BSRT 2013-012 Vulnerability in remote file access feature impacts BlackBerry Link

Article ID: KB35315

Type:   BlackBerry Security Advisory

First Published: 11-12-2013

Last Modified: 11-12-2013

 

Product(s) Affected:

  • BlackBerry Link for Windows
  • BlackBerry Link for Mac

Overview

This advisory addresses an elevation of privilege or remote code execution vulnerability that is not currently being exploited but affects BlackBerry Link. BlackBerry customer risk is limited by the inability of a potential attacker to force exploitation of the vulnerability without customer interaction. Successful exploitation requires that an attacker persuade a user on a system with BlackBerry Link installed to click on a specifically crafted link or access a webpage containing maliciously crafted code. In the alternative scenario, successful exploitation requires that a local attacker be able to log in to the affected system while the BlackBerry Link remote file access feature is running under a different user account. If the requirements for exploitation are met, an attacker could potentially gain access to, read, or modify data in the BlackBerry Link remote file access folder of the user account under which the BlackBerry Link remote file access feature is running. After installing the recommended software update, affected BlackBerry Link customers will be fully protected from this vulnerability.

Who should read this advisory?
  • BlackBerry Link users
  • IT administrators who deploy BlackBerry Link in an enterprise

Who should apply the software fix(es)?
  • BlackBerry Link users
  • IT administrators who deploy BlackBerry Link in an enterprise

More Information

What is BlackBerry Link?
BlackBerry Link allows customers to manage and sync content between BlackBerry 10 devices and their computer. For more information about BlackBerry Link, visit http://www.blackberry.com/blackberrylink.

Have any BlackBerry customers been subject to an attack that exploits this vulnerability?
BlackBerry is not aware of any attacks targeting BlackBerry customers using this vulnerability.

What factors affected the release of this security advisory?
This advisory addresses a publicly known vulnerability. BlackBerry publishes full details of a software update in a security advisory after the fix is available to the majority of our customers. Publishing this advisory ensures that all of our customers can protect themselves by updating their software, or employing available workarounds if updating is not possible.

Where can I read more about the security of BlackBerry products and solutions?
For more information on BlackBerry security, visit http://us.blackberry.com/business/topics/security.html.

Affected Software and Resolutions

Read the following to determine if your version of BlackBerry Link is affected.

Affected Software
  • BlackBerry Link for Windows version 1.0.1.12 to 1.2.0.28
  • BlackBerry Link for Mac OS version 1.0.1 (build 6) to 1.1.1 (build 35)

Non-Affected Software
  • BlackBerry Link for Windows prior to version 1.0.1.12
  • BlackBerry Link for Mac OS prior to version 1.0.1 (build 6)
  • BlackBerry Link for Windows version 1.2.1.31
  • BlackBerry Link for Mac OS version 1.1.1 (build 39)

Are BlackBerry smartphones affected?
No.

Resolution

BlackBerry has issued a fix for this vulnerability, which is included in BlackBerry Link for Windows version 1.2.1.31 and BlackBerry Link for Mac OS version 1.1.1 (build 39). These software updates resolve this vulnerability in affected versions of BlackBerry Link. Update BlackBerry Link for Windows to software version 1.2.1.31 or later, or BlackBerry Link for Mac OS to version 1.1.1 (build 39), to be fully protected from this issue.

See the Mitigations section of this advisory for information on how to manage potential risk if updating is not possible at this time.

Vulnerability Information

A vulnerability exists in the Peer Manager component of affected BlackBerry Link versions. BlackBerry Link allows customers to manage and sync content between BlackBerry 10 devices and their computer; Peer Manager is the component of BlackBerry Link that provides remote file access. The BlackBerry Link Peer Manager uses WebDAV to provide access to user data. This allows a local user, using their smartphone, to access user data from the specified remote file access folder(s) on the computer. There are three potential scenarios for this vulnerability:

Local Elevation of Privilege

In multi-user systems, the remote file access folder belonging to the account that Peer Manager is running under can be accessible to other accounts on the system.

Successful exploitation of this attack scenario could result in a local lower privileged user accessing user data belonging to the higher privileged account that Peer Manager is running under.

In order to exploit this vulnerability, a lower privileged user must log into their account on a system on which a higher privileged user has previously logged in, resulting in Peer Manager running under the higher privileged user account.

Remote Code Execution

Successful exploitation of this attack scenario could result in a remote attacker accessing data belonging to a user's remote file access folder, with the rights of the user's account.

In order to exploit this vulnerability, an attacker must persuade a local user to click on a specifically crafted link or access a webpage containing maliciously crafted code.

Remote Code Execution with Local Elevation of Privilege

In multi-user systems, the remote file access folder belonging to the account that Peer Manager is running under can be accessible to other accounts.

Successful exploitation of this attack scenario could result in a remote attacker persuading a lower privileged user to access data belonging to the higher privileged account that Peer Manager is running under.

In order to exploit this vulnerability, an attacker must persuade a lower privileged local user to click on a specifically crafted link or access a webpage containing maliciously crafted code while the user is logged into their account on a machine on which a higher privileged user has previously logged in, resulting in Peer Manager running under the higher privileged user account.

This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 6.8. View the linked CVE identifier for a description of the security issue that this security advisory addresses: CVE-2013-3694.

Mitigations

Mitigations are existing conditions that a potential attacker would need to overcome to mount a successful attack or that would limit the severity of an attack. Examples of such conditions include default settings, common configurations and general best practices.

The elevation of privilege attack scenario for this issue is mitigated in systems that do not support multiple users, and it is further mitigated by the requirement that the attacker must have valid local login credentials.

Remote code execution attack scenarios for this issue are mitigated for all customers by the prerequisite that the attacker must persuade the customer to access the maliciously crafted link or visit a webpage containing maliciously crafted code.

In order to exploit this vulnerability, an attacker must know the IPv6 address generated upon Peer Manager startup.

Workarounds

Workarounds are settings or configuration changes that a user or administrator can apply to help protect against an attack. BlackBerry recommends that all users apply the available software update to fully protect their system. All workarounds should be considered temporary measures for customers to apply if they cannot install the update immediately or must perform standard testing and risk analysis. BlackBerry recommends that customers who are able to do so install the update to secure their systems.

Remove the remote file sharing directory in Link

Users who cannot upgrade BlackBerry Link at this time can remove the folder that is accessed when remote file sharing is installed.

Note: For affected users running BlackBerry Link for Windows or BlackBerry Link for Mac OS versions prior to 1.1, skip to step 4.

1. On your computer, open BlackBerry Link.
2. Access the Remote File Access settings:
  • In version 1.1, at the bottom of the screen, click your computer, then click the Settings icon. In the Settings view, click Remote File Access.
  • In version 1.2, at the side of the screen, click your computer, then click Remote File Access.
3. Click the X beside the folder specified in the Share the following folders with remote devices field.
4. Check that the folder name (e.g., \Users\username) is not in the folder_config.xml file. This file can be located in the following locations:
  • On systems running Microsoft Windows: %AppData%\Research In Motion\BlackBerry 10 Desktop\RemoteAccess\nginx\conf\folder_config.xml
  • On systems running Mac OS: ~/Library/Application Support/BlackBerry Link/RemoteAccess/nginx/conf/folder_config.xml
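As an added check for administrators (example code, not BlackBerry's own tooling), the following Python script applies the affected-version ranges listed under Affected Software and confirms step 4 of the workaround above. Since the advisory does not document the schema of folder_config.xml, the script assumes only that the shared folder path appears verbatim somewhere in that file.

```python
"""Checks for BSRT 2013-012 (KB35315): affected-version test and folder_config.xml check."""
import re

# Inclusive affected ranges as listed in the advisory. Windows versions are
# four-part dotted strings; Mac versions are "a.b.c (build N)".
WINDOWS_AFFECTED = ((1, 0, 1, 12), (1, 2, 0, 28))
MAC_AFFECTED = ((1, 0, 1, 6), (1, 1, 1, 35))

def parse_version(platform, text):
    """Convert a BlackBerry Link version string into a comparable tuple."""
    if platform == "windows":
        parts = tuple(int(p) for p in text.strip().split("."))
        if len(parts) != 4:
            raise ValueError("expected a.b.c.d, got %r" % text)
        return parts
    if platform == "mac":
        m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*\(build\s+(\d+)\)\s*", text)
        if not m:
            raise ValueError("expected 'a.b.c (build N)', got %r" % text)
        return tuple(int(g) for g in m.groups())
    raise ValueError("unknown platform %r" % platform)

def is_affected(platform, text):
    """True if the installed version lies inside the advisory's affected range."""
    low, high = WINDOWS_AFFECTED if platform == "windows" else MAC_AFFECTED
    return low <= parse_version(platform, text) <= high

def _norm(path):
    # Normalise separators and case so '\Users\alice' matches 'C:/users/alice'.
    return path.replace("\\", "/").lower()

def shared_folder_present(config_text, folder):
    """True if the shared folder path still appears in folder_config.xml.

    Assumption (the advisory does not document the file's schema): the
    folder path is stored verbatim somewhere in the file, so a normalised
    substring search is enough to confirm step 4 of the workaround.
    """
    return _norm(folder) in _norm(config_text)

if __name__ == "__main__":
    # Constructed sample config, not taken from a real installation.
    sample = '<config><share path="C:\\Users\\alice" /></config>'
    print(is_affected("windows", "1.2.0.28"))               # True: top of affected range
    print(is_affected("mac", "1.1.1 (build 39)"))            # False: fixed build
    print(shared_folder_present(sample, "\\Users\\alice"))  # True: workaround not applied
```

To run it against a real installation, read the folder_config.xml path given for your platform above and pass its contents to shared_folder_present together with the folder removed in step 3.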

When the workaround is applied, customers will be unable to remotely access files on their computer from their BlackBerry 10 device.

Uninstall BlackBerry Link

Users who cannot upgrade BlackBerry Link at this time can uninstall the software.

Uninstalling BlackBerry Link for Windows

For instructions to uninstall BlackBerry Link, consult the following knowledgebase articles:

Uninstalling BlackBerry Link for Mac OS

For instructions to uninstall BlackBerry Link, consult the following knowledgebase article: http://support.apple.com/kb/ph11356

When the workaround is applied, customers will be unable to manage and sync content with their computer using their BlackBerry 10 device.

More Information

What is the remote file access folder?
This refers to the root folder specified in the "Share the following folders with remote devices" field of the Remote File Access settings in BlackBerry Link, together with its subfolders. Allowed devices can access the specified folders over a Wi-Fi connection. Visit http://docs.blackberry.com/en/smartphone_users/deliverables/53213/lym1345128370803.jsp for more information about Remote File Access.

Definitions

CVE
Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities maintained by the MITRE Corporation.

CVSS
CVSS is a vendor agnostic, industry open standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency for update deployment within an organization. CVSS scores can range from 0.0 (no vulnerability) to 10.0 (critical). BlackBerry uses CVSS in vulnerability assessments to present an immutable characterization of security issues. BlackBerry assigns all relevant security issues a non-zero score. Customers performing their own risk assessments of vulnerabilities that may impact them can benefit from using the same industry-recognized CVSS metrics.

Acknowledgements

BlackBerry would like to thank Tavis Ormandy and Ollie Whitehouse for their individual reports and involvement in helping protect our customers.

Change Log

11-12-2013
Initial publication.

Disclaimer

By downloading, accessing or otherwise using the Knowledge Base documents you agree:

   (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and

   (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.

Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.