BlackBerry response to OpenSSL vulnerabilities

Article ID: KB36051

Type:   BlackBerry Security Notice

First Published: 06-24-2014

Last Modified: 06-26-2014

Product(s) Affected:

  • BBM for Android
  • BBM for iPhone
  • BlackBerry 10
  • BlackBerry Enterprise Service 10
  • BES10 Client for iOS
  • BES10 Client for Android
  • BlackBerry Link for Windows
  • BlackBerry Link for Mac
Overview
This security notice addresses OpenSSL® vulnerabilities that were announced on June 5, 2014. BlackBerry® is diligently working to investigate the vulnerabilities, resolve the related issues as quickly as possible, and communicate the findings and resolution to our customers. We will continue to update this security notice as new information and resolutions become available.
Who should read this notice?
  • BlackBerry smartphone users
  • BBM™ for iOS and Android users
  • Secure Work Space for iOS and Android™ users
  • IT administrators who deploy BlackBerry smartphones, BlackBerry® Enterprise Server 5, BlackBerry® Enterprise Service 10, or Secure Work Space for iOS and Android in an enterprise
More Information

Have any BlackBerry customers been subject to an attack that exploits these vulnerabilities?
BlackBerry is not aware of any attacks targeting BlackBerry customers using these vulnerabilities.

When will BlackBerry fix the BlackBerry products affected by the OpenSSL vulnerabilities?
For those products that are affected, we are diligently working to determine the full impact of the issue and confirm the best approach for protecting customers.

When will BlackBerry provide more updates about these issues?
BlackBerry will provide further updates as needed while our ongoing investigation continues. This notice will also be updated as affected BlackBerry products are fixed.

Is this the same as “Heartbleed”?
No. The “Heartbleed” vulnerability (CVE-2014-0160) was disclosed by the OpenSSL Project on April 7th, 2014 and was an entirely different software defect. The vulnerability disclosed in CVE-2014-0160 has been fixed in all affected BlackBerry software. Please refer to the related Security Advisory by visiting KB35955.

Where can I read more about the security of BlackBerry products and solutions?
For more information on BlackBerry security, visit http://us.blackberry.com/business/topics/security.html and www.blackberry.com/bbsirt.

Affected Software

Our investigation has revealed that multiple products are affected, but that not all vulnerabilities in the OpenSSL advisory affect all products. As a result, please consult the following table, which outlines both the affected products, and the vulnerabilities that affect each one.

Product: Applicable CVEs

  • BlackBerry® 10 OS: CVE-2014-3470, CVE-2014-0224, CVE-2014-0221, CVE-2014-0198, CVE-2014-0195, CVE-2010-5298
  • Universal Device Service component of BlackBerry Enterprise Service 10 version 10.1.0 to 10.2.0: CVE-2014-0224, CVE-2014-0221, CVE-2014-0195
  • BlackBerry® Link: CVE-2014-3470, CVE-2014-0224, CVE-2014-0221, CVE-2014-0198, CVE-2014-0195, CVE-2010-5298
  • BBM™ for Android earlier than version 2.2.1.40: CVE-2014-0224
  • BBM™ for iPhone earlier than version 2.2.1.24: CVE-2014-0224
  • WorkConnect component of Secure Work Space for iOS and Android: CVE-2014-3470, CVE-2014-0224

Non-Affected Software

The following products are either unaffected by the vulnerabilities, or have been updated to fix the vulnerability:

  • BlackBerry Device Service component of BlackBerry Enterprise Service 10
  • Universal Device Service component of BlackBerry Enterprise Service 10 versions 10.0.0 and 10.2.1 and later
  • BlackBerry® Enterprise Server 5
  • BlackBerry OS version 7.1 and earlier
  • BlackBerry® Desktop Software
  • BBM on BlackBerry smartphones
  • BBM Protected
  • BBM for Android version 2.2.1.40 (released June 17, 2014)
  • BBM for iPhone version 2.2.1.24 (released June 18, 2014)
Are BlackBerry smartphones affected?
Yes. BlackBerry 10 smartphones are affected.
Vulnerability Information

BlackBerry is currently investigating the customer impact of the recently announced OpenSSL vulnerabilities. A list of known affected and unaffected products is supplied in this notice, and may be updated as we complete our investigation.

The June 5 public advisory detailed multiple vulnerabilities in the popular OpenSSL cryptographic software library. The vulnerabilities potentially affect applications that use OpenSSL to terminate SSL/TLS traffic. Depending on which of the vulnerabilities a product is affected by, an attacker could potentially:

  • intercept an encrypted data stream, and decrypt, view or manipulate the data; this requires that an attacker also complete a successful man-in-the-middle (MITM) attack
  • cause a denial of service (DoS) condition
  • inject data across sessions or execute arbitrary code
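As an added illustration (not part of this notice and not BlackBerry tooling), the following Python script classifies an `openssl version` banner against the releases in which the OpenSSL Project shipped the fixes for the six CVEs covered here (0.9.8za, 1.0.0m and 1.0.1h, as stated in the OpenSSL advisory referenced in this notice). The `FIXED_RELEASES` table, the patch-letter ordering and the function names are assumptions made for this example. Some distributions backport fixes without changing the reported version, so a "vulnerable" result from a version comparison alone is a prompt to check the vendor's patch status rather than proof of exposure.

```python
import re
import subprocess

# Releases in which the OpenSSL Project fixed all six CVEs covered by this notice,
# taken from the OpenSSL Security Advisory of 5 June 2014 (secadv_20140605).
# Assumption for this example: one fixing release per maintained branch.
FIXED_RELEASES = {
    (0, 9, 8): "za",
    (1, 0, 0): "m",
    (1, 0, 1): "h",
}

# Matches banners such as "OpenSSL 1.0.1g 7 Apr 2014" or "OpenSSL 0.9.8za 5 Jun 2014".
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Split a version banner into a branch tuple and its patch-letter suffix."""
    match = _BANNER_RE.search(banner)
    if match is None:
        raise ValueError("unrecognised OpenSSL version banner: %r" % banner)
    major, minor, fix, letters = match.groups()
    return (int(major), int(minor), int(fix)), letters


def _letters_key(letters):
    # OpenSSL patch letters run a, b, ..., y, z, za, zb, ...: a longer suffix is
    # always newer, and suffixes of equal length compare alphabetically.
    return (len(letters), letters)


def advisory_status(banner):
    """Return 'fixed', 'vulnerable' or 'unknown-branch' for a version banner.

    'vulnerable' means the reported release predates the fixing release of its
    branch. Vendors that backport fixes without bumping the version still report
    the old version, so treat the result as an indicator rather than proof.
    """
    branch, letters = parse_openssl_version(banner)
    fixed_letters = FIXED_RELEASES.get(branch)
    if fixed_letters is None:
        return "unknown-branch"
    if _letters_key(letters) >= _letters_key(fixed_letters):
        return "fixed"
    return "vulnerable"


def check_local_openssl():
    """Run the local 'openssl version' command and classify its output."""
    try:
        banner = subprocess.check_output(["openssl", "version"], universal_newlines=True)
    except (OSError, subprocess.CalledProcessError) as exc:
        return "error: could not run openssl (%s)" % exc
    return "%s -> %s" % (banner.strip(), advisory_status(banner))


if __name__ == "__main__":
    # Constructed sample banners, followed by whatever library is installed locally.
    for sample in ("OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 0.9.8za 5 Jun 2014",
                   "OpenSSL 1.0.1h 5 Jun 2014"):
        print(sample, "->", advisory_status(sample))
    print(check_local_openssl())
```

The branch table is deliberately limited to the three branches the June 2014 advisory covered; any other branch is reported as "unknown-branch" rather than guessed at.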

Further investigation into affected products is ongoing, and BlackBerry is working to determine the full impact of the issue and confirm the best approach for protecting customers. As fixes become available, this notice will be updated.

View the linked CVE identifier for a description of each security issue that this security notice addresses.

CVE identifier
CVE-2014-3470
CVE-2014-0224
CVE-2014-0221
CVE-2014-0198
CVE-2014-0195
CVE-2010-5298

The list of defects as published by the OpenSSL Project can be found at the following link: https://www.openssl.org/news/secadv_20140605.txt

Mitigations

Mitigations are existing conditions that a potential attacker would need to overcome to mount a successful attack or that would limit the severity of an attack. Examples of such conditions include default settings, common configurations and general best practices.

CVE: Affected Products

  • CVE-2014-3470: BlackBerry 10 OS, BlackBerry Link
  • CVE-2014-0224: BlackBerry 10 OS, BES10 (affected component versions), BlackBerry Link, BBM for Android and iPhone (affected versions), Secure Work Space for iOS and Android
  • CVE-2014-0221: BlackBerry 10 OS, BES10 (affected component versions), BlackBerry Link
  • CVE-2014-0198: BlackBerry 10 OS, BlackBerry Link
  • CVE-2014-0195: BlackBerry 10 OS, BES10 (affected component versions), BlackBerry Link
  • CVE-2010-5298: BlackBerry 10 OS, BlackBerry Link

CVE-2014-3470 (see the table above for products affected by this CVE)
This issue is mitigated by the requirement that an attacker must gain control over an existing connection that is affected by the vulnerability, as there is normally no way for an attacker to force a customer to initiate the connection. Additionally, while an attacker could cause the client to crash, the underlying operating system would survive the crash and the client could be restarted. Once a crash has occurred, it is difficult for an attacker to repeat the attack, because the attacker cannot generally cause a service to initiate the connection. The issue is further mitigated in that the type of connection that is affected by the vulnerability is rarely used in practice.

CVE-2014-0224 (see the table above for products affected by this CVE)
This issue is mitigated by the requirement that an attacker must intercept and modify network traffic between servers and clients that are using specific versions of OpenSSL. This means that any attack would need to be extremely targeted. Additionally, an attacker is limited to accessing data in transit over an attacker-controlled network; data at rest is not affected.
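The mitigation above rests on the attacker having to sit in the traffic path and alter the handshake; the same ordering property can be checked from the monitoring side. The following Python script is an added example (not part of this notice and not code from any BlackBerry product) of a passive handshake-ordering audit: in TLS a ChangeCipherSpec message is only legitimate once the key exchange is complete (after ClientKeyExchange in a full handshake, or after ServerHello in a session-resumption handshake), so a ChangeCipherSpec that arrives earlier, or that a side sends twice, is the ordering anomaly CVE-2014-0224 depends on. The message traces are constructed for the example, and the simplified view that one monitor sees both directions of a single session in wire order is an assumption.

```python
# Simplified TLS 1.x handshake-ordering audit (added example; constructed traces).
# Each record is (sender, message_name) with an optional third element of
# attributes, e.g. {"resumed": True} on a ServerHello that resumes a session.

EARLY_CCS = "ChangeCipherSpec before key exchange completed (CVE-2014-0224 pattern)"
REPEATED_CCS = "ChangeCipherSpec sent more than once by the same side"


def audit_handshake(messages):
    """Return a list of (index, sender, finding) tuples; empty when ordering is valid."""
    findings = []
    keys_established = False            # can a master secret exist on both sides yet?
    ccs_count = {"client": 0, "server": 0}
    for index, record in enumerate(messages):
        sender, name = record[0], record[1]
        attrs = record[2] if len(record) > 2 else {}
        if name == "ServerHello" and attrs.get("resumed"):
            # Abbreviated handshake: both sides reuse the cached master secret,
            # so the server's ChangeCipherSpec legitimately follows ServerHello.
            keys_established = True
        elif name == "ClientKeyExchange":
            keys_established = True
        elif name == "ChangeCipherSpec":
            ccs_count[sender] += 1
            if not keys_established:
                findings.append((index, sender, EARLY_CCS))
            if ccs_count[sender] > 1:
                findings.append((index, sender, REPEATED_CCS))
    return findings


# Constructed traces -----------------------------------------------------------
FULL_HANDSHAKE = [
    ("client", "ClientHello"),
    ("server", "ServerHello"),
    ("server", "Certificate"),
    ("server", "ServerHelloDone"),
    ("client", "ClientKeyExchange"),
    ("client", "ChangeCipherSpec"),
    ("client", "Finished"),
    ("server", "ChangeCipherSpec"),
    ("server", "Finished"),
]

RESUMED_HANDSHAKE = [
    ("client", "ClientHello"),
    ("server", "ServerHello", {"resumed": True}),
    ("server", "ChangeCipherSpec"),
    ("server", "Finished"),
    ("client", "ChangeCipherSpec"),
    ("client", "Finished"),
]

# A session in which a man-in-the-middle has inserted a ChangeCipherSpec toward
# each side right after ServerHello; the genuine ChangeCipherSpecs still follow.
INJECTED_HANDSHAKE = [
    ("client", "ClientHello"),
    ("server", "ServerHello"),
    ("server", "ChangeCipherSpec"),    # inserted by the attacker
    ("client", "ChangeCipherSpec"),    # inserted by the attacker
    ("server", "Certificate"),
    ("server", "ServerHelloDone"),
    ("client", "ClientKeyExchange"),
    ("client", "ChangeCipherSpec"),
    ("client", "Finished"),
    ("server", "ChangeCipherSpec"),
    ("server", "Finished"),
]


if __name__ == "__main__":
    for label, trace in (("full", FULL_HANDSHAKE),
                         ("resumed", RESUMED_HANDSHAKE),
                         ("injected", INJECTED_HANDSHAKE)):
        print(label, audit_handshake(trace) or "ok")
```

The resumption case is handled explicitly because an abbreviated handshake legitimately carries the server's ChangeCipherSpec directly after ServerHello; without that branch a monitor would flag every resumed session.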

CVE-2014-0221 (see the table above for products affected by this CVE)
This issue is mitigated by the requirement that an attacker targeting a client must cause a service to initiate a connection in order for the attacker to send malicious traffic to the client. There is no way for an attacker to force a connection. Additionally, while an attacker could cause the client to crash, the underlying operating system would survive the crash and the client could be restarted. Once a crash has occurred, it is difficult for an attacker to repeat the attack, because the attacker cannot generally force a service to initiate the connection.

CVE-2014-0198 (see the table above for products affected by this CVE)
This issue is mitigated by the requirement that an attacker targeting a client must cause a service to initiate a connection in order for the attacker to send malicious traffic to the client. There is no way for an attacker to force a connection. Additionally, while an attacker could cause the client to crash, the underlying operating system would survive the crash and the client could be restarted. Once a crash has occurred, it is difficult for an attacker to repeat the attack, because the attacker cannot generally force a service to initiate the connection.

CVE-2014-0195 (see the table above for products affected by this CVE)
This issue is mitigated by the requirement that an attacker targeting a client must cause a service to initiate a connection to a malicious server. There is no known way for an attacker to force a connection. Additionally, in order to do more than crash the client, an attacker would need to develop an attack for each specific client and a successful attack would only offer limited access to the affected system.

CVE-2010-5298 (see the table above for products affected by this CVE)
This issue is mitigated by the requirement that an attacker targeting a client must cause a service to initiate a connection while the process is communicating with a legitimate server in order for the attacker to send malicious traffic to the client. There is no known way for an attacker to force a connection. This vulnerability requires a combination of very specific network conditions and a timing-related attack to interact with another thread within the same process. The attacker has no apparent method of forcing the timing of the attack, so it is extremely unlikely that this attack could be performed in practice.

BlackBerry 10 OS
Android applications running on BlackBerry 10 are not subject to CVE-2014-0221 or CVE-2014-0195, as the Android runtime does not support DTLS. Native applications may be affected if they support DTLS.

Universal Device Service component of BES10 version 10.1.0 to 10.2.0
These vulnerabilities are further mitigated by the requirement that the attacker must persuade the customer to connect to the service with a vulnerable browser. In addition, only the BWCNS service is subject to CVE-2014-0224, and this service is only used on installations that support iOS clients. It should be noted that all BES10 components run within a corporate network and would not be subject to attacks from the Internet.

BBM for Android and iPhone (affected versions) and Secure Work Space
These services only connect to known endpoints and an attacker would need to be able to spoof fixed IP addresses to exploit any of these issues. This would require the attacker to effectively have complete control over the network.

Workarounds

Workarounds are settings or configuration changes that a user or administrator can apply to help protect against an attack.

There are no workarounds for these vulnerabilities for affected versions of BlackBerry 10 OS, BES10, BBM for Android and iPhone and Secure Work Space.

BlackBerry Link customers can reduce their exposure by not setting up shared files. This will protect against an attacker attempting to gain access to data shared between the customer’s computer and the BlackBerry 10 smartphone.

More Information

What is OpenSSL?
OpenSSL is an open-source implementation of the SSL and TLS protocols. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
Change Log

06-24-2014

Initial publication

06-26-2014

Clarified the version information for unaffected BlackBerry OS versions.

Disclaimer

By downloading, accessing or otherwise using the Knowledge Base documents you agree:

   (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and

   (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.


Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.