HexView advisory on BlackBerry device buffer overflow and data loss

Article ID: KB03422

Type:   Security Advisory

First Published: 10-29-04

Last Modified: 09-02-2010

 

Product(s) Affected:

  • BlackBerry Enterprise Server
  • BlackBerry Enterprise Server for Microsoft Exchange
  • BlackBerry Enterprise Server for IBM Domino

Affected Software

  • BlackBerry® device
  • BlackBerry® Device Software 3.7 Service Pack 1
  • BlackBerry® Enterprise Server
  • IBM® Lotus® Domino®
  • Microsoft® Exchange

Issue Severity

Not assigned.

 

Overview

A HexView advisory (ID number HEXVIEW*2004*10*12*1) published on 12 October 2004 and a subsequent updated advisory (ID number HEXVIEW*2004*10*14*1) published on 14 October 2004 identified an issue in BlackBerry Device Software 3.7 Service Pack 1 that is known to Research In Motion (RIM) and has been corrected in BlackBerry Device Software 3.8 and later.

The HexView advisory correctly identifies a scenario that can be manufactured to cause a BlackBerry device to reset, but RIM believes that the advisory contains several incorrect conclusions. While exploiting the software issue may cause a BlackBerry device to reset, it does not constitute a buffer overflow or data loss vulnerability. To date, RIM has not received any customer reports of this issue being exploited in practice.

Recommendation

Complete the resolution actions documented in this advisory.

Problem

HexView published a brief advisory on 12 October 2004. HexView's policy at that time was not to contact vendors in advance unless a vendor had a prior agreement with HexView. RIM was not notified in advance and was not able to provide any feedback to HexView prior to the publication of the advisory. RIM has since contacted HexView and HexView was helpful in assisting RIM with this issue.

The advisory states the issue can be created by sending a Microsoft Outlook® meeting request with a large string (over 128 KB) in the Location field. It is important to note that Microsoft Outlook limits the size of the Location field to 255 characters, or bytes, so a large Location field cannot be normally or inadvertently created. Despite this restriction, RIM has replicated the issue defined by HexView on BlackBerry devices running BlackBerry Device Software 3.7 Service Pack 1 and confirmed that a BlackBerry device reset may occur. However, RIM believes the following conclusions in HexView's advisory are incorrect:

  • A buffer overflow and stack corruption occur.
  • Stored messages and BlackBerry device user data are lost. (These are stored in non-volatile Flash memory, not in RAM.)
  • Malicious code can be embedded and executed on the BlackBerry device.

Note: The Watchdog Timer also causes the BlackBerry device to reset.

Impact

A BlackBerry device reset may occur.

Resolution

Install BlackBerry Device Software 3.8 or later.

RIM has implemented further safeguards at the BlackBerry Enterprise Server level with the release of the following BlackBerry products:

  • BlackBerry Enterprise Server software version 4.0
  • BlackBerry Enterprise Server software version 3.6 Service Pack 4 Hot Fix 1 for Microsoft Exchange
  • BlackBerry Enterprise Server software version 2.2 Service Pack 4 Hot Fix 1 for IBM Lotus Domino

These safety measures will prevent artificially large or problematic meeting requests from being delivered to the BlackBerry device. This eliminates the need for BlackBerry Device Software to be upgraded to version 3.8 or later.
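
A server-side check of the kind described above, added here as an example; it is not RIM's code, and the advisory does not describe how BlackBerry Enterprise Server implements its safeguard. It assumes the meeting request is available as iCalendar (RFC 5545) text and uses the 255-byte Outlook limit from the Problem section as the ceiling; all function names, the constant, and the sample request are introduced for this example.

```python
import re

# The advisory cites 255 characters (or bytes) as Outlook's Location limit;
# using it as the gateway ceiling is this example's assumption.
MAX_LOCATION_BYTES = 255

def unfold(ics_text):
    """Undo RFC 5545 folding (line break + space/tab continues a line)."""
    joined = re.sub(r"\r?\n[ \t]", "", ics_text)
    # Split only on CR/LF so other separators inside a value cannot hide data.
    return re.split(r"\r?\n", joined)

def split_property(line):
    """Split 'NAME;params:value' at the first colon outside a quoted param."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == ":" and not quoted:
            return line[:i].split(";", 1)[0].upper(), line[i + 1:]
    return line.upper(), ""

def check_meeting_request(ics_text):
    """Return (deliver, reason); refuse a VEVENT with an oversized LOCATION."""
    in_event = False
    for line in unfold(ics_text):
        name, value = split_property(line)
        if name in ("BEGIN", "END") and value.upper() == "VEVENT":
            in_event = name == "BEGIN"
        elif in_event and name == "LOCATION":
            # Measure the whole unfolded value, not each physical line.
            size = len(value.encode("utf-8", "replace"))
            if size > MAX_LOCATION_BYTES:
                return False, f"LOCATION is {size} bytes (limit {MAX_LOCATION_BYTES})"
    return True, "ok"

def sample_request(location_line):
    """Constructed sample input: one VEVENT, with the given line folded."""
    folded = "\r\n ".join(location_line[i:i + 74]
                          for i in range(0, len(location_line), 74))
    return "\r\n".join(["BEGIN:VCALENDAR", "METHOD:REQUEST", "BEGIN:VEVENT",
                        "SUMMARY:Planning", folded, "END:VEVENT",
                        "END:VCALENDAR", ""])

if __name__ == "__main__":
    print(check_meeting_request(sample_request("LOCATION:Room 4")))
    print(check_meeting_request(sample_request("LOCATION:" + "A" * (128 * 1024 + 1))))
```

Because folded lines never exceed 75 characters each, a filter that measured physical lines instead of the unfolded value would pass the oversized request.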

Additional Information

For more information on BlackBerry security, refer to the following documents:

Visit www.blackberry.com/security for more information on BlackBerry security.

Change Log

09-02-10

Updates to article formatting. No technical content changed.
