-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0789
           BSRT-2014-005 Information disclosure vulnerability in
                    OpenSSL affects BlackBerry products
                                21 May 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BBM for Android
                   BBM for iPhone
                   BlackBerry Enterprise Service 10
                   BES10 Client for iOS
                   BES10 Client for Android
                   BlackBerry Link For PC
                   BlackBerry Link for Mac
Publisher:         RIM
Operating System:  Windows
                   OS X
                   Apple iOS
                   Android
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0160  

Reference:         ASB-2014.0042
                   ESB-2014.0461
                   ESB-2014.0457
                   ESB-2014.0458.2

Original Bulletin: 
   http://www.blackberry.com/btsc/kb35955

- --------------------------BEGIN INCLUDED TEXT--------------------

BSRT-2014-005 Information disclosure vulnerability in OpenSSL affects 
BlackBerry products

Article ID: KB35955

Type:   BlackBerry Security Advisory

First Published: 05-13-2014

Last Modified: 05-13-2014

Product(s) Affected:

   BBM for Android
   BBM for iPhone
   BlackBerry Enterprise Service 10
   BES10 Client for iOS
   BES10 Client for Android
   BlackBerry Link For PC
   BlackBerry Link for Mac

Overview

Note: KB35955 was previously published as a Security Notice (KB35882), which 
addressed the OpenSSL "Heartbleed" vulnerability that was announced on April 
7, 2014. The Security Notice was updated as fixes became available. Now that 
all the fixes have been completed, this Security Advisory replaces the 
Security Notice and provides full details of publicly available software 
updates that address the issue. To review the related Security Notice, visit 
KB35882.

This advisory addresses an OpenSSL information disclosure vulnerability that 
is not currently being exploited on BlackBerry products but affects BBM for 
Android and iPhone, Secure Work Space for iOS and Android, BlackBerry 
Enterprise Service 10, and BlackBerry Link customers. BlackBerry customer risk 
is limited in all cases by the requirement that an attacker first gain access 
to an affected product in order to then mount a successful attack. For BBM 
for Android and iPhone, Secure Work Space, and Link, customer risk is further 
limited by the need for an attacker to successfully complete a 
man-in-the-middle attack that is capable of spoofing IP addresses: in these 
client products the vulnerable OpenSSL code runs on the client side, so the 
attacker must stand in for the server the client connects to, whereas the 
affected BES10 component is a network-reachable service. Successful 
exploitation requires an attacker to send a malformed request for a heartbeat 
reply to an SSL endpoint that is running a vulnerable version of OpenSSL. If 
the requirements for exploitation are met, an attacker could potentially gain 
access to limited but arbitrary data that is in memory. After installing the 
recommended software update, affected BlackBerry customers will be fully 
protected from this vulnerability.

Who should read this advisory?

   BBM for Android and iPhone users
   Secure Work Space users
   BlackBerry Link users
   IT administrators who deploy BES10 with Secure Work Space in an enterprise

Who should apply the software fix(es)?

   BBM for Android and iPhone users
   Secure Work Space users
   BlackBerry Link users
   IT administrators who deploy BES10 with Secure Work Space in an enterprise

More Information

Have any BlackBerry customers been subject to an attack that exploits this 
vulnerability?
BlackBerry is not aware of any attacks targeting BlackBerry customers using 
this vulnerability.

What factors affected the release of this security advisory?
This advisory addresses a publicly known vulnerability that was previously 
discussed in a Security Notice (KB35882). The notice provided available 
details, and was updated as affected products were fixed. BlackBerry publishes 
full details of a software update in a security advisory after the fix for 
each affected product is available to the majority of our customers and 
wireless service provider partners. Publishing this advisory ensures that all 
of our customers can protect themselves by updating their software, or 
employing available workarounds if updating is not possible.

Is the Security Notice (KB35882) still applicable?
No. Given that all of the products identified in the Security Notice have been 
fixed and are available to our customers, the Security Notice is provided only 
for historical context.

Where can I read more about the security of BlackBerry products and solutions?
For more information on BlackBerry security, visit 
http://us.blackberry.com/business/enterprise-mobility/mobile-security.html and 
www.blackberry.com/bbsirt.

Affected Software and Resolutions

Read the following information to determine if your BlackBerry product is 
affected.

Affected Software

Product                                                Date fix was available
BBM for iPhone earlier than version 2.1.1.64           April 18, 2014
BBM for Android earlier than version 2.1.1.53          April 18, 2014      

Secure Work Space for iOS, versions as outlined:       April 17, 2014

   Work Connect earlier than version 1.0.10980.3    
   Work Browser earlier than version 1.1.10980.3 

Secure Work Space for Android, versions as outlined:   April 17, 2014

   Work Space Manager earlier than version 23552_10
   SWS for Android 2.3.7 earlier than version 23552_10-2.3.7
   SWS for Android 4.0.4 earlier than version 23553_10-4.0.4
   SWS for Android 4.4 earlier than version 23554_10-4.4 

Universal Device Service component of BES10 version    April 21, 2014 
10.1.1 and later (BlackBerry Work Connect 
Notification Service (BWCNS) only)

BlackBerry Link for Windows earlier than               May 13, 2014
version 1.2.3.48 (bundle46)

BlackBerry Link for Mac OS earlier than                May 13, 2014
version 1.2.1.16 (bundle21)


Non-Affected Software

Product                                                Date fix was available

BBM for iPhone version 2.1.1.64 and later              April 18, 2014

BBM for Android version 2.1.1.53 and later             April 18, 2014      

Secure Work Space for iOS, versions as outlined:       April 17, 2014

   Work Connect version 1.0.10980.3 and later
   Work Browser version 1.1.10980.3 and later 

Secure Work Space for Android, versions as outlined:   April 17, 2014

   Work Space Manager version 23552_10 and later
   SWS for Android 2.3.7 version 23552_10-2.3.7 and later
   SWS for Android 4.0.4 version 23553_10-4.0.4 and later
   SWS for Android 4.4 version 23554_10-4.4 and later 


Universal Device Service component of BES10            April 21, 2014
version 10.1.1 and later with Interim Security 
Update (April 21, 2014)

BlackBerry Link for Windows version 1.2.3.48           May 13, 2014
(bundle46) and later

BlackBerry Link for Mac OS version 1.2.1.16            May 13, 2014
(bundle21) and later
 

The following software was never affected and all versions are fully protected 
against the vulnerability:

   BlackBerry Device Service component of BES 10 
   Universal Device Service component of BES 10 earlier than version 10.1.1
   BlackBerry Enterprise Server 5
   BlackBerry Universal Device Server 6.2 and earlier
   BlackBerry 10 OS
   BlackBerry 7.1 OS and earlier
   BlackBerry Infrastructure services
   BBM for BlackBerry smartphones
   BlackBerry PlayBook tablet software
   BlackBerry Enterprise Server for Office 365
   BlackBerry Desktop Manager

Are BlackBerry smartphones affected?
No.

Resolution

BlackBerry has now issued fixes for all products that were affected by this 
vulnerability, which are included in:
 
Product                                                Date fix was available

BBM for iPhone version 2.1.1.64 and later              April 18, 2014

BBM for Android version 2.1.1.53 and later             April 18, 2014      

Secure Work Space for iOS, versions as outlined:       April 17, 2014

   Work Connect version 1.0.10980.3 and later
   Work Browser version 1.1.10980.3 and later 

Secure Work Space for Android, versions as outlined:   April 17, 2014

   Work Space Manager version 23552_10 and later
   SWS for Android 2.3.7 version 23552_10-2.3.7 and later
   SWS for Android 4.0.4 version 23553_10-4.0.4 and later
   SWS for Android 4.4 version 23554_10-4.4 and later 

Universal Device Service component of BES10 version    April 21, 2014
10.1.1 and later with Interim Security 
Update (April 21, 2014)

BlackBerry Link for Windows version 1.2.3.48           May 13, 2014
(bundle46) and later

BlackBerry Link for Mac OS version 1.2.1.16            May 13, 2014
(bundle21) and later

These software updates resolve this vulnerability on affected versions of the 
listed products. Update the listed software to the specified version or later 
to be fully protected from this issue.
See the Mitigations section of this advisory for information on how to manage 
potential risk until the software update can be installed.

Vulnerability Information

A vulnerability exists in the OpenSSL implementation included with affected 
BlackBerry products. The popular OpenSSL cryptographic software library is 
open-source software used to secure client/server transactions.

Successful exploitation of this vulnerability could potentially result in an 
attacker gaining access to limited but arbitrary data that is in memory. This 
data could include the information protected, under normal conditions, by the 
SSL/TLS encryption used to secure the Internet.

In order to exploit this vulnerability, an attacker must send a malformed 
request for a heartbeat reply to an SSL endpoint that is running a vulnerable 
version of OpenSSL (1.0.1 through 1.0.1f). The request declares a payload 
length larger than the data actually sent; because the vulnerable code trusts 
that declared length, the endpoint copies that many bytes from its own memory 
into the reply, up to 64 KB per request.
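The mechanism described above, as an added example that is not BlackBerry's or OpenSSL's code: a self-contained C model of the heartbeat handler with the missing length check beside the check that OpenSSL 1.0.1g added. The simulated process memory, the embedded secret and the request bytes are constructed here so the program runs offline, and the function names are this example's own.

```c
/* Added example (not BlackBerry's or OpenSSL's code): model of CVE-2014-0160.
 * Heartbeat message per RFC 6520:
 *   hb_type(1) | payload_length(2, big-endian) | payload | padding(>=16)
 * The "process memory" and its secret are constructed for this demonstration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16                 /* RFC 6520 minimum padding */

/* Simulated heap: the received record starts at offset 0; a constructed secret
 * sits at offset 128 to stand in for neighbouring allocations. Keep claimed
 * lengths below sizeof process_mem - 3 so the over-read stays in this buffer. */
static unsigned char process_mem[256];
static const char SECRET[] = "SECRET-SESSION-COOKIE";

/* Write a heartbeat request whose wire payload_length is `claimed` but which
 * carries only `actual` payload bytes. Returns the true record length, which
 * the TLS record layer knows and the attacker cannot forge. */
size_t build_heartbeat(uint16_t claimed, const unsigned char *payload, size_t actual)
{
    memset(process_mem, 0, sizeof process_mem);
    memcpy(process_mem + 128, SECRET, sizeof SECRET - 1);
    process_mem[0] = HB_REQUEST;
    process_mem[1] = (unsigned char)(claimed >> 8);
    process_mem[2] = (unsigned char)(claimed & 0xff);
    memcpy(process_mem + 3, payload, actual);
    return 3 + actual + HB_PADDING;    /* the zeros after the payload are padding */
}

/* Shared reply builder: echoes `payload` bytes starting at rec+3. */
static int write_response(const unsigned char *rec, uint16_t payload,
                          unsigned char *out, size_t out_cap, size_t *out_len)
{
    size_t need = 3 + (size_t)payload + HB_PADDING;
    if (need > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload); /* over-reads when payload_length is a lie */
    memset(out + 3 + payload, 0, HB_PADDING);
    *out_len = need;
    return 0;
}

/* Vulnerable: trusts the attacker-supplied payload_length and never compares
 * it with rec_len, so the copy runs past the record into adjacent memory. */
int process_heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                 unsigned char *out, size_t out_cap, size_t *out_len)
{
    (void)rec_len;                     /* the bug: record length is ignored */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    return write_response(rec, payload, out, out_cap, out_len);
}

/* Fixed: header + declared payload + minimum padding must fit inside the
 * record actually received; otherwise the message is silently discarded. */
int process_heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap, size_t *out_len)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return -1; /* the 1.0.1g check */
    return write_response(rec, payload, out, out_cap, out_len);
}

/* Did the constructed secret end up in the reply? */
int response_leaks_secret(const unsigned char *out, size_t out_len)
{
    size_t n = sizeof SECRET - 1;
    for (size_t i = 0; i + n <= out_len; i++)
        if (memcmp(out + i, SECRET, n) == 0) return 1;
    return 0;
}

/* Outcome of one request: -1 rejected, 0 answered cleanly, 1 answered and
 * the secret leaked. */
int heartbeat_outcome(uint16_t claimed, int use_fixed)
{
    unsigned char out[512];
    size_t out_len = 0;
    size_t rec_len = build_heartbeat(claimed, (const unsigned char *)"ping", 4);
    int rc = use_fixed
        ? process_heartbeat_fixed(process_mem, rec_len, out, sizeof out, &out_len)
        : process_heartbeat_vulnerable(process_mem, rec_len, out, sizeof out, &out_len);
    if (rc != 0) return -1;
    return response_leaks_secret(out, out_len);
}

int main(void)
{
    printf("honest request,   vulnerable code: %d\n", heartbeat_outcome(4, 0));
    printf("honest request,   fixed code:      %d\n", heartbeat_outcome(4, 1));
    printf("claims 200 bytes, vulnerable code: %d\n", heartbeat_outcome(200, 0));
    printf("claims 200 bytes, fixed code:      %d\n", heartbeat_outcome(200, 1));
    return 0;
}
```

The attacker controls only the two payload_length bytes; the record length that the fixed handler compares against comes from the TLS record layer and cannot be forged, which is why that single comparison closes the hole.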

This vulnerability has multiple Common Vulnerability Scoring System (CVSS) 
scores, depending on the affected product. View the linked Common 
Vulnerabilities and Exposures (CVE) identifier for a description of the 
security issue that this security advisory addresses.
  
CVE identifier   Affected Products                                                      CVSS score
CVE-2014-0160    Universal Device Service component of BES10 version 10.1.1 and later   3.3
CVE-2014-0160    Affected versions of BBM for Android and iPhone                        1.8
CVE-2014-0160    Affected versions of Secure Work Space for iOS and Android             1.8
CVE-2014-0160    Affected versions of BlackBerry Link for Windows and Mac OS            1.8
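The advisory quotes CVSS scores but not the vectors behind them. As an added example (not BlackBerry's tooling, and not BlackBerry's vectors), the following C program implements the CVSS v2 base equation so a reader can score the issue for their own environment; the vectors in main() are assumptions chosen so the output reproduces the advisory's 3.3 and 1.8, alongside the network-reachable vector NVD assigned to the generic OpenSSL bug.

```c
/* Added example (not BlackBerry's scoring tool): CVSS v2 base-score calculator
 * using the published v2 equations and metric weights. Vectors in main() are
 * assumptions that reproduce the advisory's scores, not BlackBerry's own. */
#include <stdio.h>
#include <string.h>

/* Weight of one metric value, or -1 if the letter is not valid for the group. */
static double metric_weight(const char *group, char v)
{
    if (!strcmp(group, "AV")) return v=='L' ? 0.395 : v=='A' ? 0.646 : v=='N' ? 1.0   : -1;
    if (!strcmp(group, "AC")) return v=='H' ? 0.35  : v=='M' ? 0.61  : v=='L' ? 0.71  : -1;
    if (!strcmp(group, "Au")) return v=='M' ? 0.45  : v=='S' ? 0.56  : v=='N' ? 0.704 : -1;
    if (!strcmp(group, "C") || !strcmp(group, "I") || !strcmp(group, "A"))
                              return v=='N' ? 0.0   : v=='P' ? 0.275 : v=='C' ? 0.660 : -1;
    return -1;
}

/* Parse "AV:x/AC:x/Au:x/C:x/I:x/A:x" (any order) and return the base score in
 * tenths (33 for 3.3), or -1 if the vector is malformed or a metric is missing. */
int cvss2_base_tenths(const char *vector)
{
    double w[6] = { -1, -1, -1, -1, -1, -1 };          /* AV, AC, Au, C, I, A */
    static const char *names[6] = { "AV", "AC", "Au", "C", "I", "A" };
    char buf[64];
    if (strlen(vector) >= sizeof buf) return -1;
    strcpy(buf, vector);
    for (char *tok = strtok(buf, "/"); tok; tok = strtok(NULL, "/")) {
        char *colon = strchr(tok, ':');
        if (!colon || strlen(colon) != 2) return -1;
        *colon = '\0';
        int k;
        for (k = 0; k < 6 && strcmp(tok, names[k]); k++) ;
        if (k == 6) return -1;
        w[k] = metric_weight(tok, colon[1]);
        if (w[k] < 0) return -1;
    }
    for (int k = 0; k < 6; k++) if (w[k] < 0) return -1;

    /* CVSS v2 base equation */
    double impact         = 10.41 * (1 - (1 - w[3]) * (1 - w[4]) * (1 - w[5]));
    double exploitability = 20 * w[0] * w[1] * w[2];
    double f_impact       = impact == 0 ? 0 : 1.176;
    double base = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact;
    return (int)(base * 10 + 0.5);                      /* round to one decimal */
}

double cvss2_base_score(const char *vector)
{
    int t = cvss2_base_tenths(vector);
    return t < 0 ? -1.0 : t / 10.0;
}

int main(void)
{
    /* Assumed vectors: adjacent-network access and partial confidentiality
     * impact for both BlackBerry cases, differing only in access complexity. */
    const char *vectors[] = {
        "AV:A/AC:L/Au:N/C:P/I:N/A:N",   /* BES10 UDS: on-net attacker, low complexity -> 3.3 */
        "AV:A/AC:H/Au:N/C:P/I:N/A:N",   /* clients: needs IP-spoofing MITM, high complexity -> 1.8 */
        "AV:N/AC:L/Au:N/C:P/I:N/A:N",   /* NVD's vector for the generic OpenSSL bug -> 5.0 */
    };
    for (int i = 0; i < 3; i++)
        printf("%-28s -> %.1f\n", vectors[i], cvss2_base_score(vectors[i]));
    return 0;
}
```

Because the confidentiality impact is the same in every vector, the whole spread between 1.8 and 5.0 comes from the access vector and access complexity metrics, which is exactly where the advisory's mitigations (on-net access, IP-spoofing man-in-the-middle) bite.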
 
To review the related Security Notice, visit KB35882.

Mitigations

Mitigations are existing conditions that a potential attacker would need to 
overcome in order to mount a successful attack or that would limit the 
severity of an attack. Examples of such conditions include default settings, 
common configurations and general best practices. 
 
Universal Device Service component of BES10 version 10.1.1 and later
This vulnerability is mitigated by the requirement that an attacker would need 
to be on the same network with access to the Tomcat instance associated with 
the BlackBerry Work Connect Notification Service (BWCNS), which is a component 
that handles message notifications for Secure Work Space for iOS. If the 
service is disabled or not reachable, the system is not vulnerable.

Secure Work Space
This vulnerability is mitigated by the connection architecture, in that the 
service only connects to a known and trusted end point.

BBM for Android
This vulnerability is mitigated by the connection architecture, in that the 
service only connects to a known and trusted end point.

BBM for iPhone
This vulnerability is mitigated by the connection architecture, in that the 
service only connects to a known and trusted end point.

BlackBerry Link
This issue is mitigated for BlackBerry Link for Mac OS and BlackBerry Link for 
Windows by the requirement that an attacker must first gain control of the 
local network before launching an attack. Additionally, these systems are not 
typically visible to the Internet and external traffic is sent via a proxy in 
a business environment. This significantly raises the difficulty of exploiting 
these systems.

Workarounds

Workarounds are settings or configuration changes that a user or administrator 
can apply to help protect against an attack. BlackBerry recommends that all 
users apply the appropriate software updates to fully protect their system. 
All workarounds should be considered temporary measures for customers to apply 
if they cannot install the update immediately or must perform standard testing 
and risk analysis. BlackBerry recommends that customers who are able to do so 
install the update to secure their systems.

BlackBerry Link customers can employ their firewall system to filter out 
heartbeat requests, that is, TLS records with content type 24 (RFC 6520), 
destined for the hosts running BlackBerry Link. Heartbeat records are rarely 
used by TLS-over-TCP applications, so dropping them is unlikely to disrupt 
other traffic.
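An added example, not BlackBerry's or any firewall vendor's code, of the check such a filter has to make: a scanner over a byte stream of TLS records that classifies each record by its cleartext header, drops heartbeat records (content type 24) and separately flags a heartbeat whose declared payload length cannot fit in the record, which is the signature of a Heartbleed probe. The sample records are constructed here, not captured traffic, and the verdict names are this example's own.

```c
/* Added example (not BlackBerry's or a firewall vendor's code): TLS record
 * filter for heartbeat requests. Record header (cleartext even after the
 * handshake): content_type(1) | version(2) | length(2). Heartbeat = 24,
 * handshake = 22, application data = 23 (RFC 5246 / RFC 6520). */
#include <stddef.h>
#include <stdio.h>

#define TLS_CT_HEARTBEAT 24
#define HB_MIN_PADDING   16

enum verdict { PASS = 0, DROP_HEARTBEAT = 1, DROP_MALFORMED = 2, INCOMPLETE = 3 };

/* Classify the record at buf (len bytes available). If consumed is non-NULL it
 * receives the record's on-wire size, or 0 when the record is incomplete. */
enum verdict classify_record(const unsigned char *buf, size_t len, size_t *consumed)
{
    if (consumed) *consumed = 0;
    if (len < 5) return INCOMPLETE;
    size_t rec_len = ((size_t)buf[3] << 8) | buf[4];
    if (len < 5 + rec_len) return INCOMPLETE;
    if (consumed) *consumed = 5 + rec_len;
    if (buf[0] != TLS_CT_HEARTBEAT) return PASS;
    /* heartbeat body: hb_type(1) | payload_length(2) | payload | padding(>=16) */
    if (rec_len < 3) return DROP_MALFORMED;
    size_t claimed = ((size_t)buf[6] << 8) | buf[7];
    if (1 + 2 + claimed + HB_MIN_PADDING > rec_len) return DROP_MALFORMED; /* Heartbleed signature */
    return DROP_HEARTBEAT;   /* policy: drop every heartbeat, well-formed or not */
}

/* Walk a stream of concatenated records. Returns the number of records dropped;
 * if leftover is non-NULL it receives the bytes of a trailing partial record. */
size_t scan_stream(const unsigned char *buf, size_t len, size_t *leftover)
{
    size_t off = 0, dropped = 0, used = 0;
    while (off < len) {
        enum verdict v = classify_record(buf + off, len - off, &used);
        if (v == INCOMPLETE) break;
        if (v != PASS) dropped++;
        off += used;
    }
    if (leftover) *leftover = len - off;
    return dropped;
}

/* Constructed samples (not captured traffic). */
static const unsigned char SAMPLE_HANDSHAKE[] = { 22, 3, 1, 0, 4, 1, 0, 0, 0 };
static const unsigned char SAMPLE_HB_OK[] = {
    24, 3, 2, 0, 23,                                    /* 23-byte body */
    1, 0, 4, 'p', 'i', 'n', 'g',                        /* request, 4-byte payload */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };   /* 16 bytes of padding */
static const unsigned char SAMPLE_HB_BAD[] = {
    24, 3, 2, 0, 7,                                     /* 7-byte body ... */
    1, 0x40, 0x00, 'p', 'i', 'n', 'g' };                /* ... claiming 16384 bytes */
/* handshake, good heartbeat, bad heartbeat, then 3 bytes of a partial record */
static const unsigned char SAMPLE_STREAM[] = {
    22, 3, 1, 0, 4, 1, 0, 0, 0,
    24, 3, 2, 0, 23, 1, 0, 4, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    24, 3, 2, 0, 7, 1, 0x40, 0x00, 'p', 'i', 'n', 'g',
    24, 3, 2 };

int main(void)
{
    size_t left;
    size_t dropped = scan_stream(SAMPLE_STREAM, sizeof SAMPLE_STREAM, &left);
    printf("dropped %zu record(s); %zu byte(s) of a partial record buffered\n", dropped, left);
    printf("bad heartbeat verdict: %d\n",
           classify_record(SAMPLE_HB_BAD, sizeof SAMPLE_HB_BAD, NULL));
    return 0;
}
```

Once the handshake has completed, heartbeat bodies are encrypted, so the payload-length comparison only works for heartbeats sent in the clear (which is how the public Heartbleed probes operate); dropping on content type 24 works in both cases, and because TLS-over-TCP applications rarely use heartbeats, the blanket drop has little collateral effect.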

There are no workarounds for this vulnerability for affected versions of the 
Universal Device Service component of BES10, affected versions of BBM for 
Android and iPhone and affected versions of Secure Work Space.

More Information

What is OpenSSL?
OpenSSL is an open-source implementation of the SSL and TLS protocols. SSL/TLS 
provides communication security and privacy over the Internet for applications 
such as web, email, instant messaging (IM) and some virtual private networks 
(VPNs).

What is the OpenSSL "Heartbleed" vulnerability?
The Heartbleed bug allows anyone on the Internet to read the memory of the 
systems protected by the vulnerable versions of the OpenSSL software. This 
compromises the secret keys used to identify the service providers and to 
encrypt the traffic, the names and passwords of the users and the actual 
content. This allows attackers to eavesdrop on communications, steal data 
directly from the services and users and to impersonate services and users. 
The bug is a missing bounds check in OpenSSL's handling of the TLS/DTLS 
heartbeat extension (RFC 6520); OpenSSL 1.0.1 through 1.0.1f are affected. 
This issue was addressed in OpenSSL 1.0.1g, and builds compiled with 
-DOPENSSL_NO_HEARTBEATS are not affected.

What is the difference between a BlackBerry Security Advisory and Security 
Notice?
A Security Advisory publicly notifies BlackBerry customers of the availability 
of a software update to address a confirmed vulnerability in BlackBerry 
products, and it provides technical details regarding the vulnerability in 
combination with additional mitigations and workarounds to protect customers.
In comparison, a Security Notice informs customers about software 
vulnerabilities that we are either working to address, or that we do not 
believe warrant a security update, given the low risk and severity. We do not 
follow a set schedule for issuing security notices, but rather release these 
notifications as needed to provide customers with information on how to best 
secure their device.

Definitions

CVE
Common Vulnerabilities and Exposures (CVE) is a dictionary of common names 
(CVE Identifiers) for publicly known information security vulnerabilities 
maintained by the MITRE Corporation.

CVSS
CVSS is a vendor agnostic, industry open standard designed to convey the 
severity of vulnerabilities. CVSS scores may be used to determine the urgency 
for update deployment within an organization. CVSS scores can range from 0.0 
(no vulnerability) to 10.0 (critical). BlackBerry uses CVSS in vulnerability 
assessments to present an immutable characterization of security issues. 
BlackBerry assigns all relevant security issues a non-zero score. Customers 
performing their own risk assessments of vulnerabilities that may impact them 
can benefit from using the same industry-recognized CVSS metrics. 

Change Log

05-13-2014

Initial publication of security advisory closing KB35882

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----