Vulnerabilities in BlackBerry Enterprise Server components that process images could allow remote code execution

Article ID: KB27244

Type:   Security Advisory

First Published: 08-09-2011

Last Modified: 09-01-2011


Product(s) Affected:

  • BlackBerry Enterprise Server for Novell GroupWise
  • BlackBerry Enterprise Server for Microsoft Exchange
  • BlackBerry Enterprise Server Express for IBM Lotus Domino
  • BlackBerry Enterprise Server Express for Microsoft Exchange
  • BlackBerry Enterprise Server for IBM Lotus Domino
Affected Software

The issue affects the following software versions:

  • BlackBerry® Enterprise Server version 5.0.3 MR2 and earlier for Microsoft Exchange
  • BlackBerry® Enterprise Server version 5.0.3 MR2 and earlier for IBM Lotus Domino
  • BlackBerry® Enterprise Server version 5.0.1 MR3 and earlier for Novell GroupWise
  • BlackBerry® Enterprise Server Express version 5.0.3 and earlier for Microsoft Exchange
  • BlackBerry® Enterprise Server Express version 5.0.3 and earlier for IBM Lotus Domino
  • BlackBerry Enterprise Server version 4.1.7 and earlier for MDS Applications

Note: The affected software includes versions that are no longer supported. See the Resolution section of this advisory for more information on upgrading to a supported version for which a security software update is available.

Non-Affected Software
  • BlackBerry® Device Software
  • BlackBerry® Desktop Software
  • BlackBerry Enterprise Server version 5.0.3 MR3 and later for Microsoft Exchange and IBM Lotus Domino
  • BlackBerry Enterprise Server version 5.0.1 MR4 and later for Novell GroupWise
  • BlackBerry Enterprise Server Express versions later than 5.0.3 for Microsoft Exchange and IBM Lotus Domino
Are BlackBerry smartphones and the BlackBerry Device Software affected?
No.
Issue Severity

These vulnerabilities have a Common Vulnerability Scoring System (CVSS) score of 10.0 (high severity). See the References section below for the list of issues by CVE issue identifier.

Overview

Vulnerabilities exist in components of the BlackBerry Enterprise Server that process PNG and TIFF images for rendering on the BlackBerry smartphone. The BlackBerry® Mobile Data System – Connection Service component processes images on web pages that the BlackBerry® Browser requests. The BlackBerry® Messaging Agent component processes images in email messages. The BlackBerry® Collaboration Service processes images in instant messages exchanged between your organization's instant messaging server, its BlackBerry Enterprise Server, and devices, using public APIs, a Research In Motion proprietary protocol, and the protocols specified by supported integrated collaboration clients.

Who should read this advisory?
  • BlackBerry Enterprise Server administrators
Who should apply the software fix(es)?
  • BlackBerry Enterprise Server administrators
Recommendation

Complete the resolution actions documented in this advisory to install the applicable security software update on any computer that hosts a BlackBerry MDS Connection Service instance, BlackBerry Messaging Agent instance, or BlackBerry Collaboration Service instance.

Best practices

  • As a mobile device best practice, RIM recommends that users exercise caution when receiving email or instant messages from untrusted sources, and clicking links to web sites at the direction of untrusted sources.
  • Consider installing the BlackBerry Enterprise Server in a segmented network configuration. To configure the BlackBerry Enterprise Solution in a segmented network, you must install each BlackBerry Enterprise Solution component on a computer that is separate from the computers that host other components and then place each computer in its own network segment. A segmented network architecture is designed to isolate attacks and contain them on one computer. See Additional Information, below.  
References
View the linked CVE® Identifiers for descriptions of the security issues that this security advisory addresses: CVE-2010-1205, CVE-2010-3087, CVE-2010-2595, CVE-2011-0192, CVE-2011-1167
Problem

Vulnerabilities exist in how the BlackBerry MDS Connection Service, the BlackBerry Messaging Agent, and the BlackBerry Collaboration Service process PNG and TIFF images for rendering on the BlackBerry smartphone. Successful exploitation of any of these vulnerabilities might allow an attacker to gain access to and execute code on the BlackBerry Enterprise Server. Depending on the privileges available to the configured BlackBerry Enterprise Server service account, the attacker might also be able to extend access to other non-segmented parts of the network.

To exploit these vulnerabilities in how the BlackBerry MDS Connection Service processes PNG and TIFF images, an attacker would need to create a specially crafted web page and then persuade the BlackBerry smartphone user to click a link to that web page. The attacker could provide the link to the user in an email or instant message; the malicious image is fetched and decoded by the BlackBerry MDS Connection Service on the server, not on the smartphone.

To exploit these vulnerabilities in how the BlackBerry Messaging Agent or the BlackBerry Collaboration Service processes PNG and TIFF images, an attacker would need to embed a specially crafted PNG or TIFF image in an email message or enterprise instant message and send the message to the BlackBerry smartphone user. Because the server processes the image on delivery, the user does not need to click a link or an image, or even view the email message or instant message, for the attack to succeed in this scenario.

Impact

These vulnerabilities could allow an attacker to execute arbitrary code using the privileges of the BlackBerry Enterprise Server login account.

Resolution

RIM has issued the following updates that resolve these vulnerabilities in affected supported versions of the BlackBerry Enterprise Server and the BlackBerry Enterprise Server Express. These updates replace the installed image.dll file that the affected components use with a version of image.dll that is not affected by the vulnerabilities.

If you are using a software version that is not listed below, update to one of the listed versions before applying the security software update or Maintenance Release. Visit the Software Support Lifecycle site for information about product support timelines.

Important: You must install the applicable security software update or MR for your software version on any computer that hosts a BlackBerry MDS Connection Service, BlackBerry Messaging Agent, or BlackBerry Collaboration Service instance.

For BlackBerry Enterprise Server Express versions 5.0.1 through 5.0.3 for Microsoft Exchange

Visit http://www.blackberry.com/go/serverdownloads to obtain the Interim Security Software Update for August 9, 2011 for BlackBerry Enterprise Server Express versions 5.0.1 through 5.0.3.

For BlackBerry Enterprise Server Express version 5.0.2 and 5.0.3 for IBM Lotus Domino

Visit http://www.blackberry.com/go/serverdownloads to obtain Interim Security Software Update for August 9, 2011 for BlackBerry Enterprise Server Express versions 5.0.2 and 5.0.3.

For BlackBerry Enterprise Server versions 5.0.1 and 5.0.2 for Microsoft Exchange and IBM Lotus Domino

Visit http://www.blackberry.com/go/serverdownloads to obtain the Interim Security Software Update for August 9, 2011 for BlackBerry Enterprise Server software version 5.0.1 or 5.0.2, whichever you are running. Note that version 5.0.3 MR3 also includes the fix for the vulnerabilities described in this advisory.

For BlackBerry Enterprise Server version 5.0.3 for Microsoft Exchange and IBM Lotus Domino

Visit http://www.blackberry.com/go/serverdownloads to obtain BlackBerry Enterprise Server version 5.0.3 MR3.

For BlackBerry Enterprise Server version 4.1.7 for Novell GroupWise

Visit http://www.blackberry.com/go/serverdownloads to obtain Interim Security Software Update for August 9, 2011 for BlackBerry Enterprise Server software version 4.1.7.

For BlackBerry Enterprise Server version 5.0.1 for Novell GroupWise

Visit http://www.blackberry.com/go/serverdownloads to obtain Interim Security Software Update for August 9, 2011 for BlackBerry Enterprise Server software version 5.0.1.

For BlackBerry Enterprise Server version 4.1 Service Pack 7 for MDS Applications

Visit http://www.blackberry.com/go/serverdownloads to obtain Interim Security Software Update for August 9, 2011 for BlackBerry Enterprise Server software version 4.1.7 for MDS Applications.

Workaround

All workarounds should be considered temporary measures for customers to employ if they cannot install the update immediately or must perform standard testing and risk analysis. RIM recommends that customers without these requirements simply install the update to secure their systems.

Prevent the BlackBerry Enterprise Server from using the vulnerable image.dll file when processing images using the BlackBerry MDS Connection Service

Change the BlackBerry MDS Connection Service settings in the rimpublic.property file to turn off image processing that uses the vulnerable image.dll file.

  1. Navigate to the rimpublic.property file (for example, C:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\Servers\instance\config\rimpublic.property).
  2. In a text editor, open the rimpublic.property file.
  3. Add the following settings to the rimpublic.property file:
    application.handler.rim.slipstream.clientless=false
    application.handler.rim.slipstream.clientful=false
    application.handler.rim.slipstream.progressive=false
  4. Save and close the rimpublic.property file.

Note: When the workaround for the BlackBerry MDS Connection Service is implemented, customers will still see inline images in messages. The workaround causes the BlackBerry MDS Connection Service to use a non-vulnerable library for image processing.

Prevent the BlackBerry Enterprise Server from using the vulnerable image.dll file when processing images using the BlackBerry Collaboration Service

Change the BlackBerry Collaboration Service settings in the rimpublic.property file to turn off image processing that uses the vulnerable image.dll file.

  1. Navigate to the rimpublic.property file (for example, C:\Program Files\Research In Motion\BlackBerry Enterprise Server\BBIM\Servers\instance\config\rimpublic.property).
  2. In a text editor, open the rimpublic.property file.
  3. Add the following settings to the rimpublic.property file:
    application.handler.rim.slipstream.clientless=false
    application.handler.rim.slipstream.clientful=false
    application.handler.rim.slipstream.progressive=false
    improxy.slipstream=false
  4. Save and close the rimpublic.property file.

Note: When the workaround for the BlackBerry Collaboration Service is implemented, customers will still see inline images in instant messages. The workaround causes the BlackBerry Collaboration Service to use a non-vulnerable library for image processing.
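The two rimpublic.property workarounds above are the same edit with one extra key for the BlackBerry Collaboration Service, and on a server with several MDS Connection Service or Collaboration Service instances the edit has to be repeated per instance config directory and then verified. The following Python script is an added example written for this advisory, not a RIM tool. It assumes rimpublic.property is a Java-style key=value file (which is what the steps above imply), rewrites a key in place if it already exists rather than appending a conflicting duplicate, and reports which required keys are still missing. The sample file contents embedded in it are constructed for the demonstration.

```python
"""Apply and verify the KB27244 rimpublic.property workaround.

Added example, not a RIM tool. Assumes rimpublic.property uses Java-style
"key=value" lines; the sample configuration below is constructed.
"""
import re

# Keys the advisory adds for the BlackBerry MDS Connection Service.
MDS_SETTINGS = {
    "application.handler.rim.slipstream.clientless": "false",
    "application.handler.rim.slipstream.clientful": "false",
    "application.handler.rim.slipstream.progressive": "false",
}

# The BlackBerry Collaboration Service needs the same three plus improxy.slipstream.
BBIM_SETTINGS = {**MDS_SETTINGS, "improxy.slipstream": "false"}

# key, optional whitespace, '=' or ':' separator, value (Java properties syntax)
_KV = re.compile(r"^\s*([^#!=:\s][^=:]*?)\s*[=:]\s*(.*?)\s*$")


def _is_comment(line):
    return line.lstrip().startswith(("#", "!"))


def parse_properties(text):
    """Return {key: value}; a later definition of a key wins, as in Java."""
    props = {}
    for line in text.splitlines():
        if not line.strip() or _is_comment(line):
            continue
        m = _KV.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def apply_workaround(text, settings):
    """Return file text with every key in `settings` forced to its value.

    Existing definitions are rewritten where they stand so the file does not
    accumulate duplicate keys; keys that are absent are appended at the end.
    """
    remaining = dict(settings)
    out = []
    for line in text.splitlines():
        m = None if _is_comment(line) else _KV.match(line)
        if m and m.group(1) in settings:
            out.append(f"{m.group(1)}={settings[m.group(1)]}")
            remaining.pop(m.group(1), None)
        else:
            out.append(line)
    for key, value in remaining.items():
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def missing_settings(text, settings):
    """Keys that are absent or not set to the required value."""
    props = parse_properties(text)
    return sorted(k for k, v in settings.items() if props.get(k) != v)


def workaround_applied(text, settings):
    """True only if every required key is present with the required value."""
    return not missing_settings(text, settings)


def patch_file(path, settings):
    """Apply the workaround to a rimpublic.property file on disk (hypothetical path)."""
    with open(path, "r", encoding="utf-8") as fh:
        text = fh.read()
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(apply_workaround(text, settings))


# Constructed sample rimpublic.property contents; a real file has many more
# keys, which the functions above leave untouched.
SAMPLE_MDS_CONFIG = """# constructed sample, not a real BES configuration
application.handler.rim.slipstream.clientless=true
some.unrelated.setting=keep-me
"""

if __name__ == "__main__":
    updated = apply_workaround(SAMPLE_MDS_CONFIG, MDS_SETTINGS)
    print(updated)
    print("MDS workaround in place:", workaround_applied(updated, MDS_SETTINGS))
    # The same text does not yet satisfy the Collaboration Service workaround.
    print("still missing for BBIM:", missing_settings(updated, BBIM_SETTINGS))
```

Run `missing_settings` against each instance's config file after the change and before restarting the service; an empty list is the expected result, and a non-empty one names exactly which keys are still wrong. Because `apply_workaround` is idempotent, it is safe to re-run on a file that was already edited by hand.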

Prevent the BlackBerry Enterprise Server from processing inline images using the BlackBerry Messaging Agent

Follow the instructions in KB15931 for the software version you are running.

Additional Information

What is network segmentation?

The administrator can install the BlackBerry Enterprise Server on a remote computer and then place that computer on its own network segment to prevent the spread of potential attacks from the BlackBerry Enterprise Server to another computer within your organization's network. In a segmented network, attacks are isolated and contained on a single area of the network. A segmented network architecture is also designed to improve the security and performance of each segment by filtering out traffic that is not destined for it. For more information about placing the BlackBerry Enterprise Solution components in a network architecture that is segmented to prevent the spread of potential attacks, see the Technical Note Placing the BlackBerry Enterprise Solution in a Segmented Network.

What is CVE?

Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities maintained by the MITRE corporation.

What is CVSS?

CVSS is a vendor agnostic, industry open standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency for update deployment within an organization. CVSS scores range from 0.0 (no vulnerability) to 10.0 (critical). RIM uses CVSS for vulnerability assessments to present an immutable characterization of security issues. RIM assigns all relevant security issues a non-zero score.

Where can I read more about the security of BlackBerry products and solutions?

Visit www.blackberry.com/security for more information on BlackBerry security.

Change Log

09-01-2011

This advisory has been updated to include the following details:

  • The BlackBerry Enterprise Server version 4.1.7 and earlier for MDS Applications is affected. A resolution in the form of an Interim Security Update is available for the BlackBerry Enterprise Server version 4.1.7 for MDS Applications. 
  • The BlackBerry Collaboration Service component is affected. A workaround to prevent the BlackBerry Enterprise Server from using the vulnerable image.dll file when processing images using the BlackBerry Collaboration Service is included.

08-23-2011

This advisory has been updated to correct a typo and clarify instructions in the Workaround section.

08-18-2011

This advisory has been updated to clarify the Affected Software and the Workaround sections.

08-10-2011

This advisory has been updated to clarify the following details:

  • The software updates to address the issue must be applied on any computer that hosts a BlackBerry MDS Connection Service or BlackBerry Messaging Agent instance.
  • The vulnerabilities do not affect BlackBerry Enterprise Server version 5.0.3 MR3 and later for Microsoft Exchange and IBM Lotus Domino.

Disclaimer

By downloading, accessing or otherwise using the Knowledge Base documents you agree:

   (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and

   (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.


Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.