BSRT-2013-011 Vulnerability in BlackBerry Universal Device Service wrapper impacts BlackBerry Enterprise Service 10

Article ID: KB35139

Type:   BlackBerry Security Advisory

First Published: 10-08-2013

Last Modified: 10-16-2013

Overview

This advisory addresses a remote code execution vulnerability that is not currently being exploited but affects the BlackBerry Universal Device Service (UDS) when it is included with BlackBerry® Enterprise Service (BES) or installed as a standalone product. BlackBerry customer risk is limited by the requirement that an attack must be launched from a location within the corporate network with access to the system hosting the UDS. Successful exploitation requires that an attacker know the address of the UDS component. If the requirements are met for exploitation, an attacker could execute code as the BES or UDS administration service account. After installing the recommended software update or modifying the configuration file, affected customers will be fully protected from this vulnerability.

Who should read this advisory?
  • BlackBerry Enterprise Service 10 administrators
  • BlackBerry Universal Device Service administrators
Who should apply the software fix(es)?
  • BlackBerry Enterprise Service 10 administrators
  • BlackBerry Universal Device Service administrators
More Information

Have any BlackBerry customers been subject to an attack that exploits this vulnerability?
BlackBerry is not aware of any attacks targeting BlackBerry customers using this vulnerability.

What factors affected the release of this security advisory?
This advisory addresses a publicly known vulnerability. BlackBerry publishes full details of a software update in a security advisory after the fix is available to the majority of our customers. Publishing this advisory ensures that all of our customers can protect themselves by updating their software, or applying available workarounds if updating is not possible.

Where can I read more about the security of BlackBerry products and solutions?
For more information on BlackBerry security, visit http://us.blackberry.com/business/topics/security.html.

Affected Software and Resolutions

Customers can read the following lists to determine if their BlackBerry Enterprise Service or BlackBerry Universal Device Service installation is affected.

Affected Software
  • BlackBerry Enterprise Service version 10.0 to 10.1.2 with Oracle Java Runtime 7 update 17 or earlier
  • BlackBerry Universal Device Service prior to BlackBerry Enterprise Service 10.0 with Oracle Java Runtime 7 update 17 or earlier
Non-Affected Software
  • BlackBerry Enterprise Service version 10.1.3
  • BlackBerry Enterprise Service version 10.0 to 10.1.2 with Oracle Java Runtime 7 update 18 or later
  • BlackBerry Enterprise Server version 5.0.4 MR5 and earlier
  • BlackBerry Universal Device Service with Oracle Java Runtime 7 update 18 or later
Are BlackBerry smartphones affected?
No.
Resolution

BlackBerry Enterprise Service
BlackBerry has issued a fix for this vulnerability, which is included in BlackBerry Enterprise Service version 10.1.3. This software update resolves this vulnerability on affected BES10 versions. To be fully protected from this issue, affected BES customers should update to BlackBerry Enterprise Service software version 10.1.3. Customers running BlackBerry Enterprise Service version 10.0 to 10.1.2 who cannot update at this time should apply an available workaround. See the Workarounds section of this advisory for instructions.

Universal Device Service
To be fully protected from this issue, standalone UDS customers should update to BlackBerry Enterprise Service 10.1.3 or later. Customers who cannot update at this time should apply the available workaround to alter the configuration file. See the Workarounds section of this advisory for instructions.

Vulnerability Information

A vulnerability exists due to a misconfiguration of the JBoss hosting environment in affected BES10 versions and standalone UDS. The BlackBerry Web Service exposes a JBoss interface that allows a legitimate administrator to upload packages and make them available to clients. This JBoss interface functionality is not used in BES10 or UDS. The misconfiguration could allow non-administrative users to upload packages. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code using the privileges of the BES or UDS administration service account.

In order to exploit this vulnerability, an attacker must use the Remote Method Invocation (RMI) interface to serve a malicious package to JBoss from a second server on the network that is not blocked by a firewall.

This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 8.3. For a description of the security issue that this security advisory addresses, see the CVE® identifier CVE-2013-3693.

Mitigations

Mitigations are existing conditions that a potential attacker would need to overcome to mount a successful attack or that would limit the severity of an attack. Examples of such conditions include default settings, common configurations, and general best practices.

This issue is mitigated for all customers by the prerequisite that any attack must be launched from a location within the corporate network with access to the system hosting the UDS.

Systems hosting the UDS that are placed behind a firewall that blocks the affected ports are protected from attackers who might exploit this vulnerability.

Workarounds

Workarounds are settings or configuration changes that a user or administrator can apply to help protect against an attack. BlackBerry recommends that all users apply the available software update to fully protect their system. All workarounds should be considered temporary measures for customers to apply if they cannot install the update immediately or must perform standard testing and risk analysis. BlackBerry recommends that customers who are able to do so install the update to secure their systems.

When the administrator’s choice of workaround is applied, the Universal Device Service and BlackBerry Enterprise Service 10 will run normally.

Prevent network users from calling the RMI interface by changing the configuration file

Edit the jboss-service.xml file to permit only local users to call the RMI interface.


BES 10.1.0, 10.1.1 and 10.1.2

The path of this file will vary, but will be of the form <root>\BWS\server\default\conf, where <root> is the installation drive letter and path. Depending on the version, this path could reference the Universal Device Service or the BlackBerry Enterprise Service.

  1. Locate the jboss-service.xml file.
  2. Open the jboss-service.xml file in a text editor.
  3. Locate the <mbean code="org.jboss.naming.NamingService" name="jboss:service=Naming" xmbean-dd="resource:xmdesc/NamingService-xmbean.xml"> element.
  4. Within that element, change the following settings from:

       <attribute name="BindAddress">
          <value-factory bean="ServiceBindingManager" method="getStringBinding">
             <parameter>jboss:service=Naming</parameter>
             <parameter>Port</parameter>
             <parameter><null/></parameter>
          </value-factory>
       </attribute>

     to:

       <attribute name="BindAddress">
          <value-factory bean="ServiceBindingManager" method="getStringBinding">
             <parameter>jboss:service=Naming</parameter>
             <parameter>Port</parameter>
             <parameter>127.0.0.1</parameter>
          </value-factory>
       </attribute>

     and from:

       <attribute name="RmiBindAddress">
          <value-factory bean="ServiceBindingManager" method="getStringBinding">
             <parameter>jboss:service=Naming</parameter>
             <parameter>RmiPort</parameter>
             <parameter><null/></parameter>
          </value-factory>
       </attribute>

     to:

       <attribute name="RmiBindAddress">
          <value-factory bean="ServiceBindingManager" method="getStringBinding">
             <parameter>jboss:service=Naming</parameter>
             <parameter>RmiPort</parameter>
             <parameter>127.0.0.1</parameter>
          </value-factory>
       </attribute>

  5. Save and close the jboss-service.xml file.
  6. Restart the BlackBerry Web Services service.

The changes to the configuration file are different for BES and UDS due to a change in the JBoss version used.

Standalone UDS and BES 10.0:

The path of this file will vary, but will be of the form <root>\BWS\server\default\conf\jboss-service.xml, where <root> is the installation drive letter and path for UDS.

  1. Locate the jboss-service.xml file.
  2. Open the jboss-service.xml file in a text editor.
  3. Locate the <attribute name="BindAddress"> and <attribute name="RmiBindAddress"> elements.
  4. Change the following settings from:

       <attribute name="BindAddress">${jboss.bind.address}</attribute>

     to:

       <attribute name="BindAddress">127.0.0.1</attribute>

     and from:

       <attribute name="RmiBindAddress">${jboss.bind.address}</attribute>

     to:

       <attribute name="RmiBindAddress">127.0.0.1</attribute>

  5. Restart the BlackBerry Web Services service.

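To confirm that either edit above took effect, the following audit script (an added example, not BlackBerry's own tooling) parses a jboss-service.xml and reports which NamingService bind attributes still bind to every interface; it understands both the value-factory layout used by BES 10.1.x and the plain-text layout used by BES 10.0 and standalone UDS. The two XML fragments in it are constructed from the excerpts above, with the xmbean-dd attribute omitted.

```python
# Audit jboss-service.xml for the RMI/JNDI bind-address workaround (added example).
import xml.etree.ElementTree as ET

CHECKED = ("BindAddress", "RmiBindAddress")  # NamingService attributes the workaround pins
LOOPBACK = {"127.0.0.1"}                      # the only value the advisory prescribes

def bind_values(xml_text):
    """Map each checked attribute of the jboss:service=Naming mbean to its bind value."""
    result = {}
    for mbean in ET.fromstring(xml_text).iter("mbean"):
        if mbean.get("name") != "jboss:service=Naming":
            continue
        for attr in mbean.findall("attribute"):
            name = attr.get("name")
            if name not in CHECKED:
                continue
            factory = attr.find("value-factory")
            if factory is None:
                # BES 10.0 / UDS layout: plain text such as ${jboss.bind.address}
                result[name] = (attr.text or "").strip()
                continue
            # BES 10.1.x layout: the third <parameter> is the host; <null/> means all interfaces
            params = factory.findall("parameter")
            host = params[2] if len(params) >= 3 else None
            if host is None or host.find("null") is not None:
                result[name] = "<null/>"
            else:
                result[name] = (host.text or "").strip()
    return result

def exposed_attributes(xml_text):
    """Checked attributes not pinned to loopback; a missing attribute counts as exposed."""
    values = bind_values(xml_text)
    return [n for n in CHECKED if values.get(n) not in LOOPBACK]

# Constructed sample: BES 10.0 / UDS layout, workaround not applied.
VULNERABLE_UDS = """<server><mbean code="org.jboss.naming.NamingService" name="jboss:service=Naming">
  <attribute name="BindAddress">${jboss.bind.address}</attribute>
  <attribute name="RmiBindAddress">${jboss.bind.address}</attribute>
</mbean></server>"""

# Constructed sample: BES 10.1.x layout, only BindAddress changed, RmiBindAddress still <null/>.
PARTIAL_BES101 = """<server><mbean code="org.jboss.naming.NamingService" name="jboss:service=Naming">
  <attribute name="BindAddress"><value-factory bean="ServiceBindingManager" method="getStringBinding">
    <parameter>jboss:service=Naming</parameter><parameter>Port</parameter><parameter>127.0.0.1</parameter>
  </value-factory></attribute>
  <attribute name="RmiBindAddress"><value-factory bean="ServiceBindingManager" method="getStringBinding">
    <parameter>jboss:service=Naming</parameter><parameter>RmiPort</parameter><parameter><null/></parameter>
  </value-factory></attribute>
</mbean></server>"""
```

Point bind_values at the real file's contents to audit a server; an empty list from exposed_attributes means both attributes are pinned to 127.0.0.1.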

Block affected ports to prevent RMI access

Administrators can block the affected ports 1098 and 1099 using a firewall appliance or using IPSec on the Windows server. To block these affected ports using IPSec on the Microsoft Windows Server®, use the instructions located at http://support.microsoft.com/kb/813878.
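Whichever workaround is used, the host itself shows whether the RMI ports are still reachable from the network. This added check (not BlackBerry's tooling) parses the output of netstat -ano on the Windows server and flags any listener on 1098 or 1099 bound to a non-loopback address; the sample output is constructed.

```python
# Flag JBoss RMI/JNDI listeners (1098, 1099) not bound to loopback, from `netstat -ano` output.
import re

RMI_PORTS = {1098, 1099}

# Constructed sample of `netstat -ano`: 1099 pinned to loopback, 1098 still on every interface.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:1098           0.0.0.0:0              LISTENING       2412
  TCP    127.0.0.1:1099         0.0.0.0:0              LISTENING       2412
  TCP    10.0.0.5:3389          10.0.0.77:51822        ESTABLISHED     1024
"""

# Matches listening TCP sockets; the address group also accepts bracketed IPv6 forms like [::].
LISTEN_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def is_loopback(addr):
    return addr.startswith("127.") or addr == "[::1]"

def network_exposed_listeners(netstat_output):
    """Return (port, local address, pid) for RMI ports listening on a non-loopback address."""
    exposed = []
    for line in netstat_output.splitlines():
        m = LISTEN_LINE.match(line)
        if not m:
            continue
        addr, port, pid = m.group(1), int(m.group(2)), int(m.group(3))
        if port in RMI_PORTS and not is_loopback(addr):
            exposed.append((port, addr, pid))
    return exposed

if __name__ == "__main__":
    for port, addr, pid in network_exposed_listeners(SAMPLE_NETSTAT):
        print(f"port {port} is reachable from the network on {addr} (PID {pid})")
```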

Update the Java Runtime to version 7 update 18 or later

Administrators can update the Java Runtime to be protected from this vulnerability. To find instructions for manually upgrading the Java Runtime Environment, see:

KB34385 How to manually upgrade the Java Runtime Environment on BlackBerry Enterprise Service 10 version 10.1 to 10.1.2

KB34527 How to manually upgrade the Java Runtime Environment on BlackBerry Enterprise Service 10 version 10.0

More Information

What is JBoss®?
JBoss is an open source component that acts as a container and host for BlackBerry-written components within the BlackBerry Enterprise Service. JBoss is developed and maintained by JBoss, a division of Red Hat.

Definitions

CVE
Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities maintained by the MITRE Corporation.

CVSS
CVSS is a vendor-agnostic, industry open standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency for update deployment within an organization. CVSS scores can range from 0.0 (no vulnerability) to 10.0 (critical). BlackBerry uses CVSS in vulnerability assessments to present an immutable characterization of security issues. BlackBerry assigns all relevant security issues a non-zero score. Customers performing their own risk assessments of vulnerabilities that may impact them can benefit from using the same industry-recognized CVSS metrics.

Acknowledgements
This vulnerability was discovered by Paul O’Grady of Security Compass, who assisted BlackBerry in identifying the cause of the issue.
Change Log

10-13-2013
Amended to reflect standalone UDS as affected and to improve the clarity of the workaround section.

10-08-2013
Initial publication.

Disclaimer

By downloading, accessing or otherwise using the Knowledge Base documents you agree:

   (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and

   (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.