Is ShoreTel affected by the Heartbleed bug? Yes: ShoreTel release 14.x and all versions of the VPN Concentrator are affected. In ShoreTel's words:
- All platforms of the VPN Concentrator are impacted by this Heartbleed bug.
ShoreTel HQ and DVS Server 14, 14.1 and 14.2 Software Builds
- Nginx is a binary used in the ShoreTel code for communications between the ShoreTel HQ / DVS Servers and the IP-400 Series Phones that is statically linked against the vulnerable OpenSSL version 1.0.1c. It exists on HQ and DVS servers, and OpenSSL is used internally for the IP-400 Series phones only. Currently it is an internal service, which limits our customers' exposure externally outside of local area networks. Releases prior to ShoreTel 14 do not use the Nginx binary and are not vulnerable.
To resolve ShoreTel's Heartbleed vulnerability on the VPN Concentrator, upgrade its firmware as soon as possible. The firmware download is here: http://support.shoretel.com/products/vpn_concentrator/
The ShoreTel UC Platform
On the UC platform the Heartbleed exposure is the Nginx service that the IP-400 series phones talk to on the Windows servers (HQ and DVSs). The only people who can take advantage of the vulnerability are users on your own LAN (assuming your firewall is keeping all internet users out!). Because it is a minor issue that can only be exploited by your own users, I don't see a huge need to panic.

If you do want to fix it, ShoreTel has applied the fix in ShoreTel 14.2 build 19.42.2008.0 and above. You will need to download that release from the support FTP site; the link is in this document: http://support.shoretel.com/alerts/downloads/2014-05-01.pdf. The download offered on the normal ShoreTel UC Platform page is still build 19.42.2005.0, which is still affected by this bug.
For more information on the Heartbleed bug in general, click on the logo below to be directed to the Heartbleed information site.
UPDATE [19/05/14]: Since ShoreTel upgraded their support website over the weekend of the 17th of May, the link to the ShoreTel document is no longer working, and the Heartbleed information seems to be missing from the support site along with the upgrade. As mentioned above, for the UC platform it is not really a huge vulnerability, and waiting for the next GA release should be fine.