This advisory addresses an elevation of privilege or remote code execution vulnerability that is not currently being exploited but affects BlackBerry Link. BlackBerry customer risk is limited by the inability of a potential attacker to force exploitation of the vulnerability without customer interaction. Successful exploitation can require that an attacker must persuade a user on a system with BlackBerry Link installed to click on a specifically crafted link or access a webpage containing maliciously crafted code. In the alternative scenario, successful exploitation requires that a local attacker must be able to log in to the affected system while the BlackBerry Link remote file access feature is running under a different user account. If the requirements are met for exploitation, an attacker could potentially gain access to, read, or modify data from the BlackBerry Link remote file access folder of the user account under which the BlackBerry Link’s remote file access feature is running. After installing the recommended software update, affected BlackBerry Link customers will be fully protected from this vulnerability.
- BlackBerry Link users
- IT administrators who deploy BlackBerry Link in an enterprise
- BlackBerry Link users
- IT administrators who deploy BlackBerry Link in an enterprise
What is BlackBerry Link?
BlackBerry Link allows customers to manage and sync content between BlackBerry 10 devices and their computer. For more information about BlackBerry Link, visit http://www.blackberry.com/blackberrylink.
Have any BlackBerry customers been subject to an attack that exploits this vulnerability?
BlackBerry is not aware of any attacks targeting BlackBerry customers using this vulnerability.
What factors affected the release of this security advisory?
This advisory addresses a publicly known vulnerability. BlackBerry publishes full details of a software update in a security advisory after the fix is available to the majority of our customers. Publishing this advisory ensures that all of our customers can protect themselves by updating their software, or employing available workarounds if updating is not possible.
Where can I read more about the security of BlackBerry products and solutions?
For more information on BlackBerry security, visit http://us.blackberry.com/business/topics/security.html.
BlackBerry has issued a fix for this vulnerability, which is included in BlackBerry Link for Windows version 126.96.36.199 and BlackBerry Link for Mac OS version 1.1.1 (build 39). These software updates resolve this vulnerability in affected versions of BlackBerry Link. Update BlackBerry Link for Windows to software version 188.8.131.52 or later or BlackBerry Link for Mac OS to version 1.1.1 (build 39) to be fully protected from this issue.
See the Mitigations section of this advisory for information on how to manage potential risk if updating is not possible at this time.
A vulnerability exists in the Peer Manager component of affected BlackBerry Link versions. BlackBerry Link allows customers to manage and sync content between BlackBerry 10 devices and their computer; Peer Manager is the component of BlackBerry Link that provides remote file access. The BlackBerry Link Peer Manager uses WebDAV to provide access to user data. This allows a local user, using their smartphone, to access user data from the specified remote file access folder(s) on the computer. There are three potential scenarios for this vulnerability:
Local Elevation of Privilege
In multi-user systems, the remote file access folder belonging to the account that Peer Manager is running under can be accessible to other accounts on the system.
Successful exploitation of this attack scenario could result in a local lower privileged user accessing user data belonging to the higher privileged account that Peer Manager is running under.
In order to exploit this vulnerability, a lower privileged user must log into their account on a system on which a higher privileged user has previously logged in, resulting in Peer Manager running under the higher privileged user.
Remote Code Execution
Successful exploitation of this attack scenario could result in a remote attacker accessing data belonging to a user’s remote file access folder, with the rights of the user’s account.
In order to exploit this vulnerability, an attacker must persuade a local user to click on a specifically crafted link or access a webpage containing maliciously crafted code.
Remote Code Execution with Local Elevation of Privilege
In multiuser systems, the remote file access folder belonging to the account that Peer Manager is running under can be accessible to other accounts.
Successful exploitation of this attack scenario could result in a remote attacker persuading a lower privileged user to access data belonging to the higher privileged account that Peer Manager is running under.
In order to exploit this vulnerability, an attacker must persuade a lower privileged local user to click on a specifically crafted link or access a webpage containing maliciously crafted code while the user is logged into their account on a machine on which a higher privileged user has previously logged in, resulting in Peer Manager running under the higher privileged user account.
This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 6.8. View the linked CVE identifier for a description of the security issue that this security advisory addresses: CVE-2013-3694.
Mitigations are existing conditions that a potential attacker would need to overcome to mount a successful attack or that would limit the severity of an attack. Examples of such conditions include default settings, common configurations and general best practices.
The elevation of privilege attack scenario for this issue is mitigated in systems that do not support multiple users, and it is further mitigated by the requirement that the attacker must have valid local login credentials.
Remote code execution attack scenarios for this issue are mitigated for all customers by the prerequisite that the attacker must persuade the customer to access the maliciously crafted link or visit a webpage containing maliciously crafted code.
In order to exploit this vulnerability, an attacker must know the IPv6 address generated upon Peer Manager startup.
Remove the remote file sharing directory in Link
Users who cannot upgrade BlackBerry Link at this time can remove the folder that is accessed when remote file sharing is installed.
Note: For affected users running BlackBerry Link for Windows or BlackBerry Link for Mac OS versions prior to 1.1, skip to step 4.
- On your computer, open BlackBerry Link.
- Access the Remote File Access settings:
- In version 1.1, at the bottom of the screen, click your computer, then click the Settings icon. In the Settings view, click Remote File Access.
- In version 1.2, at the side of the screen, click your computer, then click Remote File Access.
- Click the X beside the folder specified in the Share the following folders with remote devices field.
- Check that the folder name (e.g., \Users\username) is not in the folder_config.xml file. This file can be located in the following locations:
- On systems running Microsoft Windows: %AppData%\Research In Motion\BlackBerry 10 Desktop\RemoteAccess\nginx\conf\folder_config.xml
- On systems running Mac OS: ~/Library/Application Support/BlackBerry Link/RemoteAccess/nginx/conf/folder_config.xml
When the workaround is applied, customers will be unable to remotely access files on their computer from their BlackBerry 10 device.
Uninstall BlackBerry Link
Users who cannot upgrade BlackBerry Link at this time can uninstall the software.
Uninstalling BlackBerry Link for Windows
For instructions to uninstall BlackBerry Link, consult the following knowledgebase articles:
- For Microsoft Windows XP: http://support.microsoft.com/kb/307895
- For Microsoft Windows 7: http://windows.microsoft.com/en-ca/windows/uninstall-change-program#uninstall-change-program=windows-7
- For Microsoft 8: http://www.microsoft.com/surface/en-ca/support/apps-and-windows-store/install-apps-and-programs
Uninstalling BlackBerry Link for Mac OS
For instructions to uninstall BlackBerry Link, consult the following knowledgebase article: http://support.apple.com/kb/ph11356
When the workaround is applied, customers will be unable to manage and sync content with their computer using their BlackBerry 10 device.
What is the remote file access folder?
This refers to the root folder specified in the “Share the following folders with remote devices” and its subfolders in the Remote File Access settings in BlackBerry Link. Allowed devices can access the specified folders over a Wi-Fi connection. Visit http://docs.blackberry.com/en/smartphone_users/deliverables/53213/lym1345128370803.jsp for more information about Remote File Access.
Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities maintained by the MITRE Corporation.
CVSS is a vendor agnostic, industry open standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency for update deployment within an organization. CVSS scores can range from 0.0 (no vulnerability) to 10.0 (critical). BlackBerry uses CVSS in vulnerability assessments to present an immutable characterization of security issues. BlackBerry assigns all relevant security issues a non-zero score. Customers performing their own risk assessments of vulnerabilities that may impact them can benefit from using the same industry-recognized CVSS metrics.
By downloading, accessing or otherwise using the Knowledge Base documents you agree:
(b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.
Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.