BlackBerry response to OpenSSL “Heartbleed” vulnerability

Article ID: KB35882

Type:   BlackBerry Security Notice

First Published: 04-10-2014

Last Modified: 05-13-2014

Overview

Note: This Security Notice was updated as fixes became available. Now that all the fixes have been completed, this Security Notice has been replaced by a Security Advisory (KB35955 - BSRT-2014-005 Information disclosure vulnerability in OpenSSL affects BlackBerry products), which provides full details of publicly available software updates that address the issue. The information in this Notice is now outdated; please refer to the Security Advisory by visiting KB35955.


This security notice addresses the OpenSSL® vulnerability that was announced on April 7, 2014. BlackBerry® is continuing to investigate the Heartbleed vulnerability, is diligently working to resolve the related issues as quickly as possible, and is providing the findings and resolutions to help protect customers from this issue. We will continue to update this security notice as new information and fixes become available.

Who should read this notice?
  • BlackBerry smartphone and tablet users
  • BBM™ for iOS and Android users
  • Secure Work Space for iOS and Android™ users
  • IT administrators who deploy BlackBerry smartphones or tablets, BlackBerry Enterprise Server, BlackBerry Enterprise Service, or Secure Work Space for iOS and Android in an enterprise
More Information

Have any BlackBerry customers been subject to an attack that exploits this vulnerability?
BlackBerry is not aware of any attacks targeting BlackBerry customers using this vulnerability.

When will BlackBerry fix the BlackBerry products affected by the OpenSSL heartbeat extension read overflow vulnerability?
Most BlackBerry products, including BlackBerry Enterprise Service 10 versions earlier than 10.1.1, BlackBerry Enterprise Server 5, and BlackBerry smartphones, are not affected by the vulnerability and no fix is required. For those products that are still affected, we are diligently working to determine the full impact of the issue and confirm the best approach for protecting customers.

When will BlackBerry provide more updates about this issue?
BlackBerry may provide further updates as needed while our ongoing investigation continues. This notice is being updated as affected BlackBerry products are fixed.

Where can I read more about the security of BlackBerry products and solutions?
For more information on BlackBerry security, visit http://us.blackberry.com/business/topics/security.html and www.blackberry.com/bbsirt.

Affected Software
  • BBM for iOS earlier than version 2.1.1.64 (fix available)
  • BBM for Android earlier than version 2.1.1.53 (fix available)
  • Secure Work Space for iOS, versions as outlined: (fix available)
    • Work Connect earlier than version 1.0.10980.3
    • Work Browser earlier than version 1.1.10980.3
  • Secure Work Space for Android, versions as outlined: (fix available)
    • Work Space Manager earlier than version 23552_10
    • SWS for Android 2.3.7 earlier than version 23552_10-2.3.7
    • SWS for Android 4.0.4 earlier than version 23553_10-4.0.4
    • SWS for Android 4.4 earlier than version 23554_10-4.4
  • Universal Device Service component of BlackBerry Enterprise Service 10 version 10.1.1 and later (fix available)
  • BlackBerry Link for Windows
  • BlackBerry Link for Mac OS
Non-Affected Software
  • BBM for iOS version 2.1.1.64 and later
  • BBM for Android version 2.1.1.53 and later
  • Secure Work Space for iOS, versions as outlined:
    • Work Connect version 1.0.10980.3 and later
    • Work Browser version 1.1.10980.3 and later
  • Secure Work Space for Android, versions as outlined:
    • Work Space Manager version 23552_10 and later
    • SWS for Android 2.3.7 version 23552_10-2.3.7 and later
    • SWS for Android 4.0.4 version 23553_10-4.0.4 and later
    • SWS for Android 4.4 version 23554_10-4.4 and later
  • BlackBerry Device Service component of BlackBerry Enterprise Service 10
  • Universal Device Service component of BlackBerry Enterprise Service 10 earlier than version 10.1.1
  • BlackBerry Enterprise Server 5
  • BlackBerry Universal Device Server
  • BlackBerry® 10 OS
  • BlackBerry® 7.1 OS and earlier
  • BlackBerry® Infrastructure services
  • BBM for BlackBerry smartphones
  • BlackBerry® PlayBook™ tablet software
Are BlackBerry smartphones affected?
No.
Vulnerability Information

BlackBerry is currently investigating the customer impact of the recently announced OpenSSL vulnerability. A list of known affected and unaffected products is supplied in this notice, and may be updated as we complete our investigation.

The OpenSSL heartbeat extension read overflow is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows an attacker to steal the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. This issue was addressed in OpenSSL 1.0.1g and a fix is available for integration into affected BlackBerry products. The vulnerability is detailed in CVE-2014-0160.

Further investigation into affected products is ongoing, and BlackBerry is working to determine the full impact of the issue and confirm the best approach for protecting customers. As fixes become available, this notice will be updated.

Mitigations

Mitigations are existing conditions that a potential attacker would need to overcome to mount a successful attack or that would limit the severity of an attack. Examples of such conditions include default settings, common configurations and general best practices.

Universal Device Service component of BlackBerry Enterprise Service 10 (affected versions)
This vulnerability is mitigated by the requirement that an attacker would need to be on the same network with access to the Tomcat instance associated with the BlackBerry Work Connect Notification Service (BWCN), which is a component that handles message notifications for Secure Work Space for iOS. If the service is disabled or not reachable, the system is not vulnerable.

Secure Work Space (affected versions)
This vulnerability is mitigated by the connection architecture, in that the service only connects to a known and trusted end point.

BBM on Android (affected versions)
This vulnerability is mitigated by the connection architecture, in that the service only connects to a known and trusted end point.

BBM on iOS (affected versions)
This vulnerability is mitigated by the connection architecture, in that the service only connects to a known and trusted end point.

BlackBerry Link
This issue is mitigated for BlackBerry Link for Mac OS and BlackBerry Link for Windows because, in a typical business environment, these systems are not visible to the Internet and their external traffic passes through a proxy. This significantly raises the difficulty of exploiting these systems.

Workarounds

Workarounds are settings or configuration changes that a user or administrator can apply to help protect against an attack.

IT administrators running affected versions of the Universal Device Service component of BlackBerry Enterprise Service 10 can apply the Interim Security Update. Visit the software download page to download the Interim Security Update.

There are no workarounds for this vulnerability for affected versions of BBM on iOS and Android and Secure Work Space for iOS and Android. Updates are now available, and customers should update to the latest version.

BlackBerry Link customers can employ their firewall system to filter out heartbeat requests.

More Information

What is OpenSSL?
OpenSSL is an open-source implementation of the SSL and TLS protocols. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

What is the OpenSSL “Heartbleed” vulnerability?
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users. This issue was addressed in OpenSSL 1.0.1g.
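The Workarounds section above suggests filtering heartbeat requests at the firewall, and the paragraph above describes what the bug exposes. The following is an added example, not BlackBerry's code and not OpenSSL's, that shows the check OpenSSL 1.0.1g applies to heartbeat messages, written as a classifier a network filter could run over individual TLS records. The record layout follows RFC 6520 (content type 0x18, a one-byte message type, a two-byte payload length, then the payload and at least 16 bytes of padding); the sample records and all function names are constructed for illustration and are not taken from any BlackBerry product.

```python
import struct

TLS_CONTENT_TYPE_HEARTBEAT = 0x18
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding


def parse_tls_record(data: bytes):
    """Split one TLS record into (content_type, version, fragment).

    Returns None when the 5-byte header is truncated or the declared
    record length does not match the bytes actually present.
    """
    if len(data) < 5:
        return None
    content_type, version, length = struct.unpack("!BHH", data[:5])
    fragment = data[5:5 + length]
    if len(fragment) != length:
        return None
    return content_type, version, fragment


def classify_heartbeat(record: bytes) -> str:
    """Classify a TLS record the way the fixed OpenSSL heartbeat handler does.

    'not-heartbeat' : content type is not heartbeat (0x18); pass through
    'malformed'     : truncated, or the declared payload length plus the
                      minimum padding does not fit in the fragment; drop it
    'ok'            : well-formed heartbeat request or response
    """
    parsed = parse_tls_record(record)
    if parsed is None:
        return "malformed"
    content_type, _version, fragment = parsed
    if content_type != TLS_CONTENT_TYPE_HEARTBEAT:
        return "not-heartbeat"
    # A heartbeat fragment must hold at least type (1) + length (2) + padding (16).
    if len(fragment) < 1 + 2 + MIN_PADDING:
        return "malformed"
    hb_type = fragment[0]
    payload_length = struct.unpack("!H", fragment[1:3])[0]
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return "malformed"
    # The bounds check the vulnerable versions omitted: the length the
    # sender declares must fit inside the bytes the sender actually sent.
    if 1 + 2 + payload_length + MIN_PADDING > len(fragment):
        return "malformed"
    return "ok"


def filter_records(records):
    """Return only the records a heartbeat-aware filter would let through."""
    return [r for r in records if classify_heartbeat(r) != "malformed"]


# Constructed sample: a well-formed heartbeat request with a 4-byte payload.
# Header: heartbeat (0x18), TLS 1.0 (0x0301), fragment length 23 = 1 + 2 + 4 + 16.
SAMPLE_OK = bytes([0x18, 0x03, 0x01, 0x00, 0x17,
                   0x01, 0x00, 0x04]) + b"ping" + bytes(16)

# Constructed sample: header says the fragment is 19 bytes, but the heartbeat's
# own payload_length field claims 0x4000 bytes. A fixed parser discards it.
SAMPLE_MISMATCH = bytes([0x18, 0x03, 0x01, 0x00, 0x13,
                         0x01, 0x40, 0x00]) + bytes(16)

# Constructed sample: an application-data record (0x17); not a heartbeat.
SAMPLE_APPDATA = bytes([0x17, 0x03, 0x01, 0x00, 0x03]) + b"abc"

if __name__ == "__main__":
    for name, rec in [("ok", SAMPLE_OK), ("mismatch", SAMPLE_MISMATCH),
                      ("appdata", SAMPLE_APPDATA)]:
        print(f"{name:9s} -> {classify_heartbeat(rec)}")
```

The classifier works on one complete TLS record at a time, so a filter built on it must first reassemble records from the TCP stream; it also cannot see heartbeats sent after the handshake completes when the record layer is encrypted, which is why the vendor-supplied updates listed above, rather than network filtering, are the fix for the affected products.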

Change Log

04-10-2014

Initial publication.

04-10-2014

Changes made:

  • Updated Overview and Vulnerability Information to reflect that BlackBerry Infrastructure services and BlackBerry PlayBook tablet software are not affected
  • Updated Who should read this notice to include BlackBerry PlayBook users
  • Added BlackBerry Infrastructure services and BlackBerry PlayBook tablet software to unaffected products list
  • Updated mitigations for Secure Work Space and BBM for iOS and Android

04-21-2014

Changes made:

  • Added affected and non-affected versions for Universal Device Service component of BlackBerry Enterprise Service 10.
  • Added fixed versions of Secure Work Space for iOS and Android and BBM for iOS and Android to Non-Affected Software
  • Added version information for Secure Work Space for iOS and Android and BBM for iOS and Android in Affected Software
  • Updated Workarounds and Mitigations:
    • added instructions for applying the fix to Universal Device Service version 10.1.1 and later to Workarounds
    • added mitigations for affected Universal Device Service versions
    • specified that they apply only to affected versions of Secure Work Space for iOS and Android and BBM for iOS and Android

Disclaimer

By downloading, accessing or otherwise using the Knowledge Base documents you agree:

   (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and

   (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.


Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.