-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0789
  BSRT-2014-005 Information disclosure vulnerability in OpenSSL affects
                              BlackBerry products
                                 21 May 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BBM for Android
                   BBM for iPhone
                   BlackBerry Enterprise Service 10
                   BES10 Client for iOS
                   BES10 Client for Android
                   BlackBerry Link For PC
                   BlackBerry Link for Mac
Publisher:         RIM
Operating System:  Windows
                   OS X
                   Apple iOS
                   Android
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0160

Reference:         ASB-2014.0042
                   ESB-2014.0461
                   ESB-2014.0457
                   ESB-2014.0458.2

Original Bulletin:
   http://www.blackberry.com/btsc/kb35955

- --------------------------BEGIN INCLUDED TEXT--------------------

BSRT-2014-005 Information disclosure vulnerability in OpenSSL affects
BlackBerry products

Article ID:      KB35955
Type:            BlackBerry Security Advisory
First Published: 05-13-2014
Last Modified:   05-13-2014

Product(s) Affected:
BBM for Android
BBM for iPhone
BlackBerry Enterprise Service 10
BES10 Client for iOS
BES10 Client for Android
BlackBerry Link For PC
BlackBerry Link for Mac

Overview

Note: KB35955 was previously published as a Security Notice (KB35882), which addressed the OpenSSL "Heartbleed" vulnerability that was announced on April 7, 2014. The Security Notice was updated as fixes became available. Now that all the fixes have been completed, this Security Advisory replaces the Security Notice and provides full details of publicly available software updates that address the issue. To review the related Security Notice, visit KB35882.
This advisory addresses an OpenSSL information disclosure vulnerability that is not currently being exploited on BlackBerry products but affects BBM for Android and iPhone, Secure Work Space for iOS and Android, BlackBerry Enterprise Service 10, and BlackBerry Link customers. BlackBerry customer risk is limited in all cases by the requirement that an attacker first gain access to an affected product in order to then mount a successful attack. Additionally, for BBM for Android and iPhone, Secure Work Space, and Link customers, risk is further limited by the need for an attacker to successfully complete a man-in-the-middle attack that is capable of spoofing IP addresses.

Successful exploitation requires an attacker to send a malformed request for a heartbeat reply to an SSL endpoint that is running a vulnerable version of OpenSSL. If the requirements are met for exploitation, an attacker could potentially gain access to limited but arbitrary data that is in memory.

After installing the recommended software update, affected BlackBerry customers will be fully protected from this vulnerability.

Who should read this advisory?

BBM for Android and iPhone users
Secure Work Space users
BlackBerry Link users
IT administrators who deploy BES10 with Secure Work Space in an enterprise

Who should apply the software fix(es)?

BBM for Android and iPhone users
Secure Work Space users
BlackBerry Link users
IT administrators who deploy BES10 with Secure Work Space in an enterprise

More Information

Have any BlackBerry customers been subject to an attack that exploits this vulnerability?

BlackBerry is not aware of any attacks targeting BlackBerry customers using this vulnerability.

What factors affected the release of this security advisory?

This advisory addresses a publicly known vulnerability that was previously discussed in a Security Notice (KB35882). The notice provided available details, and was updated as affected products were fixed.
BlackBerry publishes full details of a software update in a security advisory after the fix for each affected product is available to the majority of our customers and wireless service provider partners. Publishing this advisory ensures that all of our customers can protect themselves by updating their software, or employing available workarounds if updating is not possible.

Is the Security Notice (KB35882) still applicable?

No. Given that all of the products identified in the Security Notice have been fixed and are available to our customers, the Security Notice is provided only for historical context.

Where can I read more about the security of BlackBerry products and solutions?

For more information on BlackBerry security, visit http://us.blackberry.com/business/enterprise-mobility/mobile-security.html and www.blackberry.com/bbsirt.

Affected Software and Resolutions

Read the following information to determine if your BlackBerry product is affected.

Affected Software

Product                                                   Date fix was available
BBM for iPhone earlier than version 2.1.1.64              April 18, 2014
BBM for Android earlier than version 2.1.1.53             April 18, 2014
Secure Work Space for iOS, versions as outlined:          April 17, 2014
  Work Connect earlier than version 1.0.10980.3
  Work Browser earlier than version 1.1.10980.3
Secure Work Space for Android, versions as outlined:      April 17, 2014
  Work Space Manager earlier than version 23552_10
  SWS for Android 2.3.7 earlier than version 23552_10-2.3.7
  SWS for Android 4.0.4 earlier than version 23553_10-4.0.4
  SWS for Android 4.4 earlier than version 23554_10-4.4
Universal Device Service component of BES10 version       April 21, 2014
  10.1.1 and later (BlackBerry Work Connect Notification
  Service (BWCNS) only)
BlackBerry Link for Windows earlier than                  May 13, 2014
  version 1.2.3.48 (bundle46)
BlackBerry Link for Mac OS earlier than                   May 13, 2014
  version 1.2.1.16 (bundle21)

Non-Affected Software

Product                                                   Date fix was available
BBM for iPhone version 2.1.1.64 and later                 April 18, 2014
BBM for Android version 2.1.1.53 and later                April 18, 2014
Secure Work Space for iOS, versions as outlined:          April 17, 2014
  Work Connect version 1.0.10980.3 and later
  Work Browser version 1.1.10980.3 and later
Secure Work Space for Android, versions as outlined:      April 17, 2014
  Work Space Manager version 23552_10 and later
  SWS for Android 2.3.7 version 23552_10-2.3.7 and later
  SWS for Android 4.0.4 version 23553_10-4.0.4 and later
  SWS for Android 4.4 version 23554_10-4.4 and later
Universal Device Service component of BES10               April 21, 2014
  version 10.1.1 and later with Interim Security Update
  (April 21, 2014)
BlackBerry Link for Windows version 1.2.3.48              May 13, 2014
  (bundle46) and later
BlackBerry Link for Mac OS version 1.2.1.16               May 13, 2014
  (bundle21) and later

The following software was never affected and all versions are fully protected against the vulnerability:

BlackBerry Device Service component of BES 10
Universal Device Service component of BES 10 earlier than version 10.1.1
BlackBerry Enterprise Server 5
BlackBerry Universal Device Server 6.2 and earlier
BlackBerry 10 OS
BlackBerry 7.1 OS and earlier
BlackBerry Infrastructure services
BBM for BlackBerry smartphones
BlackBerry PlayBook tablet software
BlackBerry Enterprise Server for Office 365
BlackBerry Desktop Manager

Are BlackBerry smartphones affected?

No.
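Checking an inventory against the thresholds in the tables above is easy to get wrong by hand, because the advisory mixes dotted versions (2.1.1.64) with build-style ones (23552_10-2.3.7) and treats the Universal Device Service differently from everything else. The following is an added example, not code from AusCERT or BlackBerry. The FIXED_VERSIONS table transcribes the "Non-Affected Software" thresholds; the product names used as keys, the integer-run comparison, the interim_update_applied flag and the sample inventory are this example's own constructions.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Minimum fixed version per product, transcribed from the advisory's
# "Non-Affected Software" table. Anything earlier is affected.
# The key names are this example's own shorthand for the products.
FIXED_VERSIONS: Dict[str, str] = {
    "BBM for iPhone": "2.1.1.64",
    "BBM for Android": "2.1.1.53",
    "Work Connect (SWS for iOS)": "1.0.10980.3",
    "Work Browser (SWS for iOS)": "1.1.10980.3",
    "Work Space Manager (SWS for Android)": "23552_10",
    "SWS for Android 2.3.7": "23552_10-2.3.7",
    "SWS for Android 4.0.4": "23553_10-4.0.4",
    "SWS for Android 4.4": "23554_10-4.4",
    "BlackBerry Link for Windows": "1.2.3.48",  # bundle46
    "BlackBerry Link for Mac OS": "1.2.1.16",   # bundle21
}


def version_key(version: str) -> Tuple[int, ...]:
    """Reduce a BlackBerry-style version string to its ordered run of integers.

    Dotted versions and build-style ones (23552_10-2.3.7) both become tuples,
    so a single comparison covers every row of the advisory's table.
    """
    return tuple(int(n) for n in re.findall(r"\d+", version))


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 as a is earlier than, equal to, or later than b.
    Shorter tuples are zero-padded so that 2.1.1 equals 2.1.1.0."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += (0,) * (width - len(ka))
    kb += (0,) * (width - len(kb))
    return (ka > kb) - (ka < kb)


def is_affected(product: str, installed: str) -> bool:
    """True if the installed build is earlier than the advisory's fixed version."""
    if product not in FIXED_VERSIONS:
        raise ValueError(f"{product!r} is not in the advisory's version table")
    return compare_versions(installed, FIXED_VERSIONS[product]) < 0


def uds_is_affected(installed: str, interim_update_applied: bool) -> bool:
    """Universal Device Service component of BES10 is the special case:
    only 10.1.1 and later were ever affected, and the fix is the Interim
    Security Update rather than a new version number."""
    if compare_versions(installed, "10.1.1") < 0:
        return False          # earlier releases were never affected
    return not interim_update_applied


def audit(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (product, version) pairs that still need the update."""
    return [(p, v) for p, v in inventory if is_affected(p, v)]


if __name__ == "__main__":
    # Constructed sample inventory; not data from the advisory.
    sample = [
        ("BBM for iPhone", "2.1.0.99"),
        ("BBM for Android", "2.1.1.53"),
        ("SWS for Android 2.3.7", "23551_10-2.3.7"),
        ("BlackBerry Link for Windows", "1.2.3.48"),
        ("BlackBerry Link for Mac OS", "1.1.9.2"),
    ]
    for product, version in audit(sample):
        print(f"AFFECTED: {product} {version} "
              f"(update to {FIXED_VERSIONS[product]} or later)")
    print("UDS 10.1.1 without interim update affected:",
          uds_is_affected("10.1.1", interim_update_applied=False))
```

Note that the "(bundleNN)" annotations are deliberately kept out of the threshold strings: including them would add a trailing integer that a bare "1.2.3.48" on a client would compare below, producing a false "affected" result.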
Resolution

BlackBerry has now issued fixes for all products that were affected by this vulnerability, which are included in:

Product                                                   Date fix was available
BBM for iPhone version 2.1.1.64 and later                 April 18, 2014
BBM for Android version 2.1.1.53 and later                April 18, 2014
Secure Work Space for iOS, versions as outlined:          April 17, 2014
  Work Connect version 1.0.10980.3 and later
  Work Browser version 1.1.10980.3 and later
Secure Work Space for Android, versions as outlined:      April 17, 2014
  Work Space Manager version 23552_10 and later
  SWS for Android 2.3.7 version 23552_10-2.3.7 and later
  SWS for Android 4.0.4 version 23553_10-4.0.4 and later
  SWS for Android 4.4 version 23554_10-4.4 and later
Universal Device Service component of BES10 version       April 21, 2014
  10.1.1 and later with Interim Security Update
  (April 21, 2014)
BlackBerry Link for Windows version 1.2.3.48              May 13, 2014
  (bundle46) and later
BlackBerry Link for Mac OS version 1.2.1.16               May 13, 2014
  (bundle21) and later

These software updates resolve this vulnerability on affected versions of the listed products. Update the listed software to the specified version or later to be fully protected from this issue. See the Mitigations section of this advisory for information on how to manage potential risk until the software update can be installed.

Vulnerability Information

Note: KB35955 was previously published as a Security Notice (KB35882), which addressed the OpenSSL "Heartbleed" vulnerability that was announced on April 7, 2014. The Security Notice was updated as fixes became available. Now that all the fixes have been completed, this Security Advisory replaces the Security Notice and provides full details of publicly available software updates that address the issue.

A vulnerability exists in the OpenSSL implementation included with affected BlackBerry products. The popular OpenSSL cryptographic software library is open-source software used to secure client/server transactions.
Successful exploitation of this vulnerability could potentially result in an attacker gaining access to limited but arbitrary data that is in memory. This data could include the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. In order to exploit this vulnerability, an attacker must send a malformed request for a heartbeat reply to an SSL endpoint that is running a vulnerable version of OpenSSL.

This vulnerability has multiple Common Vulnerability Scoring System (CVSS) scores, depending on the affected product. View the linked Common Vulnerabilities and Exposures (CVE) identifier for a description of the security issue that this security advisory addresses.

CVE identifier   Affected Products                                            CVSS score
CVE-2014-0160    Universal Device Service component of BES10 version         3.3
                 10.1.1 and later
                 Affected versions of BBM for Android and iPhone              1.8
                 Affected versions of Secure Work Space for iOS and Android
                 Affected versions of BlackBerry Link for Windows and Mac OS

To review the related Security Notice, visit KB35882.

Mitigations

Mitigations are existing conditions that a potential attacker would need to overcome in order to mount a successful attack or that would limit the severity of an attack. Examples of such conditions include default settings, common configurations and general best practices.

Universal Device Service component of BES10 version 10.1.1 and later

This vulnerability is mitigated by the requirement that an attacker would need to be on the same network with access to the Tomcat instance associated with the BlackBerry Work Connect Notification Service (BWCNS), which is a component that handles message notifications for Secure Work Space for iOS. If the service is disabled or not reachable, the system is not vulnerable.

Secure Work Space

This vulnerability is mitigated by the connection architecture, in that the service only connects to a known and trusted end point.
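The malformed heartbeat request described under Vulnerability Information is recognisable on the wire: a TLS record of content type 0x18 whose HeartbeatMessage declares a payload_length larger than the bytes actually carried. That is what a firewall filter for heartbeat records, or an IDS signature for CVE-2014-0160, keys on. The inspector below is an added example written for this bulletin, not code from AusCERT, BlackBerry or OpenSSL; the record layout follows RFC 6520 and the bound it checks is the one the OpenSSL fix enforces, while the HeartbeatVerdict class, the function names and the sample records are this example's own constructions.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

TLS_HEARTBEAT = 0x18            # TLS record content type "heartbeat" (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2  # HeartbeatMessageType values
MIN_PADDING = 16                # RFC 6520 requires at least 16 bytes of padding


@dataclass
class HeartbeatVerdict:
    is_heartbeat: bool
    malformed: bool
    reason: str
    declared_payload: Optional[int] = None
    actual_payload: Optional[int] = None


def inspect_record(record: bytes) -> HeartbeatVerdict:
    """Classify a single TLS record.

    A filter of the kind the advisory describes as a workaround for
    BlackBerry Link would drop every record with is_heartbeat set; an IDS
    rule would alert only on the ones that are also malformed.
    """
    if len(record) < 5:
        return HeartbeatVerdict(False, False, "truncated record header")
    ctype, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != TLS_HEARTBEAT:
        return HeartbeatVerdict(False, False, f"content type 0x{ctype:02x} is not heartbeat")
    fragment = record[5:5 + rec_len]
    if len(fragment) < rec_len:
        return HeartbeatVerdict(True, True, "record length field exceeds bytes present")
    if len(fragment) < 3:
        return HeartbeatVerdict(True, True, "heartbeat message shorter than its 3-byte header")
    hb_type, declared = struct.unpack("!BH", fragment[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return HeartbeatVerdict(True, True, f"unknown heartbeat type {hb_type}")
    # Payload bytes actually present once the 3-byte header and the minimum
    # padding are accounted for. A declared length beyond this bound is the
    # CVE-2014-0160 condition: the vulnerable code copied the declared count
    # from adjacent memory; the fixed code silently discards the message.
    actual = len(fragment) - 3 - MIN_PADDING
    if declared > actual:
        return HeartbeatVerdict(True, True,
                                "declared payload_length exceeds message size (CVE-2014-0160 pattern)",
                                declared, max(actual, 0))
    return HeartbeatVerdict(True, False, "well-formed heartbeat", declared, actual)


# Constructed sample records for exercising the inspector; not captured traffic.
SAMPLE_RECORDS: Dict[str, bytes] = {
    # TLS 1.1 heartbeat request, payload "ping" (4 bytes), 16 bytes of padding
    "well-formed heartbeat": b"\x18\x03\x02\x00\x17" + b"\x01\x00\x04ping" + b"\x00" * 16,
    # same message, but payload_length claims 16384 bytes
    "oversized heartbeat": b"\x18\x03\x02\x00\x17" + b"\x01\x40\x00ping" + b"\x00" * 16,
    # record header promises 48 bytes but only 3 follow
    "truncated heartbeat": b"\x18\x03\x02\x00\x30" + b"\x01\x00\x04",
    # ordinary application-data record, passed through untouched
    "application data": b"\x17\x03\x02\x00\x05hello",
}


def malformed_names(records: Dict[str, bytes]) -> List[str]:
    """Names of the records an IDS would alert on."""
    return [name for name, rec in records.items() if inspect_record(rec).malformed]


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        v = inspect_record(rec)
        print(f"{name:22s} heartbeat={str(v.is_heartbeat):5s} "
              f"malformed={str(v.malformed):5s} {v.reason}")
```

The check deliberately compares against the payload room left after the minimum padding rather than against the raw fragment length: a message whose declared length fits the fragment only by eating into the mandatory padding is still one the fixed OpenSSL discards, and a detector that ignored padding would miss it.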
BBM for Android

This vulnerability is mitigated by the connection architecture, in that the service only connects to a known and trusted end point.

BBM for iPhone

This vulnerability is mitigated by the connection architecture, in that the service only connects to a known and trusted end point.

BlackBerry Link

This issue is mitigated for BlackBerry Link for Mac OS and BlackBerry Link for Windows by the requirement that an attacker must first gain control of the local network before launching an attack. Additionally, these systems are not typically visible to the Internet and external traffic is sent via a proxy in a business environment. This significantly raises the difficulty of exploiting these systems.

Workarounds

Workarounds are settings or configuration changes that a user or administrator can apply to help protect against an attack. BlackBerry recommends that all users apply the appropriate software updates to fully protect their system. All workarounds should be considered temporary measures for customers to apply if they cannot install the update immediately or must perform standard testing and risk analysis. BlackBerry recommends that customers who are able to do so install the update to secure their systems.

BlackBerry Link customers can employ their firewall system to filter out heartbeat requests.

There are no workarounds for this vulnerability for affected versions of the Universal Device Service component of BES10, affected versions of BBM for Android and iPhone, and affected versions of Secure Work Space.

More Information

What is OpenSSL?

OpenSSL is an open-source implementation of the SSL and TLS protocols. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

What is the OpenSSL "Heartbleed" vulnerability?
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users. This issue was addressed in OpenSSL 1.0.1g.

What is the difference between a BlackBerry Security Advisory and Security Notice?

A Security Advisory publicly notifies BlackBerry customers of the availability of a software update to address a confirmed vulnerability in BlackBerry products, and it provides technical details regarding the vulnerability in combination with additional mitigations and workarounds to protect customers. In comparison, a Security Notice informs customers about software vulnerabilities that we are either working to address, or that we do not believe warrant a security update, given the low risk and severity. We do not follow a set schedule for issuing security notices, but rather release these notifications as needed to provide customers with information on how to best secure their device.

Definitions

CVE

Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities maintained by the MITRE Corporation.

CVSS

CVSS is a vendor agnostic, industry open standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency for update deployment within an organization. CVSS scores can range from 0.0 (no vulnerability) to 10.0 (critical). BlackBerry uses CVSS in vulnerability assessments to present an immutable characterization of security issues. BlackBerry assigns all relevant security issues a non-zero score.
Customers performing their own risk assessments of vulnerabilities that may impact them can benefit from using the same industry-recognized CVSS metrics.

Change Log

05-13-2014  Initial publication of security advisory closing KB35882

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBU3wz4BLndAQH1ShLAQIufg/+K/WjZNEv11UD23zB+gmg9ArYzyikacxV
VAmfdONgRoFCR3poZt2U3Zw/iFSqLg+p8cmFrdgTTyNFdZnkYL4QqnC2fnX6qALl
m+2yT8JClbR4hHS0MABWBTNP9z3XIGnHptuo69HZxAJJXMgqEYlSHh4NuQJRCqHG
KaTP5O0vARLRDY9q9bjxi08U3HgWQQDVWdPHwgY6diXkc94vhL0dRhcOH6WB07o2
e/DetkAbDX/t9jAJK5Zq1iSyVlOayEXupGFna81tBvhmcGqrKpo8RHEfCciletsR
CpWp3s5ZHnl9rwGBBoLtB3/IXZUnnLGWUNcN59tpQ1dc3wGshssXgBD/2Ad4GG9G
AYIYpnDXKEXDbKFHOt8f4XGij6hLnGV53hCSJHvpUgaLQzg9LA6uEusw0bsrMF1o
qs2iA+4zhRLhkCQ7gXYw0PnN4n7bC+PLYOZsDgF4MjYsYZC3sJgEwCrF4uQeBH6f
aUoo64BG83K22S6RsQsLqLmg1N3KN5+I/vU5uT8OmLjDm8Q6es087eLDjW/RTcMP
MMeCjourxiQ5PTmh2wD77P5zOeLkIT4ixJ5OoLSzAoqVSvIZLWt9HqsTDrkuuCrs
4rbGzHDvfxmDRcf48E5A6kRJJfJza8NE4MdpqlB8P6xoNbD6WJuz9qMcth2E+6Yf
UZsUpHrrVvU=
=DRJH
-----END PGP SIGNATURE-----