BSRT-2014-005 Information disclosure vulnerability in OpenSSL affects BlackBerry products

Article ID: KB35955

Type:   BlackBerry Security Advisory

First Published: 05-13-2014

Last Modified: 05-13-2014

 

Product(s) Affected:

  • BBM for Android
  • BBM for iPhone
  • BlackBerry Enterprise Service 10
  • BES10 Client for iOS
  • BES10 Client for Android
  • BlackBerry Link for Windows
  • BlackBerry Link for Mac

Overview

Note: KB35955 was previously published as a Security Notice (KB35882), which addressed the OpenSSL® “Heartbleed” vulnerability that was announced on April 7, 2014. The Security Notice was updated as fixes became available. Now that all the fixes have been completed, this Security Advisory replaces the Security Notice and provides full details of publicly available software updates that address the issue. To review the related Security Notice, visit KB35882.

This advisory addresses an OpenSSL information disclosure vulnerability that is not currently being exploited on BlackBerry® products but affects BBM™ for Android™ and iPhone®, Secure Work Space for iOS and Android™, BlackBerry® Enterprise Service 10, and BlackBerry® Link customers. BlackBerry customer risk is limited in all cases by the requirement that an attacker first gain access to an affected product in order to then mount a successful attack. Additionally, for BBM for Android and iPhone, Secure Work Space, and BlackBerry Link, customer risk is also limited by the need for an attacker to successfully complete a man-in-the-middle attack that is capable of spoofing IP addresses. Successful exploitation requires an attacker to send a malformed request for a heartbeat reply to an SSL endpoint that is running a vulnerable version of OpenSSL. If the requirements are met for exploitation, an attacker could potentially gain access to limited but arbitrary data that is in memory. After installing the recommended software update, affected BlackBerry customers will be fully protected from this vulnerability.

Who should read this advisory?

  • BBM for Android and iPhone users
  • Secure Work Space users
  • BlackBerry Link users
  • IT administrators who deploy BES10 with Secure Work Space in an enterprise

Who should apply the software fix(es)?

  • BBM for Android and iPhone users
  • Secure Work Space users
  • BlackBerry Link users
  • IT administrators who deploy BES10 with Secure Work Space in an enterprise

More Information

Have any BlackBerry customers been subject to an attack that exploits this vulnerability?
BlackBerry is not aware of any attacks targeting BlackBerry customers using this vulnerability.

What factors affected the release of this security advisory?
This advisory addresses a publicly known vulnerability that was previously discussed in a Security Notice (KB35882). The notice provided available details, and was updated as affected products were fixed. BlackBerry publishes full details of a software update in a security advisory after the fix for each affected product is available to the majority of our customers and wireless service provider partners. Publishing this advisory ensures that all of our customers can protect themselves by updating their software, or employing available workarounds if updating is not possible.

Is the Security Notice (KB35882) still applicable?
No. Given that all of the products identified in the Security Notice have been fixed and are available to our customers, the Security Notice is provided only for historical context.

Where can I read more about the security of BlackBerry products and solutions?
For more information on BlackBerry security, visit http://us.blackberry.com/business/enterprise-mobility/mobile-security.html and www.blackberry.com/bbsirt.

Affected Software and Resolutions

Read the following information to determine if your BlackBerry product is affected.

Affected Software

Product (date fix was available):

BBM for iPhone earlier than version 2.1.1.64 (fix available April 18, 2014)
BBM for Android earlier than version 2.1.1.53 (fix available April 18, 2014)
Secure Work Space for iOS, versions as outlined (fix available April 17, 2014):
  • Work Connect earlier than version 1.0.10980.3
  • Work Browser earlier than version 1.1.10980.3
Secure Work Space for Android, versions as outlined (fix available April 17, 2014):
  • Work Space Manager earlier than version 23552_10
  • SWS for Android 2.3.7 earlier than version 23552_10-2.3.7
  • SWS for Android 4.0.4 earlier than version 23553_10-4.0.4
  • SWS for Android 4.4 earlier than version 23554_10-4.4
Universal Device Service component of BES10 version 10.1.1 and later, BlackBerry Work Connect Notification Service (BWCNS) only (fix available April 21, 2014)
BlackBerry Link for Windows earlier than version 1.2.3.48 (bundle46) (fix available May 13, 2014)
BlackBerry Link for Mac OS earlier than version 1.2.1.16 (bundle21) (fix available May 13, 2014)
Non-Affected Software

Product (date fix was available):

BBM for iPhone version 2.1.1.64 and later (fix available April 18, 2014)
BBM for Android version 2.1.1.53 and later (fix available April 18, 2014)
Secure Work Space for iOS, versions as outlined (fix available April 17, 2014):
  • Work Connect version 1.0.10980.3 and later
  • Work Browser version 1.1.10980.3 and later
Secure Work Space for Android, versions as outlined (fix available April 17, 2014):
  • Work Space Manager version 23552_10 and later
  • SWS for Android 2.3.7 version 23552_10-2.3.7 and later
  • SWS for Android 4.0.4 version 23553_10-4.0.4 and later
  • SWS for Android 4.4 version 23554_10-4.4 and later
Universal Device Service component of BES10 version 10.1.1 and later with Interim Security Update (April 21, 2014) (fix available April 21, 2014)
BlackBerry Link for Windows version 1.2.3.48 (bundle46) and later (fix available May 13, 2014)
BlackBerry Link for Mac OS version 1.2.1.16 (bundle21) and later (fix available May 13, 2014)

 

The following software was never affected and all versions are fully protected against the vulnerability:

  • BlackBerry Device Service component of BES 10 
  • Universal Device Service component of BES 10 earlier than version 10.1.1
  • BlackBerry Enterprise Server 5
  • BlackBerry Universal Device Server 6.2 and earlier
  • BlackBerry® 10 OS
  • BlackBerry® 7.1 OS and earlier
  • BlackBerry® Infrastructure services
  • BBM for BlackBerry smartphones
  • BlackBerry® PlayBook™ tablet software
  • BlackBerry Enterprise Server for Office 365
  • BlackBerry Desktop Manager

 

Are BlackBerry smartphones affected?
No.

Resolution

BlackBerry has now issued fixes for all products that were affected by this vulnerability, which are included in:

 

Product (date fix was available):

BBM for iPhone version 2.1.1.64 and later (fix available April 18, 2014)
BBM for Android version 2.1.1.53 and later (fix available April 18, 2014)
Secure Work Space for iOS, versions as outlined (fix available April 17, 2014):
  • Work Connect version 1.0.10980.3 and later
  • Work Browser version 1.1.10980.3 and later
Secure Work Space for Android, versions as outlined (fix available April 17, 2014):
  • Work Space Manager version 23552_10 and later
  • SWS for Android 2.3.7 version 23552_10-2.3.7 and later
  • SWS for Android 4.0.4 version 23553_10-4.0.4 and later
  • SWS for Android 4.4 version 23554_10-4.4 and later
Universal Device Service component of BES10 version 10.1.1 and later with Interim Security Update (April 21, 2014) (fix available April 21, 2014)
BlackBerry Link for Windows version 1.2.3.48 (bundle46) and later (fix available May 13, 2014)
BlackBerry Link for Mac OS version 1.2.1.16 (bundle21) and later (fix available May 13, 2014)

 

These software updates resolve this vulnerability on affected versions of the listed products. Update the listed software to the specified version or later to be fully protected from this issue.
See the Mitigations section of this advisory for information on how to manage potential risk until the software update can be installed.

Vulnerability Information


A vulnerability exists in the OpenSSL implementation included with affected BlackBerry products. The popular OpenSSL cryptographic software library is open-source software used to secure client/server transactions.

Successful exploitation of this vulnerability could potentially result in an attacker gaining access to limited but arbitrary data that is in memory. This data could include the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.

In order to exploit this vulnerability, an attacker must send a malformed request for a heartbeat reply to an SSL endpoint that is running a vulnerable version of OpenSSL.

This vulnerability has multiple Common Vulnerability Scoring System (CVSS) scores, depending on the affected product. View the linked Common Vulnerabilities and Exposures (CVE) identifier for a description of the security issue that this security advisory addresses.
  

CVE identifier: CVE-2014-0160

Affected products and CVSS score:
  • Universal Device Service component of BES10 version 10.1.1 and later: CVSS score 3.3
  • Affected versions of BBM for Android and iPhone; affected versions of Secure Work Space for iOS and Android; affected versions of BlackBerry Link for Windows and Mac OS: CVSS score 1.8

 
To review the related Security Notice, visit KB35882.

Mitigations

Mitigations are existing conditions that a potential attacker would need to overcome in order to mount a successful attack or that would limit the severity of an attack. Examples of such conditions include default settings, common configurations and general best practices. 
 
Universal Device Service component of BES10 version 10.1.1 and later
This vulnerability is mitigated by the requirement that an attacker would need to be on the same network with access to the Tomcat instance associated with the BlackBerry Work Connect Notification Service (BWCNS), which is a component that handles message notifications for Secure Work Space for iOS. If the service is disabled or not reachable, the system is not vulnerable.

Secure Work Space
This vulnerability is mitigated by the connection architecture, in that the service only connects to a known and trusted end point.

BBM for Android
This vulnerability is mitigated by the connection architecture, in that the service only connects to a known and trusted end point.

BBM for iPhone
This vulnerability is mitigated by the connection architecture, in that the service only connects to a known and trusted end point.

BlackBerry Link
This issue is mitigated for BlackBerry Link for Mac OS and BlackBerry Link for Windows by the requirement that an attacker must first gain control of the local network before launching an attack. Additionally, these systems are not typically visible to the Internet and external traffic is sent via a proxy in a business environment. This significantly raises the difficulty of exploiting these systems.

Workarounds

Workarounds are settings or configuration changes that a user or administrator can apply to help protect against an attack. BlackBerry recommends that all users apply the appropriate software updates to fully protect their system. All workarounds should be considered temporary measures for customers to apply if they cannot install the update immediately or must perform standard testing and risk analysis. BlackBerry recommends that customers who are able to do so install the update to secure their systems.

BlackBerry Link customers can employ their firewall system to filter out heartbeat requests.
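As an added example that is not part of this advisory or of any BlackBerry product, the following Python check shows the record-level test behind the firewall workaround above and the exploitation requirement stated under Vulnerability Information: it parses a TLS record and flags a heartbeat whose declared payload length exceeds what the record actually carries. Record and heartbeat layouts follow RFC 6520; the sample records are constructed here, not captured traffic.

```python
import struct

# Added example (not BlackBerry code): a defender-side filter for TLS heartbeat
# records, the kind of check a firewall filtering heartbeat requests would apply.
# TLS record header (5 bytes): content_type(1) | version(2) | length(2), then body.
# Heartbeat body (RFC 6520): hb_type(1) | payload_length(2) | payload | padding(>=16).
# A malformed heartbeat request declares a payload_length larger than the payload
# actually sent; an unpatched OpenSSL answers with that many bytes of its memory.

TLS_HEARTBEAT = 24          # TLS ContentType for heartbeat records (RFC 6520)
HEARTBEAT_TYPES = (1, 2)    # 1 = heartbeat_request, 2 = heartbeat_response
MIN_PADDING = 16            # RFC 6520: padding must be at least 16 bytes


def classify_tls_record(record: bytes) -> str:
    """Return 'not-heartbeat', 'heartbeat-ok', 'heartbeat-malformed' or 'truncated'."""
    if len(record) < 5:
        return "truncated"
    content_type, _version, length = struct.unpack("!BHH", record[:5])
    if content_type != TLS_HEARTBEAT:
        return "not-heartbeat"
    body = record[5:5 + length]
    if len(body) != length or len(body) < 3:
        return "truncated"          # header claims more bytes than were delivered
    hb_type, payload_length = struct.unpack("!BH", body[:3])
    if hb_type not in HEARTBEAT_TYPES:
        return "heartbeat-malformed"
    # RFC 6520: payload_length must not exceed record length - 3 (header) - 16
    # (minimum padding); anything larger is the over-read request to block.
    if payload_length > length - 3 - MIN_PADDING:
        return "heartbeat-malformed"
    return "heartbeat-ok"


def should_drop(record: bytes) -> bool:
    """Filter policy: drop malformed or truncated heartbeat records, pass the rest."""
    return classify_tls_record(record) in ("heartbeat-malformed", "truncated")


def build_record(content_type: int, body: bytes) -> bytes:
    """Wrap a body in a TLS 1.1 record header (used only to build sample data)."""
    return struct.pack("!BHH", content_type, 0x0302, len(body)) + body


# Constructed samples (not captured traffic). Both heartbeats carry a 4-byte
# payload plus 16 bytes of padding; only the declared payload_length differs.
GOOD_HEARTBEAT = build_record(TLS_HEARTBEAT, struct.pack("!BH", 1, 4) + b"ping" + b"\x00" * 16)
BAD_HEARTBEAT = build_record(TLS_HEARTBEAT, struct.pack("!BH", 1, 200) + b"ping" + b"\x00" * 16)
APP_DATA = build_record(23, b"hello")          # ordinary application_data record
TRUNCATED = GOOD_HEARTBEAT[:8]                 # header claims 23 body bytes, 3 present
```

With these samples, classify_tls_record returns "heartbeat-ok" for GOOD_HEARTBEAT and "heartbeat-malformed" for BAD_HEARTBEAT, and should_drop passes the application data record untouched.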

There are no workarounds for this vulnerability for affected versions of the Universal Device Service component of BES10, affected versions of BBM for Android and iPhone and affected versions of Secure Work Space.

More Information

What is OpenSSL?
OpenSSL is an open-source implementation of the SSL and TLS protocols. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

What is the OpenSSL “Heartbleed” vulnerability?
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users. This issue was addressed in OpenSSL 1.0.1g.

What is the difference between a BlackBerry Security Advisory and Security Notice?
A Security Advisory publicly notifies BlackBerry customers of the availability of a software update to address a confirmed vulnerability in BlackBerry products, and it provides technical details regarding the vulnerability in combination with additional mitigations and workarounds to protect customers.
In comparison, a Security Notice informs customers about software vulnerabilities that we are either working to address, or that we do not believe warrant a security update, given the low risk and severity. We do not follow a set schedule for issuing security notices, but rather release these notifications as needed to provide customers with information on how to best secure their device.


 

Definitions

CVE
Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities maintained by the MITRE Corporation.

CVSS
CVSS is a vendor-agnostic, industry open standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency for update deployment within an organization. CVSS scores can range from 0.0 (no vulnerability) to 10.0 (critical). BlackBerry uses CVSS in vulnerability assessments to present an immutable characterization of security issues. BlackBerry assigns all relevant security issues a non-zero score. Customers performing their own risk assessments of vulnerabilities that may impact them can benefit from using the same industry-recognized CVSS metrics.

Change Log

05-13-2014

Initial publication of security advisory closing KB35882

Disclaimer

By downloading, accessing or otherwise using the Knowledge Base documents you agree:

   (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and

   (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.


Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.