As of August 29, 2022, HP Inc. completed the acquisition of Poly. For HP product support, please visit the HP Customer Support site.
Vulnerability Summary
Vulnerabilities in OpenSSL could allow a remote attacker to expose sensitive data, inject data across sessions, or perform a denial of service.
Details
CVE 2014-0224 - SSL/TLS MITM vulnerability
An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server. The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.
CVE 2014-0221 - DTLS recursion flaw
By sending an invalid DTLS handshake to an OpenSSL DTLS client the code can be made to recurse eventually crashing in a DoS attack. Only applications using OpenSSL as a DTLS client are affected.
CVE 2014-0195 - DTLS invalid fragment vulnerability
A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server. Only applications using OpenSSL as a DTLS client or server affected.
CVE 2014-0198 - SSL_MODE_RELEASE_BUFFERS NULL pointer dereference
A flaw in the do_ssl3_write function can allow remote attackers to cause a denial of service via a NULL pointer dereference. This flaw only affects OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common.
CVE 2010-5298 - SSL_MODE_RELEASE_BUFFERS session injection or denial of service
A race condition in the ssl3_read_bytes function can allow remote attackers to inject data across sessions or cause a denial of service. This flaw only affects multithreaded applications using OpenSSL 1.0.0 and 1.0.1, where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common.
CVE 2014-3470 - Anonymous ECDH denial of service
OpenSSL TLS clients enabling anonymous ECDH cipher suites are subject to a denial-of-service attack.
CVE 2014-0076 - ECDSA NONCE side-channel recovery attack
The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack.
Published
Last Update: 3/4/2022
Initial Public Release: 6/13/2014
Advisory ID: PLYGN14-02
CVE ID: CVE-2014-0224
CVSS Score: 7.4
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE ID: CVE-2014-0221
CVSS Score: 4.3
CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:P
CVE ID: CVE-2014-0195
CVSS Score: 6.8
CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P
CVE ID: CVE-2014-0198
CVSS Score: 4.3
CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:P
CVE ID: CVE-2010-5298
CVSS Score: 4.0
CVSS:2.0/AV:N/AC:H/Au:N/C:N/I:P/A:P
CVE ID: CVE-2014-3470
CVSS Score: 4.3
CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:P
CVE ID: CVE-2014-0076
CVSS Score: 1.9
CVSS:2.0/AV:L/AC:M/Au:N/C:P/I:N/A:N
Product Affected
| Product | Status |
|---|---|
| RealPresence DistributedMedia Application (DMA) | Not vulnerable |
| RealPresence MediaManager | Not vulnerable |
| RealPresence CaptureStation | Not vulnerable |
| CSS Gateway | Not vulnerable |
| RealPresence ResourceManager (RPRM) | Not vulnerable |
| CMA | Not vulnerable |
| CX Video Products OtherThan CX5500 | Not vulnerable |
| RealPresence Mobile (RPM) | Fixed by version 3.2.1 |
| RealPresence Desktop (RPD) | Fixed by version 3.2.1 |
| M100 | Fixed by version 1.0.7 |
| CMAD | Fixed by version 5.2.6 |
| CSS | Fixed by version 1.3.1 |
| Group Series | Fixed by version 4.1.4 |
| Video Border Proxy (VBP) | Fixed by version 11.2.18 |
| RSS 4000 | Fixed by version 8.5.2 |
| Poly Touch Control(PTC) | Fixed by version 4.1.4 |
| HDX | Fixed by version 3.1.5 |
| VVX & SoundStructure | Fixed by version 5.1.2.1801 |
| SoundPoint &SoundStation | Fixed by version 4.0.7.2514 |
| Group Series & Poly Touch Control | Fixed by version 4.1.4 |
| CloudAXIS Edge Service& Edge Experience Portals | Fixed by version 1.6.1 |
| RSS 4000 | Fixed by version 8.5.2 |
| Capture Server | Fixed by version 1.7 |
| CX 5100/5500 | Fixed by version 1.1.1 |
| RPAD | Fixed by version 4.0.1 |
| CSS Server & Client | Fixed by version 1.3.1 |
| RMX 4000/2000/1500 | Fixed by version 8.4.1 |
| RMX 1800/CollaborationServer, Virtual Edition | Fixed by version 8.4.1 |
| Platform Director | Under investigation |
Solution
As fixes become available for a given product, that information will appear in this bulletin in subsequent releases. Polycom will continue updating this bulletin until all fixes are in place. Polycom recommends that users of any Polycom product listed in the table above as being vulnerable update to the “FIXED” version of their product as soon as such a version becomes available.
Workaround
Poly recommends that customers use the latest versions of OpenSSL clients (0.9.8za, 1.0.0m, and 1.0.1h) to protect against CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-3470, and CVE- 2014-0076.
In addition, Poly recommends that customers evaluate network access control lists, firewalls, and other network protections to ensure that they have been deployed in a manner that is consistent with security best practices. The risk presented by this potential vulnerability to Poly products, as well as other networked devices, may be mitigated by these controls. Customers should also ensure that Poly products have been configured as recommended by Poly implementation guides. Customers may wish to implement additional event monitoring and review until such time that an update is installed.
Contact
Any customer using an affected system who is concerned about this vulnerability within their deployment should contact Poly Technical Support – (888) 248-4143, (916) 928-7561, or visit the Poly Support Site.
RECOGNITION
Poly would like to thank Caleb Jaren and Brendan Saunders from Microsoft for reporting security vulnerabilities to us and for their coordinated disclosure.
Revision History
| VERSION | DATE | DESCRIPTION |
|---|---|---|
| 1.0 | 6/30/2014 | Initial release |
| 1.1 | 8/5/2014 | RPM, RPD, M100, CMAD, CSS, Group Series announced |
| 1.2 | 9/15/2014 | HDX announced |
| 2.0 | 10/1/2020 | Format changes |
©2022 Plantronics, Inc. All rights reserved.
Trademarks
Poly, the propeller design, and the Poly logo are trademarks of Plantronics, Inc. All other trademarks are property of their respective owners. No portion hereof may be reproduced or transmitted in any form or by any means, for any purpose other than the recipient's personal use, without the express written permission of Poly.
Disclaimer
While Poly uses reasonable efforts to include accurate and up-to-date information in this document, Poly makes no warranties or representations as to its accuracy. Poly assumes no liability or responsibility for any typographical errors, out of date information, or any errors or omissions in the content of this document. Poly reserves the right to change or update this document at any time. Individuals are solely responsible for verifying that they have and are using the most recent Technical Bulletin.
Limitation of Liability
Poly and/or its respective suppliers make no representations about the suitability of the information contained in this document for any purpose. Information is provided "as is" without warranty of any kind and is subject to change without notice. The entire risk arising out of its use remains with the recipient. In no event shall Poly and/or its respective suppliers be liable for any direct, consequential, incidental, special, punitive, or other damages whatsoever (including without limitation, damages for loss of business profits, business interruption, or loss of business information), even if Poly has been advised of the possibility of such damages.