BlackBerry has confirmed BlackBerry OS 10, BES 12 and 10 and other products are affected by the FREAK flaw, but it has no patch.
BlackBerry, it seems, is on the back foot in responding to the now infamous FREAK flaw.
Apple, Microsoft, Google and Cisco this week rolled out fixes to protect their products against a man-in-the-middle attacker that could force SSL connections onto a weak and easily broken cipher suite. BlackBerry however doesn’t have a patch yet and says it is still working to determine the full impact to its products.
BlackBerry products have been exposed to past widespread OpenSSL bugs like Heartbleed but the handset maker hadn’t until Thursday confirmed which products were affected by FREAK.
The response so far doesn’t support its messaging as the secure choice for the enterprise and to make matters worse, it hasn’t got a fix for consumer and enterprise products affected.
Its advisory on Thursday confirmed products affected include BlackBerry 10 OS, BlackBerry 7.1 OS, all versions of BES 12 and BES 10, all versions of Secure Work Space, and all version of BBM on BlackBerry 10 and Windows Phone. Meanwhile, BBM for Android below 18.104.22.168 and BBM on iOS earlier than version 22.214.171.124 are both vulnerable. The full list of affected and unaffected products can be found here.
The FREAK flaw was disclosed by the OpenSSL Project on January 8 and was later explained in detail by researchers in France and Microsoft on March 3.
BlackBerry said there are no workarounds to fix the flaw and that it currently does not have a fix to issue customers.
“For those products that are affected, we are diligently working to determine the full impact of the issue and confirm the best approach for protecting customers,” it said in the advisory.
“BlackBerry may provide further updates as needed while our ongoing investigation continues. This notice will also be updated as affected BlackBerry products are fixed.”
BlackBerry also noted that an OpenSSL fix is available for BlackBerry products.
“This weakness could allow an attacker who is able to intercept and modify encrypted SSL traffic to force a weaker cipher suite. This weaker cipher suite could be broken by a brute force attack within a finite time. In order to exploit this vulnerability, an attacker must first complete a successful man-in-the-middle (MitM) attack. This issue was addressed in OpenSSL 1.0.1k and a fix is available for integration into affected BlackBerry products,” the company said.
The only upside for customers using affected products is that an attacker must successfully launch a MITM attack on a secure connection to exploit the vulnerability.
“For BES12, BES10, Blend and Link, this would additionally require that the attacker compromise the intranet,” BlackBerry said.
“This issue is further mitigated for customers sending data that is encrypted before being sent over SSL; for example, data encrypted by S/MIME or PGP will still be protected,” it added.
The company said it will provide further updates when fixes become available.
This article is brought to you by Enex TestLab, content directors for CSO Australia.