Modern ICT infrastructures rely almost exclusively on IP-based communication, which is often encrypted with SSL/TLS via the OpenSSL library. As a leading supplier of Unified Communications software, C4B attaches great importance to security, consistently using modern encryption technologies and subjecting all of its products to intensive testing.
A few days ago, a serious security flaw, the Heartbleed bug (www.heartbleed.com), was detected in OpenSSL, the most popular encryption software available. SSL/TLS encryption is used for encrypted communication online and protects personal and company-critical information against unauthorised access in applications such as Web, e-mail, instant messaging, VPN (Virtual Private Network) and many more.
Companies should therefore urgently examine their encryption software. PBX systems based on Linux or Open Source in particular often use OpenSSL for encryption, so examination is strongly recommended here. Furthermore, the connection between the PBX and the TSP (TAPI service provider) can also be affected.
As a leading supplier of Unified Communications solutions, C4B reacted swiftly and examined all of its XPhone solutions. "Our company attaches a great deal of importance to security and consistently uses modern encryption technologies, so it goes without saying that we have subjected all of our products to intensive testing", said David Williams, Product Manager at C4B. "Access by XPhone clients to XPhone servers is safe as the server only uses Microsoft components for encrypted communication and not OpenSSL. And the Web sites supplied by the XPhone server are also safe as neither the Microsoft IIS nor the Web server deployed in the XPhone server uses OpenSSL", adds Williams.
This security flaw in the OpenSSL library allows the memory of affected systems to be read out over the Internet. This compromises the secret keys used for logging in to service providers and for encrypting data traffic, as well as user names, passwords and the actual contents of the system. Attackers are therefore able to eavesdrop on communication, steal data from services and users, obtain access to systems or log in as users to the corresponding services in order to abuse them.
Information on the affected OpenSSL versions and the countermeasures that can be taken can be found on the official Web site: www.openssl.org.