Vulnerability in a BlackBerry Enterprise Server component could allow information disclosure and partial denial of service

Article ID: KB27258

Type:   Security Advisory

First Published: 07-12-2011

Last Modified: 07-12-2011


Product(s) Affected:

  • BlackBerry Enterprise Server for Novell GroupWise
  • BlackBerry Enterprise Server for Microsoft Exchange
  • BlackBerry Enterprise Server Express for IBM Lotus Domino
  • BlackBerry Enterprise Server Express for Microsoft Exchange
  • BlackBerry Enterprise Server for IBM Lotus Domino
Affected Software

This issue affects the BlackBerry® Administration Application Programming Interface (API) component within the BlackBerry® Administration Service component of the following software versions:

  • BlackBerry® Enterprise Server version 5.0.0 for Microsoft Exchange, IBM Lotus Domino and Novell GroupWise (with the BlackBerry® Administration API component installed as an option only)
  • BlackBerry® Enterprise Server Express 5.0.0 for Microsoft Exchange and IBM Lotus Domino (with the BlackBerry® Administration API component installed as an option only)
  • BlackBerry® Enterprise Server Express versions 5.0.1, 5.0.2 and 5.0.3 for Microsoft Exchange
  • BlackBerry® Enterprise Server Express versions 5.0.2 and 5.0.3 for IBM Lotus Domino
  • BlackBerry® Enterprise Server versions 5.0.1, 5.0.2 and 5.0.3 for Microsoft Exchange and IBM Lotus Domino
  • BlackBerry® Enterprise Server version 5.0.1 for Novell GroupWise
Non-Affected Software
  • BlackBerry® Device Software
  • BlackBerry® Desktop Software
  • BlackBerry® Internet Service
Are BlackBerry smartphones and the BlackBerry Device Software affected?

No.

Issue Severity
This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 4.8.
Overview

This advisory describes a security issue in the BlackBerry Administration API component. Successful exploitation of the vulnerability could result in information disclosure and partial denial of service (DoS).

The BlackBerry Administration API is a BlackBerry Enterprise Server component that is installed on the server that hosts the BlackBerry Administration Service. The BlackBerry Administration API contains multiple web services that receive API requests from client applications. The BlackBerry Administration API then translates requests into a format that the BlackBerry Administration Service can process.

Who should read this advisory?
BlackBerry Enterprise Server administrators.
Who should apply the software fix(es)?
BlackBerry Enterprise Server administrators.
Recommendation

Complete the resolution actions documented in this advisory.

Best practices

  • Consider installing the BlackBerry Enterprise Server in a segmented network configuration. To configure the BlackBerry Enterprise Solution in a segmented network, you must install each BlackBerry Enterprise Solution component on a computer that is separate from the computers that host other components and then place each computer in its own network segment. A segmented network architecture is designed to isolate attacks and contain them on one computer. See Additional Information, below.
References
CVE® Identifier: CVE-2011-0287.
Problem

A vulnerability exists in the BlackBerry Administration API which could allow an attacker to read files on the BlackBerry Enterprise Server that contain only printable characters, including unencrypted text files such as configuration and log files. Binary file formats, including those used for message storage, are not affected. The files that can be read are limited to those accessible under the user permissions granted to the BlackBerry Administration API component, so the service account that component runs as bounds the exposure.
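The advisory's two limits (only printable-only files, and only what the Administration API's own account can read) define the set of files an administrator should treat as exposure candidates when assessing an unpatched server. The following Python script is an added triage helper written for this page; it is not part of the advisory and not RIM code. It assumes that "printable characters" means text that decodes as UTF-8 and contains only printable characters plus tab, newline, carriage return and a BOM, and that running it as the service account hosting the Administration API approximates that component's read permissions. The sample directory it builds is constructed for the dry run and contains no real BlackBerry Enterprise Server data.

```python
import os
import string
import tempfile

# Assumption standing in for the advisory's "printable characters": any
# character Python considers printable, plus ordinary text whitespace and a
# UTF-8 byte-order mark that Windows text editors often prepend.
_TEXT_CONTROL = "\t\n\r\ufeff"


def is_printable_only(data: bytes) -> bool:
    """Return True if the bytes decode as UTF-8 and contain only printable text.

    Binary formats (NUL bytes, non-UTF-8 byte sequences, control characters
    other than tab/newline/CR) return False and so fall outside what the
    advisory says can be read.
    """
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in _TEXT_CONTROL for ch in text)


def classify_file(path: str, max_bytes: int = 8 * 1024 * 1024) -> str:
    """Classify one file as printable-only, binary, empty, too-large or unreadable.

    Runs with the permissions of the current process, so executing this as the
    service account that hosts the Administration API approximates what that
    component could reach (assumption: the account's rights bound the exposure,
    as the advisory states).
    """
    try:
        size = os.path.getsize(path)
        if size == 0:
            return "empty"
        if size > max_bytes:
            return "too-large"
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return "unreadable"
    return "printable-only" if is_printable_only(data) else "binary"


def inventory(root: str) -> dict:
    """Walk root and map each file (relative path, '/' separated) to its class."""
    results = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            results[rel] = classify_file(full)
    return results


def summarize(inv: dict) -> dict:
    """Count files per class; 'printable-only' is the exposure-candidate set."""
    counts = {}
    for cls in inv.values():
        counts[cls] = counts.get(cls, 0) + 1
    return counts


def build_sample_tree() -> str:
    """Create a constructed sample directory (not real BES data) for a dry run."""
    root = tempfile.mkdtemp(prefix="bes_triage_")
    os.makedirs(os.path.join(root, "logs"))
    samples = {
        # constructed: a plaintext config with a credential, the kind of file
        # the advisory's "unencrypted text files" phrase covers
        "config.properties": b"db.host=besdb01\ndb.user=besadmin\ndb.password=hunter2\n",
        # constructed: UTF-8 log line with a non-ASCII character, still text
        "logs/api.log": "2011-07-12 10:00:01 INFO request from 10.0.0.5 (caf\u00e9)\n".encode("utf-8"),
        # constructed: binary store, outside the advisory's scope
        "store.dat": b"\x00\x01\x02BINARY\xff\xfe",
        "empty.txt": b"",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    inv = inventory(build_sample_tree())
    for rel, cls in sorted(inv.items()):
        print(f"{cls:15} {rel}")
    print(summarize(inv))
```

Point `inventory()` at the BlackBerry Enterprise Server installation and data directories while running as the Administration API's service account; every file reported as printable-only is one the advisory's description covers, which is what the account's read permissions should be trimmed to while the interim update is being scheduled.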

Impact

Successful exploitation of this issue could allow information disclosure of printable-only files readable by the BlackBerry Administration API component. Successful exploitation may also result in resource exhaustion on the server and therefore could be leveraged as a partial denial of service (DoS).

Resolution

RIM has issued the following releases and interim security software updates that resolve the vulnerability in affected versions of the BlackBerry Enterprise Server:

  • For BlackBerry Enterprise Server Express versions 5.0.1, 5.0.2 and 5.0.3 for Microsoft Exchange
  • For BlackBerry Enterprise Server Express versions 5.0.2 and 5.0.3 for IBM Lotus Domino
  • For BlackBerry Enterprise Server versions 5.0.1, 5.0.2 and 5.0.3 for Microsoft Exchange and IBM Lotus Domino
  • For BlackBerry Enterprise Server version 5.0.1 for Novell GroupWise

If you are using a software version that is not listed above, update to one of the listed versions before applying the interim security software update.

Additional Information

What is network segmentation?

The administrator can install the BlackBerry Attachment Service on a remote computer and then place that computer on its own network segment, so that a potential attack on the BlackBerry Attachment Service cannot spread to other computers within your organization's network. In a segmented network, attacks are isolated and contained in a single area of the network. A segmented network architecture is also designed to improve the security and performance of the BlackBerry Attachment Service network segment by filtering out attachment data that is not destined for other network segments. For more information about placing the BlackBerry Enterprise Solution components in a network architecture that is segmented to prevent the spread of potential malware attacks, see Placing the BlackBerry Enterprise Solution in a Segmented Network.

What is CVE?

Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities maintained by the MITRE corporation.


What is CVSS?

CVSS is a vendor agnostic, industry open standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency for update deployment within an organization. CVSS scores range from 0.0 (no vulnerability) to 10.0 (critical). RIM uses CVSS for vulnerability assessments to present an immutable characterization of security issues. RIM assigns all relevant security issues a non-zero score.


Visit www.blackberry.com/security for more information on BlackBerry security.

Acknowledgements
RIM would like to thank Richard Leach of NGSSecure for his involvement in helping to protect our customers.

Disclaimer

By downloading, accessing or otherwise using the Knowledge Base documents you agree:

   (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and

   (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.


Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.