Heartbleed Security Alert - How it Relates to Xorcom IP-PBX


Recently, a security flaw known as the "Heartbleed" bug and tracked as CVE-2014-0160 was announced in the OpenSSL software library.

Please be advised that Xorcom IP-PBX systems provided with the Elastix distribution, and those running CompletePBX v.3.x, are not vulnerable: they use earlier versions of CentOS (5.x and 6.2, respectively), which ship non-vulnerable versions of OpenSSL.

On the other hand, CompletePBX v.4.x is based on CentOS 6.5 and therefore does include the vulnerable OpenSSL v.1.0.1e. However, the default Xorcom CompletePBX configuration does not use any SSL services. If a Xorcom CompletePBX system has been modified to use SIP TLS or other SSL-based services, the system could be compromised: intercepted LAN traffic may be decoded.

CentOS released the following fixed OpenSSL packages on April 8th:

1.0.1e-16.el6_5.7

The packages can be updated by running the following command:

yum update openssl*

After that, the private SSL key and SSL certificates must be regenerated.

Note: If the services use user name and password transmissions that are not encrypted, then the user names and passwords must be changed. This is not relevant for SIP TLS.
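
To confirm that the update took effect, the installed package release can be compared with the fixed release named above. The script below is an added example, not Xorcom or CentOS code; the function names `release_ge` and `classify_openssl` are hypothetical, and the release comparison is a simplified stand-in for RPM's own ordering.

```shell
#!/bin/sh
# Added example (not Xorcom or CentOS code). Values come from the advisory.
FIXED_VERSION="1.0.1e"        # upstream version shipped by CentOS 6.5
FIXED_RELEASE="16.el6_5.7"    # package release that carries the fix

# release_ge A B: true if release A >= release B. Compares the numeric
# fields left to right; a simplification of RPM's own version ordering.
release_ge() {
    a=$(printf '%s' "$1" | tr -c '0-9' ' ')
    b=$(printf '%s' "$2" | tr -c '0-9' ' ')
    set -- $a
    for y in $b; do
        x=${1:-0}
        [ $# -gt 0 ] && shift
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# classify_openssl VERSION-RELEASE: prints fixed, vulnerable or out-of-scope.
# "openssl version" still reports 1.0.1e after the update because the fix is
# backported, so the decision has to be made on the package release.
classify_openssl() {
    ver=${1%%-*}
    rel=${1#*-}
    if [ "$ver" != "$FIXED_VERSION" ]; then
        echo "out-of-scope"      # not the 1.0.1e package this advisory covers
    elif release_ge "$rel" "$FIXED_RELEASE"; then
        echo "fixed"
    else
        echo "vulnerable"
    fi
}

# On a real system, classify every installed openssl package.
if command -v rpm >/dev/null 2>&1; then
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl 2>/dev/null) || installed=""
    for vr in $installed; do
        echo "openssl-$vr: $(classify_openssl "$vr")"
    done
fi
```

Services that were already running when the package was updated keep the old library loaded until they are restarted, so run the check and then restart the SSL-based services before regenerating keys.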

Please advise your clients immediately about this alert.



 

Copyright 2018 Digital Techniques Australia. All Rights Reserved.