Security notice issued from BlackBerry for OpenSSL FREAK vulnerability

BlackBerry has issued a security notice via the BlackBerry Knowledge Base for the OpenSSL vulnerability known as “FREAK”.

On Tuesday, March 3, 2015, researchers announced a new SSL/TLS vulnerability called the FREAK attack. It allows an attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use export-grade (512-bit) RSA key exchange, which the attacker can break by factoring the key and then use to steal or manipulate sensitive data. The researchers' tracking site is dedicated to tracking the impact of the attack and helping users test whether they’re vulnerable.

The FREAK attack was discovered by Karthikeyan Bhargavan at INRIA in Paris and the miTLS team. Further disclosure was coordinated by Matthew Green. This report is maintained by computer scientists at the University of Michigan, including Zakir Durumeric, David Adrian, Ariana Mirian, Michael Bailey, and J. Alex Halderman. The team can be contacted at freakattack@umich.edu.

For additional details about the attack and its implications, see this post by Matt Green, this site by the discoverers, this Washington Post article, and this post by Ed Felten.


BlackBerry response to OpenSSL “FREAK” Vulnerability

Overview

This security notice addresses the OpenSSL “FREAK” vulnerability that was disclosed on March 3, 2015. BlackBerry® is diligently working to investigate the vulnerability and to determine how best to mitigate customer risk. Investigations are still ongoing but have confirmed that BlackBerry products are affected by this vulnerability. We will update this security notice as new information and fixes become available.

Who should read this notice?

  • BlackBerry smartphone users
  • BBM for iOS, Android, and Windows Phone users
  • BlackBerry Blend users
  • BlackBerry Link users
  • Secure Work Space for iOS and Android users
  • IT administrators who deploy BlackBerry smartphones, BES12, BES10, BES5, or Secure Work Space for iOS or Android in an enterprise

More Information

  • Have any BlackBerry customers been subject to an attack that exploits this vulnerability? – BlackBerry is not aware of any attacks targeting BlackBerry customers using this vulnerability.
  • When will BlackBerry fix the BlackBerry products affected by the OpenSSL vulnerability? – For those products that are affected, we are diligently working to determine the full impact of the issue and confirm the best approach for protecting customers.
  • When will BlackBerry provide more updates about these issues? – BlackBerry may provide further updates as needed while our ongoing investigation continues. This notice will also be updated as affected BlackBerry products are fixed.
  • Where can I read more about the security of BlackBerry products and solutions? – For more information on BlackBerry security, visit www.blackberry.com/security and www.blackberry.com/bbsirt. For more information on security features in BlackBerry 10 devices, read the BlackBerry Security Overview.

Affected Software

  • BlackBerry 10 OS (all versions)
  • BlackBerry 7.1 OS and earlier (all versions)
  • BES12 (all versions)
  • BES10 (all versions)
  • BES12 Client (iOS) (all versions)
  • Secure Work Space for BES10/BES12 (Android) (all versions)
  • Work Space Manager for BES10/BES12 (Android) (all versions)
  • Work Browser for BES10/BES12 (iOS) (all versions)
  • Work Connect for BES10/BES12 (iOS) (all versions)
  • BlackBerry Blend for BlackBerry 10, Android, iOS, Windows and Mac (all versions)
  • BlackBerry Link for Windows and Mac (all versions)
  • BBM on BlackBerry 10 and Windows Phone (all versions)
  • BBM on Android earlier than version 2.7.0.6
  • BBM on iOS earlier than version 2.7.0.32
  • BBM Protected on BlackBerry 10 and BlackBerry OS (all versions)
  • BBM Protected on Android earlier than version 2.7.0.6
  • BBM Protected on iOS earlier than version 2.7.0.32
  • BBM Meetings for BlackBerry 10, Android, iOS, and Windows Phone (all versions)

Non-Affected Software

  • BES5 (all versions)
  • BlackBerry Universal Device Service (all versions)
  • BES12 Client (Windows Phone) (all versions)
  • BES12 Client (Android) (all versions)
  • BBM on Android version 2.7.0.6 and later
  • BBM on iOS version 2.7.0.32 and later
  • BBM Protected on Android version 2.7.0.6 and later
  • BBM Protected on iOS version 2.7.0.32 and later

Are BlackBerry smartphones affected?

Yes

Vulnerability Information

BlackBerry is currently investigating the customer impact of the recently announced OpenSSL FREAK vulnerability. A list of known affected and unaffected products is supplied in this notice, and may be updated as we complete our investigation.

FREAK (Factoring attack on RSA-EXPORT Keys) is a vulnerability in the OpenSSL implementation included with affected BlackBerry products. The popular OpenSSL cryptographic software library is open-source software used to secure client/server transactions. The OpenSSL defect is on the client side: a vulnerable client accepts an export-grade (512-bit) RSA key from the server in a ServerKeyExchange message even when it negotiated a regular, non-export RSA cipher suite.

This weakness could allow an attacker who is able to intercept and modify SSL/TLS traffic to force the connection onto a weak, export-grade RSA key exchange. The 512-bit RSA key used by such a suite can be factored in a matter of hours with commodity computing resources, after which the attacker can recover the session keys and read or tamper with the traffic. In order to exploit this vulnerability, an attacker must first complete a successful man-in-the-middle (MitM) attack. This issue was addressed in OpenSSL 1.0.1k, and the fix is available for integration into affected BlackBerry products. The vulnerability is tracked as CVE-2015-0204.
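The downgrade described above, modelled as a message exchange between client, MitM and server. This is an added example, not code from BlackBerry or OpenSSL. The cipher-suite numbers are the IANA TLS registry values; the message classes, the server's suite selection, the 512-bit key size and the "patched" client check (modelled on the rule OpenSSL 1.0.1k introduced, that a temporary RSA key in a ServerKeyExchange is only acceptable when the negotiated suite is RSA_EXPORT) are assumptions of the model. The model omits the Finished messages that would normally expose the tampered Hello messages; in the real attack, factoring the 512-bit key gives the attacker the premaster secret and hence the session keys needed to forge them.

```python
"""Model of the FREAK downgrade (CVE-2015-0204) as a handshake exchange.

Added illustration, not BlackBerry or OpenSSL code. Cipher-suite codes are
IANA registry values; everything else (message shapes, server behaviour,
key sizes) is a constructed model.
"""
from dataclasses import dataclass

# IANA cipher-suite identifiers (subset)
RSA_WITH_AES_128_CBC_SHA = 0x002F
RSA_WITH_AES_256_CBC_SHA = 0x0035
RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003
RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008

EXPORT_SUITES = {RSA_EXPORT_WITH_RC4_40_MD5, RSA_EXPORT_WITH_DES40_CBC_SHA}
RSA_SUITES = EXPORT_SUITES | {RSA_WITH_AES_128_CBC_SHA, RSA_WITH_AES_256_CBC_SHA}


@dataclass
class ClientHello:
    cipher_suites: list  # in client preference order


@dataclass
class ServerHello:
    cipher_suite: int


@dataclass
class ServerKeyExchange:
    rsa_key_bits: int  # size of the temporary RSA key the server offers


def server_respond(hello):
    """Model server that still supports export suites and takes the first
    RSA suite the client offers (constructed behaviour)."""
    for suite in hello.cipher_suites:
        if suite in RSA_SUITES:
            chosen = suite
            break
    else:
        raise ValueError("no common cipher suite")
    if chosen in EXPORT_SUITES:
        # Export suites carry a short temporary RSA key; 512 bits was the
        # norm, and 512-bit moduli are factorable with commodity compute.
        return ServerHello(chosen), ServerKeyExchange(rsa_key_bits=512)
    # Regular RSA suites use the certificate key; no ServerKeyExchange.
    return ServerHello(chosen), None


def client_accepts(negotiated_suite, ske, patched):
    """Client-side check on a ServerKeyExchange carrying an RSA key.

    Unpatched (pre-1.0.1k) logic: any RSA key-exchange suite accepts a
    temporary RSA key, so a 512-bit key is used with a 'strong' suite.
    Patched logic: a temporary RSA key is only legitimate for an
    RSA_EXPORT suite; otherwise the message is unexpected and rejected.
    """
    if ske is None:
        return True
    if not patched:
        return negotiated_suite in RSA_SUITES
    return negotiated_suite in EXPORT_SUITES


def run_handshake(patched, attacker_present):
    """Return (accepted, rsa_key_bits_used). rsa_key_bits_used is None when
    the certificate key (not a temporary key) would be used, or on rejection."""
    hello = ClientHello([RSA_WITH_AES_256_CBC_SHA, RSA_WITH_AES_128_CBC_SHA])
    if attacker_present:
        # MitM rewrites the ClientHello so the server sees only export suites
        hello_to_server = ClientHello([RSA_EXPORT_WITH_RC4_40_MD5])
    else:
        hello_to_server = hello
    sh, ske = server_respond(hello_to_server)
    if attacker_present:
        # MitM rewrites the ServerHello back to the suite the client asked
        # for; the ServerKeyExchange with the 512-bit key passes through.
        sh_to_client = ServerHello(hello.cipher_suites[0])
    else:
        sh_to_client = sh
    accepted = client_accepts(sh_to_client.cipher_suite, ske, patched)
    key_bits = ske.rsa_key_bits if (accepted and ske is not None) else None
    return accepted, key_bits


if __name__ == "__main__":
    for patched in (False, True):
        for attacker in (False, True):
            print(f"patched={patched} attacker={attacker} ->",
                  run_handshake(patched, attacker))
```

With an attacker present, the unpatched client believes it negotiated AES-256 yet encrypts the premaster secret to a 512-bit key, which is exactly the state FREAK exploits; the patched client rejects the same ServerKeyExchange as unexpected for the negotiated suite. Without an attacker, neither client receives a temporary key at all.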

Further investigation into affected products is ongoing, and BlackBerry is working to determine the full impact of the issue and confirm the best approach for protecting customers. As fixes become available, this notice will be updated.

Mitigations

Mitigations are existing conditions that a potential attacker would need to overcome to mount a successful attack or that would limit the severity of an attack. Examples of such conditions include default settings, common configurations and general best practices.

This issue is mitigated for all customers by the prerequisite that the attacker must first complete a successful man-in-the-middle (MitM) attack in order to exploit the vulnerability. For BES12, BES10, Blend and Link, this would additionally require that the attacker compromise the intranet.

This issue is further mitigated for customers sending data that is encrypted before being sent over SSL; for example, data encrypted by S/MIME or PGP will still be protected, although the surrounding SSL/TLS session, and any data in it that is not separately encrypted, remains exposed.

Source: BlackBerry Knowledge Base