BSRT-2013-009 Vulnerabilities in libexif impact BlackBerry PlayBook tablet software

Article ID: KB34780

Type:   BlackBerry Security Advisory

First Published: 09-10-2013

Last Modified: 09-12-2013

Overview

This advisory addresses libexif library vulnerabilities that are not currently being exploited but affect BlackBerry® PlayBook™ tablet customers. BlackBerry® customer risk is limited by the BlackBerry tablet OS design, which restricts an application's access to system resources and the private data of other applications. Successful exploitation requires an attacker to craft a malicious image file and also requires that a user opens or saves this image file from an email or website. If the requirements are met for exploitation, an attacker could potentially gain access to, read or modify data on the device. After installing the recommended software update, affected BlackBerry PlayBook Tablet customers will be fully protected from this vulnerability.

Who should read this advisory?
  • BlackBerry PlayBook tablet users
  • IT administrators who deploy BlackBerry PlayBook tablets in an enterprise

Who should apply the software fix(es)?
  • BlackBerry PlayBook tablet users
  • IT administrators who deploy BlackBerry PlayBook tablets in an enterprise

More Information

    Have any BlackBerry customers been subject to an attack that exploits these vulnerabilities?
    BlackBerry is not aware of any attacks targeting BlackBerry tablet customers using these libexif vulnerabilities.

    What factors affected the release of this security advisory?
    This advisory addresses publicly known libexif vulnerabilities. BlackBerry publishes full details of a software update in a security advisory after the fix is available to the majority of our customers and wireless service provider partners. Publishing this advisory ensures that all of our customers can protect themselves by updating their software, or employing available workarounds if updating is not possible. Customers for whom the software update is not yet available should contact their wireless service provider to request BlackBerry Tablet OS version 2.1.0.1753 or later.

    Where can I read more about BlackBerry PlayBook tablet security?
    Read the BlackBerry PlayBook Tablet Security Feature Overview and the BlackBerry Enterprise Service 10 Security Technical Overview for more information on security features in the BlackBerry PlayBook tablet.

    Where can I read more about the security of BlackBerry products and solutions?
    Visit http://us.blackberry.com/business/topics/security.html for more information on BlackBerry security.

    Affected Software and Resolutions
    Customers can read the following lists to determine if their BlackBerry PlayBook tablet is affected.
    Affected Software
    • BlackBerry PlayBook tablet software version 2.1.0.1526 and earlier
    Non-Affected Software
    • BlackBerry PlayBook Tablet software version 2.1.0.1753 and later
    Are BlackBerry smartphones affected?

    No.

    Resolution

    BlackBerry has issued a fix for these vulnerabilities, which is included in BlackBerry PlayBook tablet software version 2.1.0.1753. This software update resolves these vulnerabilities on affected versions of the BlackBerry PlayBook tablet. Update BlackBerry PlayBook tablet software to version 2.1.0.1753 or later to be fully protected from these issues.

    Note: If customers are running a BlackBerry Tablet OS version earlier than 2.1.0.1753 but do not see a software update notification and the device indicates that the software is up to date, customers should contact their wireless service provider to request BlackBerry Tablet OS version 2.1.0.1753 or later.

    See the Mitigations section of this advisory for information on how to manage potential risk until the software update is available for all customers.

    Update by Accessing the Software Update Notification

    BlackBerry PlayBook tablets use notifications to keep customers informed about software updates. When a new software update notification is available, it appears in the status ribbon at the top of the screen on the BlackBerry PlayBook tablet.
    Simply view the notifications and follow the steps to access the latest software update notification and complete the software update.

    Manually Check for Software Updates on the BlackBerry PlayBook tablet

    1. From the home screen, swipe down from the top of the screen.
    2. Tap Software Updates.
    3. Tap Check for Updates.

    Customers can also update the device software using BlackBerry® Desktop Software. For more information, see the Help documentation for BlackBerry Desktop Software.

    After customers update their software, the screen will indicate that BlackBerry Tablet OS version 2.1.0.1753 or later is installed on the device.

    More Information

    How can I find out what version of BlackBerry Tablet OS I am running?
    From the home screen, tap the Settings icon, tap About, and view the OS Version field in the General settings.

    Are new (still in the box) BlackBerry PlayBook tablets exposed to these vulnerabilities?
    As long as the user fully completes the device setup, including the device software update, the user's tablet will not be affected. During the initial setup process, the BlackBerry PlayBook tablet will download and install the latest version of the OS. The fix for these vulnerabilities is included in all versions of the BlackBerry PlayBook tablet software after version 2.1.0.1753.

    Note: If a customer is running a BlackBerry Tablet OS version earlier than 2.1.0.1753 but does not see a software update notification during the initial setup process and the device indicates that the software is up to date, customers should contact their wireless service provider to request BlackBerry Tablet OS version 2.1.0.1753 or later.

    Are BlackBerry smartphones exposed to this vulnerability?
    No.

    Does the BlackBerry PlayBook tablet force me to update my software?
    No; customer action is required to update the software. BlackBerry PlayBook tablets use notifications to keep customers informed about software updates and provide instructions for customers to easily install a software update. Customers can also manually check for software updates. See the Resolution section of this advisory for steps to update customer software.

    Can a BlackBerry PlayBook tablet user update the libexif library without performing a full BlackBerry Tablet OS update?
    No. The libexif library is provided as an integral part of the BlackBerry Tablet OS installation, and they must be updated together.

    Vulnerability Information

    Multiple vulnerabilities exist in the open source EXIF tag parsing library (libexif) supplied with affected versions of the BlackBerry PlayBook Tablet OS. The libexif library is an open source component used for processing EXIF metadata tags embedded in images. Successful exploitation of one or more of these vulnerabilities could result in an attacker executing code in the context of the application that opens the specially crafted image.

    In order to exploit these vulnerabilities, an attacker must craft an image with malformed EXIF data. The attacker must then cause the user to take action to open or save the image, after the image has been displayed in an email message or on a webpage.

    These issues are in the libexif library and affect systems that support the libexif library. Read the following libexif project security bulletin for further information on the issues: http://sourceforge.net/mailarchive/message.php?msg_id=29534027

    This issue comprises multiple vulnerabilities, with a maximum Common Vulnerability Scoring System (CVSS) score of 7.5. View the linked CVE identifiers for descriptions of the libexif security issues that this security advisory addresses.

    CVE identifier  —  CVSS score

    CVE-2012-2812 — 6.4
    CVE-2012-2813 — 6.4
    CVE-2012-2814 — 7.5
    CVE-2012-2836 — 6.4
    CVE-2012-2837 — 5.0
    CVE-2012-2840 — 7.5
    CVE-2012-2841 — 7.5
    CVE-2012-2845 — 6.4
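    As an added illustration, not code from BlackBerry or from the libexif project, the following Python sketch shows the kind of bounds checking an EXIF/TIFF IFD parser has to perform so that malformed tag offsets and counts in crafted EXIF data are rejected instead of being read out of bounds, which is the failure mode the advisory describes. It constructs a small EXIF blob, parses it, then tampers with one entry's offset field and confirms the parser refuses it. The helper names (`parse_exif`, `build_exif`, `MalformedExif`, `demo`) and the sample tag values are this example's own assumptions.

```python
import struct

# Byte size of each TIFF/EXIF field type (type codes 1..10 from the TIFF 6.0 spec)
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8}


class MalformedExif(ValueError):
    """Raised when an EXIF structure points outside the buffer or is inconsistent."""


def parse_exif(data, max_entries=512):
    """Walk IFD0 of a TIFF-structured EXIF blob with strict bounds checks.

    Returns a list of (tag, type, count, value_bytes). Every offset and length
    is validated against len(data) before it is dereferenced.
    """
    if len(data) < 8:
        raise MalformedExif("TIFF header truncated")
    order = data[:2]
    if order == b"II":
        end = "<"  # little-endian
    elif order == b"MM":
        end = ">"  # big-endian
    else:
        raise MalformedExif("unknown byte order mark %r" % order)
    magic, ifd_off = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        raise MalformedExif("bad TIFF magic 0x%04x" % magic)
    return _parse_ifd(data, end, ifd_off, max_entries)


def _parse_ifd(data, end, off, max_entries):
    if off + 2 > len(data):
        raise MalformedExif("IFD offset 0x%x beyond buffer" % off)
    (n,) = struct.unpack(end + "H", data[off:off + 2])
    if n > max_entries:
        raise MalformedExif("IFD claims %d entries, limit is %d" % (n, max_entries))
    if off + 2 + 12 * n > len(data):
        raise MalformedExif("IFD entry table overruns buffer")
    entries = []
    for i in range(n):
        e = off + 2 + 12 * i
        tag, typ, count = struct.unpack(end + "HHI", data[e:e + 8])
        if typ not in TYPE_SIZES:
            raise MalformedExif("tag 0x%04x has unknown type %d" % (tag, typ))
        size = TYPE_SIZES[typ] * count
        if size <= 4:
            value = data[e + 8:e + 8 + size]  # value stored inline in the 4-byte field
        else:
            (voff,) = struct.unpack(end + "I", data[e + 8:e + 12])
            # Written as voff > len - size rather than voff + size > len so the
            # same test stays correct in C, where voff + size can wrap around.
            if voff > len(data) - size:
                raise MalformedExif(
                    "tag 0x%04x data at 0x%x (+%d) beyond buffer" % (tag, voff, size))
            value = data[voff:voff + size]
        entries.append((tag, typ, count, value))
    return entries


def build_exif(entries, order=b"II"):
    """Construct a minimal EXIF/TIFF blob (constructed test data, not a real image).

    entries: list of (tag, type, payload_bytes). Payloads longer than 4 bytes are
    placed after the IFD and referenced by offset, as the format requires.
    """
    end = "<" if order == b"II" else ">"
    n = len(entries)
    ifd_off = 8
    heap_off = ifd_off + 2 + 12 * n + 4  # 4 bytes for the next-IFD pointer
    table = struct.pack(end + "H", n)
    heap = b""
    for tag, typ, payload in entries:
        count = len(payload) // TYPE_SIZES[typ]
        if len(payload) <= 4:
            field = payload.ljust(4, b"\0")
        else:
            field = struct.pack(end + "I", heap_off + len(heap))
            heap += payload
        table += struct.pack(end + "HHI", tag, typ, count) + field
    table += struct.pack(end + "I", 0)  # no IFD1
    return order + struct.pack(end + "HI", 42, ifd_off) + table + heap


def demo():
    """Parse a well-formed blob, then a copy whose Make tag offset points past the end."""
    good = build_exif([(0x010F, 2, b"Example Make\0"),  # Make, ASCII (constructed)
                       (0x0112, 3, b"\x01\x00")])  # Orientation, SHORT, little-endian
    parsed = parse_exif(good)
    bad = bytearray(good)
    struct.pack_into("<I", bad, 8 + 2 + 8, 0xFFFFFFF0)  # offset field of entry 0
    try:
        parse_exif(bytes(bad))
        verdict = "accepted"
    except MalformedExif as exc:
        verdict = "rejected: %s" % exc
    return parsed, verdict


if __name__ == "__main__":
    parsed, verdict = demo()
    for tag, typ, count, value in parsed:
        print("tag 0x%04x type %d count %d value %r" % (tag, typ, count, value))
    print("tampered blob:", verdict)
```

    The parser trusts nothing in the entry table: the entry count is capped, the table itself is checked against the buffer before any entry is read, and each out-of-line value is checked before being sliced. Running the script prints the two parsed tags from the constructed blob and then reports the tampered copy as rejected.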

    Mitigations

    These issues are mitigated for all customers by the prerequisite that the attacker must persuade the customer to access the maliciously crafted image with malformed EXIF data by opening or saving the specially crafted image. The attacker cannot force the customer to open or save the image or bypass the requirement that the customer chooses to access the image. BlackBerry recommends that customers do not open or save images in emails received from untrusted sources or within webpages they are otherwise directed to by untrusted sources, on the BlackBerry tablet.

    The capabilities and permissions of BlackBerry tablet applications are restricted by using a technique called sandboxing. Sandboxing limits the impact of vulnerabilities in applications on the confidentiality or integrity of other applications or the private data associated with them.

    Workarounds

    There are no workarounds for these vulnerabilities. BlackBerry recommends that all users apply the available software update to fully protect their BlackBerry PlayBook tablets.

    All workarounds should be considered temporary measures for customers to employ if they cannot install the update immediately or must perform standard testing and risk analysis. BlackBerry recommends that customers without these requirements install the update to secure their systems.

    Definitions

    CVE

    Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities maintained by the MITRE Corporation.

    CVSS

    CVSS is a vendor-agnostic, industry open standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency for update deployment within an organization. CVSS scores can range from 0.0 (no vulnerability) to 10.0 (critical). BlackBerry uses CVSS in vulnerability assessments to present an immutable characterization of security issues. BlackBerry assigns all relevant security issues a non-zero score. Customers performing their own risk assessments of vulnerabilities that may impact them can benefit from using the same industry-recognized CVSS metrics.

    Change Log

    09-10-2013

    Initial publication.

    09-12-2013

    Corrected to fix typo.

    Disclaimer

    By downloading, accessing or otherwise using the Knowledge Base documents you agree:

       (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and

       (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.


    Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.