Cross-site scripting (XSS) vulnerability in the BlackBerry Web Desktop Manager component of the BlackBerry Enterprise Server

Article ID: KB26296

Type:   Security Advisory

First Published: 04-12-11

Last Modified: 04-14-2011

 

Product(s) Affected:

  • BlackBerry Enterprise Server for Novell GroupWise
  • BlackBerry Enterprise Server for Microsoft Exchange
  • BlackBerry Enterprise Server Express for IBM Domino
  • BlackBerry Enterprise Server Express for Microsoft Exchange
  • BlackBerry Web Desktop Manager
  • BlackBerry Enterprise Server for IBM Domino

Affected Software
This issue affects the BlackBerry Web Desktop Manager component of the following software versions:

  • BlackBerry Enterprise Server Express versions 5.0.1 and 5.0.2 for Microsoft Exchange
  • BlackBerry Enterprise Server Express version 5.0.2 for IBM Lotus Domino
  • BlackBerry Enterprise Server versions 5.0.0 through 5.0.3 for Microsoft Exchange and IBM Lotus Domino
  • BlackBerry Enterprise Server version 5.0.1 for Novell GroupWise
Non-Affected Software
  • BlackBerry® Device Software
  • BlackBerry® Desktop Software
  • BlackBerry® Internet Service
  • BlackBerry® Web Desktop Manager version 1.0.1.
Are BlackBerry smartphones and the BlackBerry Device Software affected?
No.
Issue Severity
This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 8.1.
Overview
This advisory describes a security issue whereby the BlackBerry Web Desktop Manager component of the BlackBerry Enterprise Server is susceptible to a reflective cross-site scripting (XSS) vulnerability. (Reflective cross-site scripting vulnerabilities are sometimes referred to as non-persistent or Type I cross-site scripting vulnerabilities.)
Who should read this advisory?
BlackBerry Enterprise Server administrators
Who should apply the software fix(es)?
BlackBerry Enterprise Server administrators
Recommendation
Complete the resolution actions documented in this advisory.
References
CVE® Identifier: CVE-2011-0286
Problem
The vulnerability could allow an attacker to execute externally supplied scripts with the privileges of the user who is logged in to the BlackBerry Web Desktop Manager. The attacker could then perform any BlackBerry Web Desktop Manager task that the legitimate user could perform on a BlackBerry smartphone for as long as that user remains logged in. Such tasks include remotely resetting the device password and locking the device, remotely wiping and disabling the device, and activating the user's account on another device over the wireless network.

Successful exploitation of this issue requires an attacker to persuade the legitimate user to click a specially crafted URL. That URL may be delivered in a web page, an email, or an instant message.

Mitigations

  • As a best practice, RIM recommends that access to administrative functions of the BlackBerry Enterprise Server, including BlackBerry Web Desktop Manager, be allowed only from trusted networks or specific hosts.
  • Refer to the documentation for your web browser to learn about potential mitigation of cross-site scripting vulnerabilities.
Resolution

The following released versions of the BlackBerry Enterprise Server resolve this issue:

  • BlackBerry Enterprise Server version 5.0.3 MR1 for Microsoft Exchange and IBM Lotus Domino
  • BlackBerry Enterprise Server version 5.0.2 MR5 for Microsoft Exchange

RIM has issued the following interim security software updates that resolve the vulnerability in affected versions of the BlackBerry Enterprise Server and the BlackBerry Enterprise Server Express:

  • For BlackBerry Enterprise Server version 5.0.2 for IBM Lotus Domino
  • For BlackBerry Enterprise Server version 5.0.1 for Microsoft Exchange, IBM Lotus Domino, and Novell GroupWise
  • For BlackBerry Enterprise Server Express version 5.0.2 for Microsoft Exchange and IBM Lotus Domino
  • For BlackBerry Enterprise Server Express version 5.0.1 for Microsoft Exchange

If you are using a software version that is not listed above, update to one of the listed versions to obtain the fix.
Additional Information
Reflective cross-site scripting

Reflective cross-site scripting (XSS) is the most common form of cross-site scripting. A web application introduces the vulnerability when it improperly reuses data that a user supplies to it, reflecting that data back in its response. An attacker creates a URL that exploits the vulnerability and then persuades a user to click it. When the user clicks the URL, a script supplied by the attacker executes using the rights of the application.

Reflective cross-site scripting is also referred to as non-persistent cross-site scripting or Type I cross-site scripting.
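As an added illustration (not code from this advisory or from RIM), the defect described above beside its encoded form, with a check a defender can run over a rendered page: a handler that reflects a query parameter verbatim, the same handler with HTML entity encoding, and a test for raw markup surviving into the output. The page layout, the `user` parameter and the URL are constructed for the example.

```python
"""Reflective XSS: vulnerable reflection of a query parameter beside the
hardened form. Added example; the page and parameter are constructed."""
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed example of the kind of link the advisory describes: the
# reflected parameter carries markup instead of a plain value.
CRAFTED_URL = ("https://wdm.example.invalid/login"
               "?user=%3Cscript%3Ealert(1)%3C/script%3E")


def reflected_param(url: str, name: str) -> str:
    """Return the decoded first value of query parameter `name` ("" if absent)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(user: str) -> str:
    """The defect: user-supplied data is reused in the response unencoded,
    so markup in the value becomes part of the page the browser executes."""
    return f"<p>Welcome back, {user}</p>"


def render_hardened(user: str) -> str:
    """Same page, but the reflected value is HTML-entity encoded for the
    contexts it lands in: a text node and a double-quoted attribute value."""
    safe = escape(user, quote=True)  # encodes < > & " '
    return f'<p>Welcome back, {safe}</p><input name="user" value="{safe}">'


def reflects_raw_markup(page: str, supplied: str) -> bool:
    """Detection check for a rendered response: if the supplied value contains
    markup-significant characters and still appears verbatim in the page,
    output encoding is missing for at least one reflection point."""
    return any(c in supplied for c in "<>\"'&") and supplied in page


if __name__ == "__main__":
    value = reflected_param(CRAFTED_URL, "user")
    print("vulnerable page reflects raw markup:",
          reflects_raw_markup(render_vulnerable(value), value))
    print("hardened page reflects raw markup:",
          reflects_raw_markup(render_hardened(value), value))
```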

CVE

Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities, maintained by the MITRE Corporation.

CVSS

CVSS is a vendor-agnostic, open industry standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency of update deployment within an organization. CVSS scores range from 0.0 (no vulnerability) to 10.0 (critical). RIM uses CVSS for vulnerability assessments to present an immutable characterization of security issues. RIM assigns all relevant security issues a non-zero score.

Visit www.blackberry.com/security for more information on BlackBerry security.

Acknowledgements
RIM would like to thank Ivan Huertas of Cybsec (http://www.cybsec.com) for his involvement in helping to protect our customers.
Change Log
04-14-11
The article has been updated to change the list of non-affected software to include BlackBerry Web Desktop Manager version 1.0.1.

Disclaimer

By downloading, accessing or otherwise using the Knowledge Base documents you agree:

   (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and

   (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.


Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.