BSRT-2014-003 Vulnerability in qconnDoor service affects BlackBerry 10 smartphones

Article ID: KB35816

Type: BlackBerry Security Advisory

First Published: 04-08-2014

Last Modified: 04-08-2014

Product(s) Affected:

  • BlackBerry 10
  • Porsche Design P'9982 smartphone from BlackBerry
  • BlackBerry Z30
  • BlackBerry Z10
  • BlackBerry Q10
  • BlackBerry Q5

Overview

This advisory addresses a remote code execution vulnerability that is not currently being exploited but affects BlackBerry® 10 smartphone customers. BlackBerry® customer risk is limited by the inability of a potential attacker to force exploitation of the vulnerability without significant customer interaction or having physical access to the smartphone. Successful exploitation requires an attacker to send a specially crafted message over a Wi-Fi® network to the qconnDoor service on the smartphone and requires that a user enable development mode on a smartphone connected to a Wi-Fi network. In an alternate scenario, successful exploitation requires that an attacker connect the smartphone to a computer using a USB cable before sending the exploit to the qconnDoor service. If the requirements are met for exploitation, an attacker could potentially execute code with the rights of the root user (superuser). After installing the recommended software update, affected BlackBerry 10 smartphone customers will be fully protected from this vulnerability.

Who should read this advisory?
  • BlackBerry 10 smartphone users
  • IT administrators who deploy BlackBerry 10 smartphones in an enterprise

Who should apply the software fix(es)?
  • BlackBerry 10 smartphone users
  • IT administrators who deploy BlackBerry 10 smartphones in an enterprise

More Information

Have any BlackBerry customers been subject to an attack that exploits this vulnerability?
BlackBerry is not aware of any attacks targeting BlackBerry 10 smartphone customers using this vulnerability.

What factors affected the release of this security advisory?
This advisory addresses a publicly known vulnerability. BlackBerry publishes full details of a software update in a security advisory after the fix is available to the majority of our customers and wireless service provider partners. Publishing this advisory ensures that all of our customers can protect themselves by updating their software, or employing available workarounds if updating is not possible. Customers for whom the software update is not yet available should contact their wireless service provider to request BlackBerry® 10 OS version 10.2.0.1055 or later.

Where can I read more about BlackBerry 10 smartphone security?
For more information on security features in BlackBerry 10 smartphones, read the BlackBerry Enterprise Service 10 Security Technical Overview.

Where can I read more about the security of BlackBerry products and solutions?
For more information on BlackBerry security, visit http://us.blackberry.com/business/topics/security.html and www.blackberry.com/bbsirt.

Affected Software and Resolutions

Read the following information to determine if your BlackBerry 10 smartphone is affected.

Affected Software
  • BlackBerry 10 OS versions earlier than version 10.2.0.1055

Non-Affected Software
  • BlackBerry 10 OS version 10.2.0.1055 and later

Are BlackBerry smartphones affected?

Yes; only BlackBerry 10 smartphones are affected.

Resolution

BlackBerry has issued a fix for this vulnerability, which is included in BlackBerry 10 OS version 10.2.0.1055. This software update resolves this vulnerability on affected BlackBerry 10 smartphones. Update BlackBerry 10 smartphone software to version 10.2.0.1055 or later to be fully protected from this issue.
Note: If customers are running a BlackBerry 10 OS earlier than 10.2.0.1055 but do not see a software update notification and the smartphone indicates that the software is up to date, customers should contact their wireless service provider to request BlackBerry 10 OS version 10.2.0.1055 or later.
For information on how to manage potential risk until the software update is available for all customers, see the Mitigations section of this advisory.

Update by Accessing the Software Update Notification

BlackBerry 10 smartphones use notifications to keep customers informed about software updates. When a new software update notification is available, it appears in the Notifications section of the BlackBerry Hub on affected BlackBerry smartphones.

Review the notifications and follow the steps to access the latest software update notification and complete the software update.

Manually Check for Software Updates on BlackBerry 10 smartphone

  1. From the home screen, swipe down from the top of the screen.
  2. Tap Settings, then Software Updates.
  3. Tap Check for Updates.

Customers can also update their BlackBerry smartphone software using BlackBerry® Link. For more information, see the Help documentation for BlackBerry Link.

More Information

How can I find out what version of the OS I am running?

  1. From the home screen, swipe down from the top of the screen.
  2. Tap Settings, then Software Updates.
  3. Tap About, and view the OS Version or Software Release field in the OS settings.

Are new (still in the box) BlackBerry 10 smartphones exposed to this vulnerability?
As long as the customer fully completes the smartphone setup, including the smartphone software update, the user's smartphone will not be affected. During the initial setup process, BlackBerry smartphones will download and install the latest version of the OS available from the customer’s carrier. The fix for this vulnerability is included in all versions of the BlackBerry 10 smartphone software after version 10.2.0.1055.
Note: If customers are running an affected version but do not see a software update notification and their smartphone indicates that the software is up to date, customers should contact their wireless service provider to request BlackBerry 10 OS version 10.2.0.1055 or later.

Does the BlackBerry 10 smartphone force me to update my software?
No, customer action is required to update the software. BlackBerry 10 smartphones use notifications to keep customers informed about software updates and provide instructions for customers to easily install a software update. Customers can also manually check for software updates. For instructions to update customer software, see the Resolution section of this advisory.

Vulnerability Information

A stack-based buffer overflow vulnerability exists in the qconnDoor service supplied with affected versions of BlackBerry 10 OS. The qconnDoor service is used by BlackBerry 10 OS to provide developer access, such as shell and remote debugging capabilities, to the smartphone.

Successful exploitation of this vulnerability could potentially result in an attacker terminating the qconnDoor service running on a user's BlackBerry smartphone. In addition, the attacker could potentially execute code on the user’s BlackBerry smartphone with the privileges of the root user (superuser).

An attacker can exploit this vulnerability in the following ways:

Over Wi-Fi
In order to exploit this vulnerability, an attacker must send a specially crafted message to the qconnDoor service on a smartphone located on the same Wi-Fi network. The smartphone user must have also enabled development mode on the smartphone before an attack.

Over USB
In order to exploit this vulnerability, an attacker must gain physical access to a smartphone and then send a specially crafted message to the qconnDoor service over USB.

This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 7.9. View the linked Common Vulnerabilities and Exposures (CVE) identifier for a description of the security issue that this security advisory addresses.

CVE identifier — CVSS score
CVE-2014-1468 — 7.9

Mitigations

Mitigations are existing conditions that a potential attacker would need to overcome in order to mount a successful attack or that would limit the severity of an attack. Examples of such conditions include default settings, common configurations and general best practices.

This issue is mitigated for all customers by the prerequisite that the attacker must launch an attack either while connected to the same Wi-Fi network as the smartphone user or while having physical access to the smartphone.

The qconnDoor service is not vulnerable to attack over Wi-Fi if development mode is not enabled when the service uses the Wi-Fi network. Development mode is not enabled by default on BlackBerry 10 smartphones. A user would have to enable development mode to be vulnerable to this issue.

Stack-based buffer overflow protections on BlackBerry 10 smartphones can help mitigate against an attacker achieving full control of the BlackBerry 10 smartphone.

The qconnDoor service is not vulnerable if the service is already connected using blackberry-connect before an attacker launches an exploit over Wi-Fi or USB. The blackberry-connect tool available in the BlackBerry Network Development Kit (NDK) provides SSH connectivity to the BlackBerry 10 smartphone.

Workarounds

Workarounds are settings or configuration changes that a user or administrator can apply to help protect against an attack. BlackBerry recommends that all users apply the available software update to fully protect their smartphone. All workarounds should be considered temporary measures for customers to apply if they cannot install the update immediately or must perform standard testing and risk analysis. BlackBerry recommends that customers who are able to do so install the update to secure their smartphone.

A BlackBerry smartphone user with a vulnerable version of the BlackBerry 10 OS can avoid enabling development mode when Wi-Fi is enabled.

Customers who use development mode should disable the Wi-Fi network interface.

Customers who use development mode with the Wi-Fi network interface enabled should connect only to trusted wireless networks.

Users should connect their BlackBerry 10 smartphone over USB only to trusted computers.

More Information

What is qconnDoor?
The qconnDoor service is a network service that runs on some BlackBerry smartphones, including BlackBerry 10 smartphones. The qconnDoor service enables connectivity for remote debugging and developer shell access. When a BlackBerry smartphone has development mode enabled, qconnDoor can use either a Wi-Fi (IEEE 802.11) or USB connection to a computer. When the smartphone has development mode disabled, qconnDoor can only use a USB connection to a computer.
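
For administrators triaging a fleet against the affected versions and the Wi-Fi and USB exposure conditions described in this advisory, the following is an added example (not BlackBerry code) that classifies devices from a constructed inventory. The CSV column names, sample rows and status labels are assumptions; versions are compared numerically because a plain string comparison would rank 10.2.0.424 above 10.2.0.1055.

```python
import csv
import io

# First non-affected BlackBerry 10 OS version, taken from the advisory.
FIXED = (10, 2, 0, 1055)

# Constructed sample inventory; the column names are assumptions,
# not a BlackBerry export format.
SAMPLE_INVENTORY = """device,os_version,dev_mode,wifi
z10-001,10.2.0.424,off,on
q10-002,10.2.0.1055,on,on
z30-003,10.1.0.4633,on,on
q5-004,10.2.1.537,off,on
z10-005,10.2.0.424,on,off
q10-006,unknown,on,on
"""


def parse_version(text):
    """Return a 4-part version as a tuple of ints, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(os_version, dev_mode, wifi):
    """Map one device to the exposure the advisory describes."""
    version = parse_version(os_version)
    if version is None:
        return "unknown-version"  # never assume an unparsable version is patched
    if version >= FIXED:
        return "patched"
    # Wi-Fi reachability requires development mode; USB needs physical access only.
    if dev_mode == "on" and wifi == "on":
        return "affected-wifi-and-usb"
    return "affected-usb-only"


def triage(inventory_csv):
    """Return {device: status} for every row of the inventory."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["device"]: classify(r["os_version"], r["dev_mode"], r["wifi"])
            for r in rows}


if __name__ == "__main__":
    for device, status in triage(SAMPLE_INVENTORY).items():
        print(f"{device}: {status}")
```

Devices reported as affected-wifi-and-usb are the ones to update or take out of development mode first; unknown-version entries need a manual check of the OS Version field.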

Definitions

CVE
Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities maintained by the MITRE Corporation.

CVSS
CVSS is a vendor agnostic, industry open standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency for update deployment within an organization. CVSS scores can range from 0.0 (no vulnerability) to 10.0 (critical). BlackBerry uses CVSS in vulnerability assessments to present an immutable characterization of security issues. BlackBerry assigns all relevant security issues a non-zero score. Customers performing their own risk assessments of vulnerabilities that may impact them can benefit from using the same industry-recognized CVSS metrics.

Acknowledgements

This vulnerability was discovered by David Gullasch, Max Moser, and Martin Schobert of modzero, who assisted BlackBerry in identifying the cause of the issue.

Change Log

04-08-2014

Initial publication.
