8 2014-04-26-06:07 Group Series fix announced. More detail for RMX fixes for older versions. Added PPCIP. Note about ITP and HDX fix. Changed dates on UCS phones. Version 1.9 2014-04-28-13:19 Clarification on HDX/ITP and HDX/CMS, Fixes for many of the UCS phones, CMS/Halo & S4GW added as their own items. Version 1.10 2014-05-06-05:13 RMX 8.2, Group Series 4.0, RPIS Version 1.11 2014-05-15-15:14 All RMX fixes finalized, RMX 8.3 fix replaced with new RMX 8.3 fix. One more set of phone fixes has arrived. Version 1.12 2014-06-05-12:15 Final version UCS 4.0.x clarified and UCS 4.1.7 listed as fixed 2013, Polycom, Inc. All rights reserved. Trademarks POLYCOM, the Polycom logo and all names and marks associated with Polycom and Polycom's products are trademarks and/or service marks of Polycom, Inc. and are registered and/or common law marks in the United States and various other countries. All other trademarks are property of their respective owners. No portion hereof may be reproduced or transmitted in any form or by any means, for any purpose other than the recipient's personal use, without the express written permission of Polycom. Disclaimer While Polycom uses reasonable efforts to include accurate and up-to-date information in this document, Polycom makes no warranties or representations as to its accuracy. Polycom assumes no liability or responsibility for any typographical errors, out of date information, or any errors or omissions in the content of this document. Polycom reserves the right to change or update this document at any time. Individuals are solely responsible for verifying that they have and are using the most recent Technical Bulletin.

Limitation of Liability Polycom and/or its respective suppliers make no representations about the suitability of the information contained in this document for any purpose. Information is provided "as is" without warranty of any kind and is subject to change without notice. The entire risk arising out of its use remains with the recipient. In no event shall Polycom and/or its respective suppliers be liable for any direct, consequential, incidental, special, punitive or other damages whatsoever (including without limitation, damages for loss of business profits, business interruption, or loss of business information), even if Polycom has been advised of the possibility of such damages.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information