Vulnerability in the BlackBerry Desktop Manager allows remote code execution

Article ID: KB19701

Type: Security Advisory

First Published: 11-03-09

Last Modified: 09-02-2010


Product(s) Affected:

  • Desktop Software (Windows)

Affected Software

  • BlackBerry Desktop Software version 5.0 and earlier (on all platforms), IBM® Lotus Notes® Intellisync® functionality

Non Affected Software

  • BlackBerry® Device Software
  • BlackBerry® Enterprise Server

Issue Severity

This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 9.3.

Overview

This advisory relates to a vulnerability in a Lotus Notes Intellisync DLL that the BlackBerry Desktop Manager may use. This vulnerability may allow a malicious user to perform an attack that leverages social engineering to achieve remote code execution on the computer running the BlackBerry Desktop Manager. If the legitimate (logged in) user clicks a link to a malicious web site (for example, in an email message, in a browser, or an instant message) on the computer that is running the BlackBerry Desktop Manager, a vulnerability in an Intellisync component could allow the malicious user who sent the link or created the malicious web site to execute code on the computer using the privileges of the legitimate user.

Note: The affected Lotus Notes Intellisync DLL is included by default in all BlackBerry Desktop Manager installations. This vulnerability exists whether or not the DLL is used after installation.

Issue Status: Vulnerability confirmed. For more information, see the Resolution section.

Recommendation

Complete the resolution actions documented in this advisory.

References

CVE® number: CVE-2009-0306

Problem

A malicious user may attempt to deceive the legitimate user into clicking a link to a web site that appears to be from a trusted source. If the legitimate user chooses to access that site from the computer that is running the BlackBerry Desktop Manager, the user might be led to a web page that the malicious user has designed to perform remote code execution using the legitimate user's privileges on that computer.

The BlackBerry Desktop Manager does not need to be running for a malicious user to exploit this vulnerability.

Impact

A malicious user may be able to deceive a legitimate user into connecting to a web site that is controlled by the malicious user to allow remote code execution on the legitimate user's computer.

Mitigations

  • If you do not require the Lotus Notes Intellisync function you can disable it to prevent a malicious user from exploiting the vulnerability. For more information, see the Workaround section.
  • RIM recommends that users exercise caution when clicking on links that they receive from untrusted sources, and links to untrusted web sites in browsers.
Resolution

RIM has issued a software update that resolves this issue in BlackBerry Desktop Software version 5.0.1 and later.

Upgrade the BlackBerry Desktop Software

Note: The minimum BlackBerry Desktop Software version you can install to resolve this issue is 5.0.1.
  1. In the drop-down list, select BlackBerry Desktop Software v5.0.1 or later and click Next.
  2. Choose a BlackBerry Desktop Manager bundle to download.
  3. Complete the download process and follow the installation instructions to complete the upgrade.
Workaround

You can disable the Lotus Notes Intellisync functionality by unregistering the Intellisync component DLL, lnresobject.dll. Disabling the functionality prevents a malicious user from exploiting the vulnerability but also removes the ability to synchronize data between Lotus Notes and the BlackBerry Desktop Manager.

To unregister the DLL on the computer running the BlackBerry Desktop Manager, complete the following step for your BlackBerry Desktop Software version.

BlackBerry Desktop Software versions earlier than 4.3.0

On the computer running the BlackBerry Desktop Manager, at a command line enter the following command:

regsvr32 /u "C:\Program Files\Research In Motion\BlackBerry\Connectors\Lotus Notes5.0\lnresobjectENG.dll"

BlackBerry Desktop Software version 4.3.0 and later

On the computer running the BlackBerry Desktop Manager, at a command line enter the following command:

regsvr32 /u "C:\Program Files\Research In Motion\BlackBerry\IS71 Connectors\Lotus Notes5.0\lnresobject.dll"
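As an added example that is not part of the RIM advisory, the following PowerShell script lets an administrator verify on a Windows host whether the workaround above is still needed or has taken effect. It checks for the connector DLL at the two paths quoted above, enumerates COM in-process server registrations under HKEY_CLASSES_ROOT\CLSID\{...}\InprocServer32 that point at an lnresobject DLL, and reports a row per path; with the -Unregister switch it runs the same regsvr32 /u command the advisory gives (from an elevated shell). The function name Get-IntellisyncDllStatus, the -Unregister switch and the "Program Files (x86)" path variants for 64-bit Windows are assumptions made for this example; only the two quoted paths and the regsvr32 /u command come from the advisory.

```powershell
# Added example (not from KB19701): audit the Intellisync connector DLL's
# presence and COM registration, and optionally apply the advisory's workaround.
# The first two paths are the ones documented in the Workaround section; the
# "(x86)" variants are an assumption for 64-bit Windows, not from the advisory.
$dllPaths = @(
    'C:\Program Files\Research In Motion\BlackBerry\Connectors\Lotus Notes5.0\lnresobjectENG.dll',
    'C:\Program Files\Research In Motion\BlackBerry\IS71 Connectors\Lotus Notes5.0\lnresobject.dll',
    'C:\Program Files (x86)\Research In Motion\BlackBerry\Connectors\Lotus Notes5.0\lnresobjectENG.dll',
    'C:\Program Files (x86)\Research In Motion\BlackBerry\IS71 Connectors\Lotus Notes5.0\lnresobject.dll'
)

function Get-IntellisyncDllStatus {
    param([switch]$Unregister)   # hypothetical switch name chosen for this example

    # COM in-process servers are registered under HKCR\CLSID\{guid}\InprocServer32,
    # with the DLL path as the key's default value. Collect every registration
    # whose server path ends in lnresobject.dll or lnresobjectENG.dll.
    $registered = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $inproc = Join-Path $_.PSPath 'InprocServer32'
            if (Test-Path $inproc) {
                $server = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
                if ($server -and $server -match 'lnresobject(ENG)?\.dll$') {
                    [pscustomobject]@{ Clsid = $_.PSChildName; Server = $server }
                }
            }
        }

    foreach ($path in $dllPaths) {
        $present      = Test-Path -LiteralPath $path
        $isRegistered = [bool]($registered | Where-Object { $_.Server -ieq $path })
        # Exposed = DLL on disk and still registered, i.e. workaround not applied.
        # (Status reflects the state before any -Unregister action below.)
        [pscustomobject]@{
            Path       = $path
            Present    = $present
            Registered = $isRegistered
            Exposed    = ($present -and $isRegistered)
        }
        if ($Unregister -and $present -and $isRegistered) {
            # Same command the advisory gives; /s suppresses the dialog box.
            # Requires an elevated prompt.
            & regsvr32.exe /s /u $path
        }
    }

    # Registrations that point somewhere other than the documented paths
    # (for example a non-default install directory) are reported as well.
    $registered | Where-Object { $dllPaths -notcontains $_.Server } | ForEach-Object {
        [pscustomobject]@{
            Path       = $_.Server
            Present    = (Test-Path -LiteralPath $_.Server)
            Registered = $true
            Exposed    = $true
        }
    }
}

# Report only; add -Unregister to apply the workaround.
Get-IntellisyncDllStatus | Format-Table -AutoSize
```

A row with Exposed = True means the DLL is both on disk and registered as a COM server, so the browser-triggered path the advisory describes is still reachable; after the upgrade to 5.0.1 or the regsvr32 /u workaround, Registered should read False for every documented path. The script reads HKCR, which any user can do, so the audit itself does not need elevation; only the optional unregister step does.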

Additional Information

CVE

Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities maintained by the MITRE Corporation.

CVSS

CVSS is a vendor agnostic, industry open standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency for update deployment within an organization. CVSS scores range from 0.0 (no vulnerability) to 10.0 (critical). RIM uses CVSS in vulnerability assessments to present an immutable characterization of security issues. RIM assigns all security relevant issues a non-zero score.

BlackBerry Security

Visit www.blackberry.com/security for more information on BlackBerry security.

Acknowledgements

RIM thanks OYXin of Nevis Labs, Aviram Networks, Inc., for reporting this issue to RIM, and working with RIM to protect its customers.

Change Log

09-02-10

Updates to article formatting. No technical content changed.

12-17-09

Article updated to correct minor formatting error.

11-19-09

Article updated to correct error in one of the file paths provided in the Workaround section.

11-06-09

Article updated to include workaround steps for BlackBerry Desktop Manager versions earlier than 4.3.0.

Disclaimer

By downloading, accessing or otherwise using the Knowledge Base documents you agree:

   (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and

   (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.

Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.