BSRT-2013-006 Vulnerability in BlackBerry Protect impacts BlackBerry Z10 smartphone software

Article ID: KB34458

Type: BlackBerry Security Advisory

First Published: 06-11-2013

Last Modified: 06-25-2013

Overview

This advisory addresses an escalation of privilege vulnerability affecting BlackBerry® Z10 smartphones that is not currently being actively exploited. BlackBerry® customer risk is limited by the inability of a potential attacker to force exploitation of the vulnerability without significant customer interaction and physical access to the device. Successful exploitation requires not only that a customer enable BlackBerry® Protect™, use the feature to reset the device password, and download a specifically crafted malicious app, but also that an attacker gain physical access to the smartphone. If all of the specific requirements are met for exploitation, an attacker could potentially access or modify data on the device.

Customers using BlackBerry® Q10 smartphones and BlackBerry Z10 users running BlackBerry® 10 OS version 10.0.10.648 and later are not affected. After installing the latest software update, BlackBerry Z10 users running earlier versions of the BlackBerry 10 OS will be fully protected from this vulnerability.

Who should read this advisory?
  • BlackBerry Z10 smartphone users
  • IT administrators who deploy BlackBerry Z10 smartphones in an enterprise
Who should apply the software fix(es)?
  • BlackBerry Z10 smartphone users
  • IT administrators who deploy BlackBerry Z10 smartphones in an enterprise
More Information

Have any BlackBerry customers been subject to an attack that exploits this vulnerability?
BlackBerry is not aware of any attacks on or specifically targeting BlackBerry Z10 smartphone users.

What is BlackBerry Protect?
BlackBerry Protect is a feature of the BlackBerry® 10 OS designed to help you find your BlackBerry device and help protect your smartphone's data if your smartphone is ever lost or stolen. For more information on BlackBerry Protect, visit http://us.blackberry.com/devices/features/security/protect.html. Note: BlackBerry 7 and earlier devices are not affected.

What factors affected the release of this security advisory?
This advisory addresses a publicly known vulnerability. BlackBerry publishes full details of a software update in a security advisory after the fix is available to the majority of our customers and wireless service provider partners. The update has been available to many wireless service providers for BlackBerry Z10 smartphones for several weeks. Publishing this advisory ensures that all of our customers can protect themselves either by updating their software or employing workarounds or mitigations included in this advisory until the software update is available to them.

Where can I read more about BlackBerry Z10 smartphone security?
For more information on security features of the BlackBerry Z10 smartphone, read the BlackBerry Enterprise Service 10 Security Technical Overview.

Where can I read more about the security of BlackBerry products and solutions?
For more information on BlackBerry security, visit www.blackberry.com/security.

Affected Software and Resolutions
Read the following to determine if your BlackBerry Z10 smartphone is affected.
Affected Software
  • BlackBerry 10 OS version 10.0.10.261 and earlier, except version 10.0.9.2743
Non-Affected Software
  • BlackBerry 10 OS version 10.0.9.2743
  • BlackBerry 10 OS version 10.0.10.648 or later
  • BlackBerry 10 OS version 10.1
  • BlackBerry 7 OS and earlier
  • BlackBerry® PlayBook™ tablet software
Are BlackBerry smartphones affected?
Yes; only BlackBerry Z10 smartphones are affected.
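The affected and non-affected lists above have two traps for anyone scripting a fleet check: 10.0.9.2743 is exempt even though it sorts below 10.0.10.261, and builds between 10.0.10.261 and 10.0.10.648 are not named by the advisory at all and should not be silently assumed safe. The following is an added example for this page, not BlackBerry code or tooling; the version boundaries are taken from the lists above, while the function names and the inventory format (PIN,version lines) are this example's own assumptions.

```python
"""Classify BlackBerry 10 OS version strings against BSRT-2013-006 (KB34458).

Added example, not BlackBerry code. Boundaries come from the advisory's
Affected / Non-Affected Software lists; helper names and the inventory
line format are assumptions made for this example.
"""
from typing import Dict, Tuple

Version = Tuple[int, ...]

LAST_AFFECTED: Version = (10, 0, 10, 261)   # "10.0.10.261 and earlier"
FIRST_FIXED: Version = (10, 0, 10, 648)     # "10.0.10.648 or later"
EXEMPT = {(10, 0, 9, 2743)}                 # listed as not affected


def parse_version(text: str) -> Version:
    """Turn '10.0.10.648' into (10, 0, 10, 648); rejects non-numeric parts."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(text: str) -> str:
    """Return 'affected', 'not affected' or 'unlisted'.

    'unlisted' covers builds the advisory does not name: anything between
    10.0.10.261 and 10.0.10.648, and anything that is not a 10.x release.
    Treat 'unlisted' as needing confirmation, not as safe.
    """
    v = parse_version(text)
    if v in EXEMPT:
        return "not affected"
    if v[:2] >= (10, 1):
        return "not affected"           # 10.1 and later
    if v[:2] == (10, 0):
        if v >= FIRST_FIXED:
            return "not affected"
        if v <= LAST_AFFECTED:
            return "affected"
        return "unlisted"               # 10.0.10.262 .. 10.0.10.647
    return "unlisted"


def triage(inventory: str) -> Dict[str, str]:
    """Map each 'PIN,version' line of an inventory export to a classification.

    Malformed lines are reported as 'unparseable' rather than dropped, so a
    bad export cannot hide a vulnerable device.
    """
    result: Dict[str, str] = {}
    for line in inventory.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        pin, _, version = line.partition(",")
        try:
            result[pin.strip()] = classify(version)
        except ValueError:
            result[pin.strip()] = "unparseable"
    return result


# Constructed sample inventory (PINs and versions are made up for this example).
SAMPLE_INVENTORY = """
# pin,os_version
2ABC0001,10.0.10.261
2ABC0002,10.0.10.648
2ABC0003,10.0.9.2743
2ABC0004,10.0.9.2742
2ABC0005,10.0.10.300
2ABC0006,10.1.0.273
2ABC0007,not-a-version
"""

if __name__ == "__main__":
    for pin, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{pin}: {status}")
```

Devices that come back "unlisted" or "unparseable" should be checked by hand via Settings > About, since the advisory only vouches for the builds it names.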
Resolution

BlackBerry has issued BlackBerry 10 OS version 10.0.10.648, which resolves this issue on affected versions of BlackBerry Z10 smartphones. Update your BlackBerry Z10 smartphone to BlackBerry 10 OS version 10.0.10.648 or later to be fully protected from this issue.

Note: If you are running a BlackBerry 10 OS version earlier than 10.0.10.648 but do not see a software update notification and your device indicates that your software is up to date, contact your wireless service provider to request BlackBerry 10 OS version 10.0.10.648 or later.

See the Workarounds and Mitigations sections of this advisory for information on how to mitigate potential risk until the software update is available for all customers.

Update by Accessing the Software Update Notification
Your BlackBerry Z10 smartphone uses notifications to keep you informed about software updates. When a new software update notification is available, it appears within the Notifications section of the BlackBerry Hub on a BlackBerry Z10 smartphone.

Simply view your notifications and follow the steps to access the latest software update notification and complete the software update.

Manually Check for Software Updates
1. From the home screen, swipe down from the top of the screen.
2. Tap Settings, then Software Updates.
3. Tap Check for Updates.

You can also update your device software using BlackBerry® Link. For more information, see the Help documentation for BlackBerry Link.

After you update your software, the screen will indicate that you have installed BlackBerry 10 OS version 10.0.10.648 or later.

More Information

How can I find out what version of the BlackBerry 10 OS I am running?
1. From the home screen, swipe down from the top of the screen.
2. Tap Settings.
3. Tap About, and view the OS Version field in the OS settings.

Are new (still in the box) BlackBerry Z10 smartphones exposed to this vulnerability?
As long as the user fully completes the device setup, including the device software update, the user’s smartphone will not be affected. During the initial setup process, BlackBerry Z10 smartphones will download and install the latest version of the BlackBerry 10 OS. The fix for this vulnerability will be included in all future versions of BlackBerry Z10 smartphone software. If the user chooses to not update the device software at the initial setup, the smartphone could still be exposed to this vulnerability.

Are BlackBerry Q10 smartphones exposed to this vulnerability?
No. The fix for this vulnerability is included in all versions of the BlackBerry Q10 smartphone software.

Vulnerability Information

An escalation of privilege vulnerability exists in affected versions of BlackBerry Z10 smartphones. Under specific conditions, this vulnerability could allow a malicious app to take advantage of weak permissions on a BlackBerry Protect object. Taking advantage of the weak permissions could allow the malicious app to:

  • Gain the device password if a remote password reset command had been issued through the BlackBerry Protect website.
  • Intercept and prevent the smartphone from acting on BlackBerry Protect commands, such as a remote smartphone wipe.

The most severe potential impact of this vulnerability requires a BlackBerry Z10 smartphone user to install a specially crafted malicious app, enable BlackBerry Protect, and reset the device password through BlackBerry Protect.

With the device password and physical access to the smartphone, an attacker can:

  • Access the functionality of the smartphone (including the BlackBerry® Hub, apps, data, and the phone) by unlocking the smartphone.
  • Unlock the work perimeter on a BlackBerry Z10 smartphone that has BlackBerry® Balance™ technology enabled if the work perimeter password is the same as the device password.
  • Access the smartphone over a USB tether with either BlackBerry Link or the computer’s file viewer, allowing access to the smartphone’s personal files, contacts, PIM data, and so on. The attacker could also access work perimeter content on BlackBerry Balance smartphones if the work perimeter is unlocked and access over a USB tether is allowed by a policy that the IT administrator sets.
  • Enable development mode after accessing the smartphone over a USB tether, allowing remote access as a low-privilege development user.
  • Change the current device password, allowing the attacker to deny access to the legitimate user of the smartphone.
  • Access any other local and enterprise services for which the legitimate user has used the same password as the smartphone’s password.

With the device password, but without physical access to the smartphone, an attacker could gain Wi-Fi® file access. This capability is only possible if the smartphone’s owner enables Wi-Fi storage access on the smartphone and sets a storage access password that is the same as the device password. Wi-Fi storage access is disabled by default.

This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 6.2.
For a description of the security issue that this security advisory addresses, see the CVE® Identifier CVE-2013-3692.

Mitigations

For BlackBerry Z10 Smartphone Users:

BlackBerry recommends that all users apply the available BlackBerry 10 OS version 10.0.10.648 software update to fully protect their BlackBerry Z10 smartphone. However, before the software update is applied, the following mitigations might help limit the risk of exposure to an attack.

The attacker cannot exploit this vulnerability without user interaction. The following user actions must occur before the attacker can exploit the vulnerability:

  • The user must have downloaded and installed a malicious app that specifically targets this vulnerability. A BlackBerry smartphone prompts a user for permission to install any third-party software or to grant certain permissions to a third-party application.
  • The user must enable BlackBerry Protect, which is not enabled by default.
  • The user must have issued a password reset command through the BlackBerry Protect website.

After getting the password, the attacker must have physical access to the smartphone in order to use the password to fully exploit the vulnerability.

A user with BlackBerry Balance enabled can set separate and distinct device and work perimeter passwords to make sure that work perimeter content is protected.

Wi-Fi file sharing is not turned on by default. The smartphone user would have to choose to turn on the Access using Wi-Fi option to be vulnerable to this issue. If Wi-Fi file sharing is required, the user should set a password that is not the same as the device password.

For BlackBerry Enterprise Server Administrators:

IT administrators who deploy BlackBerry Z10 smartphones in an enterprise can mitigate the impact of this issue on the smartphones in their organization by managing the following security rule groups:

Security Rule Group                             Setting   Mitigation
Apply Workspace Password to Full Smartphone     NO        Allows the user to choose a separate device password.
Password Required for Work Space                YES       Requires the user to set a password for the workspace.
Restrict Development Mode                       YES       Prevents users from enabling development mode.

Workarounds

All workarounds should be considered temporary measures for customers to employ if they cannot install the update immediately or must perform standard testing and risk analysis. BlackBerry recommends that customers without these requirements simply install the update to secure their systems.

BlackBerry recommends that customers only download applications from trusted sources to help protect against malicious apps. A BlackBerry smartphone prompts a user for permission to install any third-party software.

A BlackBerry smartphone user or a BlackBerry® Enterprise Server administrator can configure the smartphone to require the user to enter the smartphone password to allow an app to install. BlackBerry recommends that all customers use this setting.

A BlackBerry smartphone user with a vulnerable version of the BlackBerry 10 OS can avoid using BlackBerry Protect to change the device password.

Users should enable Wi-Fi file sharing only while they are connected to trusted networks and intend to share files. Users should not enable Wi-Fi file sharing on their BlackBerry Z10 smartphone when they are not actively sharing files.

Users should connect their BlackBerry Z10 smartphone over USB connections to trusted computers only.

More Information

Can an administrator use BlackBerry Enterprise Server IT policies to help protect against this vulnerability?
Yes. IT administrators who deploy BlackBerry Z10 smartphones in an enterprise can mitigate the impact of this issue on the smartphones in their organization by managing the security rule groups outlined in the Mitigations section in this security advisory.
Definitions

What is CVE?
Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities maintained by the MITRE Corporation.

What is CVSS?
CVSS is a vendor-agnostic, industry open standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency for update deployment within an organization. CVSS scores range from 0.0 (no vulnerability) to 10.0 (critical). BlackBerry uses CVSS for vulnerability assessments to present an immutable characterization of security issues. BlackBerry assigns all relevant security issues a non-zero score. Customers performing their own risk assessments of vulnerabilities that may impact them can benefit from using the same industry-recognized CVSS metrics.

Acknowledgements

BlackBerry acknowledges the following security researcher for reporting CVE-2013-3692 to BlackBerry: Peter Hansen.

Change Log

06-25-13

Article updated to remove a deprecated BES policy from the table of mitigating security rule groups for BlackBerry Enterprise Server Administrators.

Disclaimer

By downloading, accessing or otherwise using the Knowledge Base documents you agree:

   (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and

   (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.


Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.