Introduction

A security vulnerability has been discovered in the OpenSSL cryptography software library.  The vulnerability has been labeled CVE-2014-0160, by the National Vulnerabilities Database and has been nicknamed “Heartbleed”.  OpenSSL is widely used in applications, operating systems, and web server software (e.g. used in Apache and nginx web servers which account for ~66% of the internet).

 

Heartbleed exploits a recently added feature (Heartbeat) within SSL/TLS. Heartbleed enables an attacker to read system memory, thereby potentially exposing private keys, passwords, and communication payloads.  The attack is readily countered with a simple code patch.  There is no way to detect if a system has been compromised.  Details on the exploit and corrective measure recommendations based on use models can be found at: http://heartbleed.com and

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160.

 

 

Impact on MSI Mobile Computing Portfolio

Though the most significant impact is to internet web servers, the vulnerability also exists in Android JellyBean version 4.1.1.  No other versions of Android are vulnerable. Neither are any of MSI mobile computers running any versions of Microsoft’s Operating Systems. The following MSI mobile computers are impacted:

  • MC40 (Jellybean OS versions only)
  • ET-1 (Jellybean OS versions only)
  • MC67 (Jellybean OS versions only)

 

MSI response and recommends

 

Based on guidance from the OpenSSL Projects security Advisory, MSI has developed a code patch to remove and secure the above effected products.  The patch along with installation instructions is available for download free of charge at MC40 MC67 ET1 - HeartBleed Security Vulnerability in Android JB 4.1.1 device - SPR25574.

 

There are a number of scanning utilities available to customers to detect (or verify removal of) the Heartbleed vulnerability in both the OS and/or loaded applications.  More information is available via the MSI developer community at Launchpad {link}

 

Motorola Solutions recommends that this patch be used in any deployment of affected products where secure communications via SSL, i.e. HTTPS web sites, are used.  Additionally, we strongly recommend that customers check with vendors for their Server Operating Systems, Web server and other server SW components for potential vulnerabilities and remediation plans.


External Resources

There is a utility available from Bluebox (Bluebox Security) which will scan for any vulnerabilities on a device.  The apk is available here: http://files.bluebox.com/HeartbleedScanner_7.apk

 

Additional References

[1]. http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html

[2]. http://nakedsecurity.sophos.com/2014/04/08/anatomy-of-a-data-leak-bug-openssl-heartbleed/