
Alcatel-Lucent Security Advisory No. SA0050 Ed. 03
Information about OpenSSL Security Fixes
Summary
Seven vulnerabilities have been reported in the popular OpenSSL cryptographic software library, and security
fixes were released by the OpenSSL project on June 5th, 2014.
Alcatel-Lucent Enterprise voice products using affected versions of OpenSSL 0.9.8, 1.0.0 and 1.0.1 are
concerned by this security alert.
Please note that no public exploit has been disclosed.

Information about SSL/TLS MITM vulnerability (CVE-2014-0224).

This weakness allows a man-in-the-middle attacker to decrypt and alter traffic between the SSL/TLS client
and server.

Information about DTLS recursion flaw (CVE-2014-0221).

This weakness allows a remote attacker to cause a denial of service by sending an invalid DTLS handshake to
a DTLS client.

Information about DTLS invalid fragment vulnerability (CVE-2014-0195).

This weakness allows a remote attacker to cause a denial of service by sending invalid DTLS fragments to a
DTLS client or server.

Information about SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198).

This weakness allows a remote attacker to cause a denial of service via a NULL pointer dereference.

Information about SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298).

This weakness allows a remote attacker to inject data across sessions or to cause a denial of service.

Information about Anonymous ECDH denial of service (CVE-2014-3470).

This weakness allows a remote attacker to cause a denial of service when SSL/TLS clients enable anonymous
ECDH ciphersuites.

Information about other issues (CVE-2014-0076).

This weakness allows a remote attacker to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel
attack.

This note is for informational purposes about the vulnerabilities in OpenSSL.

References
OpenSSL Security Advisory
http://www.openssl.org/news/secadv_20140605.txt

Advisory severity
CVSS Base score: 6.8 - AV:N/AC:M/Au:N/C:C/I:N/A:N

CVE number:

CVE-2014-0076
    CVSS Base score: 6.8 - AV:N/AC:M/Au:N/C:C/I:N/A:N

CVE-2014-0195
    CVSS Base score: 6.8 - AV:N/AC:M/Au:N/C:C/I:N/A:N

CVE-2014-0198
    CVSS Base score: 4.3 - AV:N/AC:M/Au:N/C:C/I:N/A:N

CVE-2014-0221
    CVSS Base score: 4.3 - AV:N/AC:M/Au:N/C:C/I:N/A:N

CVE-2014-0224
    CVSS Base score: 6.8 - AV:N/AC:M/Au:N/C:C/I:N/A:N

CVE-2014-3470
    CVSS Base score: 4.3 - AV:N/AC:M/Au:N/C:C/I:N/A:N

CVE-2010-5298
    CVSS Base score: 4.0 - AV:N/AC:M/Au:N/C:C/I:N/A:N

Description of the vulnerabilities

Information about SSL/TLS MITM vulnerability (CVE-2014-0224).

This weakness allows a man-in-the-middle attacker to decrypt and alter traffic between the SSL/TLS client
and server.
OpenSSL 0.9.8 SSL/TLS clients and/or servers should upgrade to 0.9.8za.
OpenSSL 1.0.0 SSL/TLS clients and/or servers should upgrade to 1.0.0m.
OpenSSL 1.0.1 SSL/TLS clients and/or servers should upgrade to 1.0.1h.

Information about DTLS recursion flaw (CVE-2014-0221).

This weakness allows a remote attacker to cause a denial of service by sending an invalid DTLS handshake to
a DTLS client.
OpenSSL 0.9.8 DTLS clients should upgrade to 0.9.8za.
OpenSSL 1.0.0 DTLS clients should upgrade to 1.0.0m.
OpenSSL 1.0.1 DTLS clients should upgrade to 1.0.1h.

Information about DTLS invalid fragment vulnerability (CVE-2014-0195).

This weakness allows a remote attacker to cause a denial of service by sending invalid DTLS fragments to a
DTLS client or server.
OpenSSL 0.9.8 DTLS clients and/or servers should upgrade to 0.9.8za.
OpenSSL 1.0.0 DTLS clients and/or servers should upgrade to 1.0.0m.
OpenSSL 1.0.1 DTLS clients and/or servers should upgrade to 1.0.1h.

Information about SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198).

This weakness allows a remote attacker to cause a denial of service via a NULL pointer dereference.
OpenSSL 1.0.0 users should upgrade to 1.0.0m.
OpenSSL 1.0.1 users should upgrade to 1.0.1h.

Information about SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298).

This weakness allows a remote attacker to inject data across sessions or to cause a denial of service.
OpenSSL 1.0.0 users should upgrade to 1.0.0m.
OpenSSL 1.0.1 users should upgrade to 1.0.1h.

Information about Anonymous ECDH denial of service (CVE-2014-3470).

This weakness allows a remote attacker to cause a denial of service when SSL/TLS clients enable anonymous
ECDH ciphersuites.
OpenSSL 0.9.8 TLS clients should upgrade to 0.9.8za.
OpenSSL 1.0.0 TLS clients should upgrade to 1.0.0m.
OpenSSL 1.0.1 TLS clients should upgrade to 1.0.1h.

Information about other issues (CVE-2014-0076).

This weakness allows a remote attacker to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel
attack.
Fixed in OpenSSL 0.9.8za / OpenSSL 1.0.0m / OpenSSL 1.0.1g
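
A version check built from the fixed releases listed above, as an added example that is not part of the original advisory. The function names and the sample version banners are assumptions; the check reports only that a release is older than the listed fix, not that a given deployment uses the affected feature (DTLS, SSL_MODE_RELEASE_BUFFERS, anonymous ECDH).

```python
import re

# Letter suffix of the first fixed release per branch, as listed in the advisory.
ALL_BRANCHES = {"0.9.8": "za", "1.0.0": "m", "1.0.1": "h"}
NO_098 = {"1.0.0": "m", "1.0.1": "h"}  # advisory lists no 0.9.8 fix for these
FIXED = {
    "CVE-2014-0224": ALL_BRANCHES,
    "CVE-2014-0221": ALL_BRANCHES,
    "CVE-2014-0195": ALL_BRANCHES,
    "CVE-2014-3470": ALL_BRANCHES,
    "CVE-2014-0198": NO_098,
    "CVE-2010-5298": NO_098,
    "CVE-2014-0076": {"0.9.8": "za", "1.0.0": "m", "1.0.1": "g"},
}

# Branch such as "1.0.1" plus an optional letter suffix; rejects "1.0.1beta1".
VERSION_RE = re.compile(r"\b(\d+\.\d+\.\d+)([a-z]{0,2})(?![a-z])")


def suffix_key(suffix):
    """Order OpenSSL letter suffixes: '' < 'a' < ... < 'z' < 'za' < 'zb'."""
    return (len(suffix), suffix)


def parse_version(banner):
    """Return (branch, suffix) from a banner such as 'OpenSSL 1.0.1e-fips'."""
    match = VERSION_RE.search(banner)
    if match is None:
        raise ValueError("no OpenSSL release number in %r" % banner)
    return match.group(1), match.group(2)


def unfixed_cves(banner):
    """CVEs whose listed fix is newer than the release in `banner`.

    Branches the advisory does not list (for example 1.0.2) return [].
    """
    branch, suffix = parse_version(banner)
    return sorted(
        cve for cve, fixed in FIXED.items()
        if branch in fixed and suffix_key(suffix) < suffix_key(fixed[branch])
    )


if __name__ == "__main__":
    # Constructed sample banners, not taken from any product in the advisory.
    for banner in ("OpenSSL 0.9.8y", "OpenSSL 1.0.1e-fips", "OpenSSL 1.0.1g", "OpenSSL 1.0.1h"):
        print(banner, "->", unfixed_cves(banner) or "at or above listed fixes")
```

Distribution packages often backport fixes without changing the upstream version string, so a hit from this check is a prompt to read the package changelog rather than proof that the fix is missing.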

Alcatel-Lucent Enterprise voice products using affected versions of OpenSSL 0.9.8, 1.0.0 and 1.0.1 are
concerned by this security alert.
Please note that no public exploit has been disclosed.

Status on Alcatel-Lucent Enterprise products


Products affected by the OpenSSL updates:

Alcatel-Lucent 8 Series IP Touch Phones             Up to 4.33.20
Alcatel-Lucent Premium Deskphones                   R100
8002/8012 Deskphone                                 Up to R110
OmniTouch 8082 My IC Phone                          Up to R300
OpenTouch Connection                                Up to 2.0.440.002
OpenTouch Conversation                              Up to 2.0.044.006
OpenTouch Edge Server                               Up to 2.0
OmniTouch 8460 Advanced Communications Server       9.1
    Note: concerns only standalone installation
OmniTouch 8660 My Teamwork Unified Messaging        6.7
OmniTouch 8670 Automated Message Delivery System    6.7
Omnivista 4760 Network Management system            Up to 5.x
Omnivista 8770 Network Management system            Up to 2.0
VitalSuite Performance Management                   From 12.0 to 12.5 (inclusive)
    Note: concerns only standalone installation
OpenTouch Business Edition                          Up to 2.0
OpenTouch Multimedia Services                       Up to 2.0
OpenTouch Session Border Controller                 Up to 2.0
OmniTouch Contact Center Standard Edition           Up to 10.0
OmniTouch 8400 Instant Communications Suite         Up to 6.x
IP Touch Security Solution                          Up to R11.0
    Note: concerns only SIP-TLS

Products NOT affected by the OpenSSL updates:

OmniPCX Enterprise Communication Server             Up to 11.x
    Note: does not include IP Touch Security Solution
OmniPCX Office Rich Communication Edition           Up to 9.2
OmniTouch 8460 Advanced Communications Server       9.2
Genesys Compact Edition                             Up to 1.1
VitalQIP                                            Up to 7.2
OpenTouch Conversation Web                          No OpenSSL package

Solution for affected products


Fixed Software Versions/Patches

Alcatel-Lucent 8 Series IP Touch Phones
    Engineering fixes are not yet available.

Alcatel-Lucent Premium Deskphones
    Engineering fixes are not yet available.

8002/8012 Deskphone
    Engineering fixes are not yet available.

OmniTouch 8082 My IC Phone
    Engineering fixes are not yet available.

OpenTouch Connection
    Engineering fixes for release OT 2.0.2 (build) will be available in August, 2014.

OpenTouch Conversation
    Engineering fixes for release OT 2.0.2 (build 2.0.201.000) will be available in August, 2014.

OpenTouch Edge Server
    Engineering fixes for
    - release 1.3.000.090 (hotfix) and 1.3.000.091 have been available since August 1st, 2014
    - release 2.0.2 will be available in mid-November 2014

OmniTouch 8460 Advanced Communications Server
    Engineering fixes for release 9.1 (build ACS9.1.0b7051) have been available since July 18th, 2014.

OmniTouch 8660 My Teamwork Unified Messaging
    Engineering fixes for release 6.7 (build ACS9.1.0b7051) have been available since July 18th, 2014.

OmniTouch 8670 Automated Message Delivery System
    Engineering fixes for release 6.7 (build ACS9.1.0b7051) have been available since July 18th, 2014.

Omnivista 4760 Network Management system
    No corrections due to phase-out.

Omnivista 8770 Network Management system
    No corrections for 8770 R1.3 due to phase-out in October 2014.
    Engineering fixes for 8770 release 2.0.16 will be available in October 2014.

VitalSuite Performance Management
    Note: concerns only standalone installation
    Engineering fixes for releases from 12.0 to 12.5 (inclusive) have been available since June 13th, 2014.

OpenTouch Business Edition
OpenTouch Multimedia Services
    No corrections for 1.1.000.091 and 1.2.000.054 because OT 1.1 and OT 1.2 are phased out.
    Engineering fixes for
    - release 1.3.000.090 (hotfix) and 1.3.000.091 have been available since August 1st, 2014
    - release 2.0.2 will be available in mid-November 2014

OpenTouch Session Border Controller
    Engineering fixes for OTSBC 2.0 (build 6.8A.234.004) have been available since August 8th, 2014.

OmniTouch Contact Center Standard Edition
    Engineering fixes for CCA release 10.2.8.0 will be available in October 2014.
    Engineering fixes, included in OT release 2.1, will be available in Q1 2015.

OmniTouch 8400 Instant Communications Suite
    Engineering fixes for release 6.7.400.200.d will be available at the end of September 2014.

IP Touch Security Solution
    Engineering fixes for
    - release 10.1.1 MD8 (J2.603.35) will be available on December 19th, 2014
    - release 11.0.1 MD3 (K1.520.34) will be available on January 2nd, 2015
    - release 11.1 MD1 (L1) will be available on January 12th, 2015

OmniTouch 8450 Fax Software
    Engineering fixes for release OFS 7.5.2 will be available in Q1 2015.
    Will also be included in OT release 2.1 in Q1 2015.

MyIC PC
    Engineering fixes for 5.2.040.003, included in OT releases 1.3.000.090 (hotfix) and 1.3.000.091,
    have been available since August 1st, 2014.

VitalQIP
    Although not affected, as a precautionary measure, OpenSSL will be upgraded to 1.0.1h
    - VitalQIP 8.0 Patch Release 3
    - VitalQIP 7.3 Patch Release 4

Software patches are available on the Alcatel-Lucent Enterprise Business Portal:
https://businessportal.alcatel-lucent.com

History
Ed.01 (2014 June 11th) : Vulnerability Information Creation
Ed.02 (2014 July 21st) : Release updates
Ed.03 (2014 September 29th) : Release updates
