BSRT-2013-003 Vulnerabilities in BlackBerry Enterprise Server components that process images could allow remote code execution

Article ID: KB33425

Type:   Security Advisory

First Published: 02-12-2013

Last Modified: 03-27-2013

 
Affected Software
  • BlackBerry® Enterprise Server Express version 5.0.4 and earlier for Microsoft Exchange and IBM Lotus Domino
  • BlackBerry® Enterprise Server version 5.0.4 and earlier for Microsoft Exchange, IBM Lotus Domino and Novell Groupwise
  • BlackBerry® Enterprise Server version 4.1.7 and earlier for MDS Applications

Note: The affected software includes versions that are no longer supported. Visit the Software Support Lifecycle site for information about supported BES versions. See the Resolution section of this advisory for more information on upgrading to a supported version for which a security software update is available.

Non-Affected Software
  • BlackBerry® Device Software
  • BlackBerry® Desktop Software
  • BlackBerry® Enterprise Server version 5.0.4 MR1 and later for Microsoft Exchange, IBM Lotus Domino and Novell Groupwise
  • BlackBerry® Enterprise Server Express version 5.0.4 (interim security update) and later for Microsoft Exchange and IBM Lotus Domino
  • BlackBerry® Enterprise Service 10

Note: BlackBerry Enterprise Server version 5.0.4 MR1 is no longer available. The current available software version for BlackBerry Enterprise Server is version 5.0.4 MR2.

Are BlackBerry smartphones and the BlackBerry Device Software affected?
No.
Issue Severity
These vulnerabilities have a Common Vulnerability Scoring System (CVSS) score of 10.0 (high severity). See the References section below for the list of issues by CVE issue identifier.
Overview
Vulnerabilities exist in components of the BlackBerry Enterprise Server that process TIFF images for rendering on the BlackBerry smartphone. The BlackBerry® Mobile Data System – Connection Service component processes images on web pages that the BlackBerry® Browser requests. The BlackBerry® Messaging Agent component processes images in email messages. The BlackBerry® Collaboration Service processes images in instant messages sent between your organization's instant messaging server, its BlackBerry Enterprise Server, and devices that are using public APIs, a Research In Motion proprietary protocol, and protocols specified by supported integrated collaboration clients.

RIM is not aware of any attacks on or specifically targeting BlackBerry Enterprise Server customers, and recommends that affected customers update to the latest available software version to be fully protected from these vulnerabilities.

Who should read this advisory?
  • BlackBerry Enterprise Server administrators
Who should apply the software fix(es)?
  • BlackBerry Enterprise Server administrators
Recommendation

Complete the resolution actions documented in this advisory to install the applicable security software update on any computer that hosts a BlackBerry MDS Connection Service instance, BlackBerry Messaging Agent instance, or BlackBerry Collaboration Service instance.

Best practices

  • As a mobile best practice, RIM recommends that users exercise caution when receiving email or instant messages from untrusted sources, and clicking links to web sites at the direction of untrusted sources.
  • Consider installing the BlackBerry Enterprise Server in a segmented network configuration. To configure the BlackBerry Enterprise Solution in a segmented network, you must install each BlackBerry Enterprise Solution component on a computer that is separate from the computers that host other components and then place each computer in its own network segment. A segmented network architecture is designed to isolate attacks and contain them on one computer. See Additional Information, below.
References

View the linked CVE® Identifiers for descriptions of the security issues that this security advisory addresses:

CVE identifier    CVSS score
CVE-2012-2088     10.0
CVE-2012-4447     10.0

Problem

Vulnerabilities exist in how the BlackBerry MDS Connection Service and the BlackBerry Messaging Agent process TIFF images for rendering on the BlackBerry smartphone. Successful exploitation of any of these vulnerabilities might allow an attacker to gain access to and execute code on the BlackBerry Enterprise Server. Depending on the privileges available to the configured BlackBerry Enterprise Server service account, the attacker might also be able to extend access to other non-segmented parts of the network.

To exploit these vulnerabilities in how the BlackBerry MDS Connection Service processes TIFF images, an attacker would need to create a specially crafted web page and then persuade the BlackBerry smartphone user to click a link to that web page. The attacker could provide the link to the user in an email or instant message.

To exploit these vulnerabilities in how the BlackBerry Messaging Agent or the BlackBerry Collaboration Service processes TIFF images, an attacker would need to embed a specially crafted TIFF image in an email message or enterprise instant message and send the message to the BlackBerry smartphone user. The user does not need to click a link or an image, or view the email message or instant message, for the attack to succeed in this scenario.

Impact
These vulnerabilities could allow an attacker to execute arbitrary code using the privileges of the BlackBerry Enterprise Server login account.
Resolution

RIM has issued BlackBerry Enterprise Server version 5.0.4 MR2, which resolves these vulnerabilities and can be applied to all affected supported versions of BlackBerry Enterprise Server. RIM has also issued an interim security update that has been verified with supported versions of BlackBerry Enterprise Server and BlackBerry Enterprise Server Express. For a list of verified, supported versions, read the BlackBerry Enterprise Server interim security update release notes. The interim security update resolves these vulnerabilities but does not contain other changes found in BlackBerry Enterprise Server version 5.0.4 MR2.

Update your BlackBerry Enterprise Server to 5.0.4 MR2 or later or download and install the interim security update to be protected from these vulnerabilities. Update your BlackBerry Enterprise Server Express with the interim security update to be protected from these vulnerabilities.

The interim security update replaces the installed image.dll file that the affected components use with an image.dll file that is not affected by the vulnerabilities.

If you are using a software version that is not listed below, update to one of the listed versions before applying the interim security software update or MR. Visit the Software Support Lifecycle site for information about product support timelines.

Important: You must install the applicable interim security software update or MR for your software version on any computer that hosts a BlackBerry MDS Connection Service or BlackBerry Messaging Agent instance.

For BlackBerry Enterprise Server Express versions 5.0.2 through 5.0.4 for Microsoft Exchange and IBM Lotus Domino

Visit http://www.blackberry.com/go/serverdownloads to download the interim security update.

For BlackBerry Enterprise Server versions 5.0.2 through 5.0.4 for Microsoft Exchange and IBM Lotus Domino

Visit http://www.blackberry.com/go/serverdownloads to obtain BlackBerry Enterprise Server version 5.0.4 MR2 or to download the interim security update.

For BlackBerry Enterprise Server versions 5.0.1 and 5.0.4 for Novell Groupwise

Visit http://www.blackberry.com/go/serverdownloads to obtain BlackBerry Enterprise Server version 5.0.4 MR2 or to download the interim security update.

For BlackBerry Enterprise Server versions 4.1.7 and earlier for MDS Applications

Visit http://www.blackberry.com/go/serverdownloads to download the interim security update.

Workaround

All workarounds should be considered temporary measures for customers to employ if they cannot install the update immediately or must perform standard testing and risk analysis. RIM recommends that customers without these requirements simply install the update to secure their systems.

Prevent the BlackBerry Enterprise Server from using the vulnerable image.dll file when processing images using the BlackBerry MDS Connection Service

Change the BlackBerry MDS Connection Service settings in the rimpublic.property file to turn off image processing that uses the vulnerable image.dll file.

  1. Navigate to the rimpublic.property file (for example, C:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\Servers\instance\config\rimpublic.property).
  2. In a text editor, open the rimpublic.property file.
  3. Add the following settings to the rimpublic.property file:
    application.handler.rim.slipstream.clientless=false
    application.handler.rim.slipstream.clientful=false
    application.handler.rim.slipstream.progressive=false
  4. Save and close the rimpublic.property file.

Note: When the workaround for the BlackBerry MDS Connection Service is implemented, customers will still see inline images in messages. The workaround causes the BlackBerry MDS Connection Service to use a non-vulnerable library for image processing.

Prevent the BlackBerry Enterprise Server from using the vulnerable image.dll file when processing images using the BlackBerry Collaboration Service

Change the BlackBerry Collaboration Service settings in the rimpublic.property file to turn off image processing that uses the vulnerable image.dll file.

  1. Navigate to the rimpublic.property file (for example, C:\Program Files\Research In Motion\BlackBerry Enterprise Server\BBIM\Servers\instance\config\rimpublic.property).
  2. In a text editor, open the rimpublic.property file.
  3. Add the following settings to the rimpublic.property file:
    application.handler.rim.slipstream.clientless=false
    application.handler.rim.slipstream.clientful=false
    application.handler.rim.slipstream.progressive=false
    improxy.slipstream=false
  4. Save and close the rimpublic.property file.

Note: When the workaround for the BlackBerry Collaboration Service is implemented, customers will still see inline images in instant messages. The workaround causes the BlackBerry Collaboration Service to use a non-vulnerable library for image processing.
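The two rimpublic.property procedures above differ only in the key set (the Collaboration Service adds improxy.slipstream=false). The following script is an added example, not RIM's code, that audits and applies either key set against a rimpublic.property file in an idempotent way: existing lines for those keys are rewritten in place (so a stale "=true" is corrected rather than duplicated), missing keys are appended, and every other line, comment and blank is preserved. The file paths and the sample file contents are constructed for illustration; use the instance path from the steps above.

```python
"""
Added example (not RIM's code): audit or apply the BSRT-2013-003 rimpublic.property
workaround for the BlackBerry MDS Connection Service and the BlackBerry
Collaboration Service. Paths below are illustrative placeholders.
"""
import re
from pathlib import Path
from typing import Dict, List

# Settings the advisory says to add for the BlackBerry MDS Connection Service.
MDS_SETTINGS: Dict[str, str] = {
    "application.handler.rim.slipstream.clientless": "false",
    "application.handler.rim.slipstream.clientful": "false",
    "application.handler.rim.slipstream.progressive": "false",
}

# The BlackBerry Collaboration Service needs the same three plus improxy.slipstream.
COLLABORATION_SETTINGS: Dict[str, str] = dict(MDS_SETTINGS, **{"improxy.slipstream": "false"})

# Java-style property line: key, then '=' or ':' or whitespace, then value.
# The first character class rejects '#' and '!' so comment lines never match.
_PROP_RE = re.compile(r"^\s*([^#!\s=:][^=:\s]*)\s*[=:\s]\s*(.*?)\s*$")


def parse_properties(text: str) -> Dict[str, str]:
    """Return key -> value for every non-comment line; a later duplicate wins."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def check_workaround(text: str, required: Dict[str, str]) -> List[str]:
    """Return the required keys that are missing or not set to the required value."""
    present = parse_properties(text)
    return [k for k, v in required.items() if present.get(k, "").lower() != v]


def apply_workaround(text: str, required: Dict[str, str]) -> str:
    """Return the file contents with every required key set to its required value.

    Active lines for a required key are rewritten in place; keys not yet present
    are appended at the end. All other content is kept verbatim, so running this
    twice yields the same result.
    """
    out: List[str] = []
    seen = set()
    for line in text.splitlines():
        m = _PROP_RE.match(line)
        if m and m.group(1) in required:
            key = m.group(1)
            out.append(f"{key}={required[key]}")
            seen.add(key)
        else:
            out.append(line)
    for key, value in required.items():
        if key not in seen:
            out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def remediate_file(path: Path, required: Dict[str, str]) -> List[str]:
    """Apply the workaround to a real file and return the keys that were changed.

    Java .properties files are Latin-1 by convention; adjust if your instance differs.
    """
    original = path.read_text(encoding="latin-1")
    missing = check_workaround(original, required)
    if missing:
        path.write_text(apply_workaround(original, required), encoding="latin-1")
    return missing


# Constructed sample of an MDS instance file: one key already present but wrong,
# the other two absent, plus an unrelated setting that must survive untouched.
SAMPLE_MDS_PROPERTIES = (
    "# rimpublic.property (constructed sample)\n"
    "application.handler.rim.slipstream.clientless = true\n"
    "some.other.setting=1\n"
)


def demo() -> str:
    """Audit the sample, apply the MDS key set and return the corrected contents."""
    print("Before:", check_workaround(SAMPLE_MDS_PROPERTIES, MDS_SETTINGS))
    fixed = apply_workaround(SAMPLE_MDS_PROPERTIES, MDS_SETTINGS)
    print("After:", check_workaround(fixed, MDS_SETTINGS))
    return fixed


if __name__ == "__main__":
    print(demo())
    # On a real host (placeholder path, illustrative only):
    # remediate_file(Path(r"C:\Program Files\Research In Motion\BlackBerry Enterprise Server"
    #                     r"\MDS\Servers\instance\config\rimpublic.property"), MDS_SETTINGS)
```

Run check_workaround with COLLABORATION_SETTINGS against a BBIM instance file and with MDS_SETTINGS against an MDS instance file to confirm the workaround is in place after editing; an empty list means every required key is present and set to false. Restart the affected service after changing the file, as you would after any rimpublic.property edit.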

Prevent the BlackBerry Enterprise Server from processing inline images using the BlackBerry Messaging Agent

Follow the instructions in KB15931 for the software version you are running.

Additional Information
What is network segmentation?

The administrator can install the BlackBerry Enterprise Server on a remote computer and then place that computer on its own network segment to prevent the spread of potential attacks from the BlackBerry Enterprise Server to another computer within your organization's network. In a segmented network, attacks are isolated and contained in a single area of the network. A segmented network architecture is also designed to improve the security and performance of each network segment by filtering out data that is not destined for other network segments. For more information about placing the BlackBerry Enterprise Solution components in a network architecture that is segmented to prevent the spread of potential attacks, see the Technical Note Placing the BlackBerry Enterprise Solution in a Segmented Network.

What is CVE?

Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities maintained by the MITRE corporation.

What is CVSS?

CVSS is a vendor-agnostic, open industry standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency of update deployment within an organization. CVSS scores range from 0.0 (no vulnerability) to 10.0 (critical). BlackBerry uses CVSS for vulnerability assessments to present an immutable characterization of security issues. RIM assigns all relevant security issues a non-zero score. Customers performing their own risk assessments of vulnerabilities that may impact them can benefit from using the same industry-recognized CVSS metrics.

Where can I read more about the security of BlackBerry products and solutions?

Visit www.blackberry.com/security for more information on BlackBerry security.

Change Log

03-27-2013

This advisory has been updated to include the following details:

  • The BlackBerry Enterprise Server version 4.1.7 and earlier for MDS Applications is affected.
  • A resolution in the form of an interim security update is available for the BlackBerry Enterprise Server version 4.1.7 and earlier for MDS Applications.

03-13-2013

This advisory has been updated to include the following details:

  • The BlackBerry Enterprise Server version 4.1.3 and earlier for MDS Applications is affected. 
  • A resolution in the form of an interim security update is available for the BlackBerry Enterprise Server version 4.1.3 and earlier for MDS Applications.

02-13-2013

This advisory has been updated to clarify the Non-Affected Software and Resolution sections.

02-14-2013

This advisory has been updated to include the following details in the Resolution section:

  • The interim security update can be applied to all verified, affected supported versions of the BlackBerry Enterprise Server to protect against exploitation of these vulnerabilities.

Disclaimer

By downloading, accessing or otherwise using the Knowledge Base documents you agree:

   (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and

   (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.


Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.