BSRT-2014-007 Information disclosure vulnerability affects BlackBerry Enterprise Service 10 and BlackBerry Enterprise Server 5.0.4

Article ID: KB36175

Type:   BlackBerry Security Advisory

First Published: 08-12-2014

Last Modified: 08-12-2014


Product(s) Affected:

  • BlackBerry Enterprise Service 10
  • BlackBerry Enterprise Server for Microsoft Exchange
  • BlackBerry Enterprise Server for IBM Domino
  • BlackBerry Enterprise Server for Novell GroupWise
  • BlackBerry Enterprise Server Express for Microsoft Exchange
  • BlackBerry Enterprise Server Express for IBM Domino
Overview
This advisory addresses an information disclosure vulnerability that is not currently being exploited but affects BlackBerry® Enterprise Service 10 and BlackBerry® Enterprise Server 5.0.4 customers. BlackBerry® customer risk is limited by the default access controls on the server. Successful exploitation requires an attacker to gain access to both the server and certain diagnostic logs through either a valid logon or an unrelated compromise of the server. If the requirements are met for exploitation, an attacker could potentially gain and use logged credentials to impersonate a valid user on a local machine or the company’s network. After installing the recommended software update and redacting logs, affected customers will be fully protected from this vulnerability.
Who should read this advisory?
  • BES10 Administrators
  • BES5 Administrators
Who should apply the software fix(es)?
  • BES10 Administrators
  • BES5 Administrators
More Information

Have any BlackBerry customers been subject to an attack that exploits this vulnerability?
BlackBerry is not aware of any attacks targeting BES10 or BES5 customers using this vulnerability.

What factors affected the release of this security advisory?
This advisory addresses a privately disclosed vulnerability. BlackBerry publishes full details of a software update in a security advisory after the fix is available to the majority of our customers. Publishing this advisory ensures that all of our customers can protect themselves by updating their software, or employing available workarounds if updating is not possible.

Where can I read more about the security of BlackBerry products and solutions?
For more information on BlackBerry security, visit http://us.blackberry.com/business/topics/security.html and www.blackberry.com/bbsirt.

Affected Software and Resolutions
Read the following to determine if your BES10 or BES5 installation is affected.
Affected Software
  • BlackBerry Enterprise Service 10 version 10 to 10.2.1
  • BlackBerry® Enterprise Server Express for IBM® Lotus® Domino® v5.0.4
  • BlackBerry Enterprise Server Express for Microsoft® Exchange v5.0.4
  • BlackBerry® Enterprise Server for IBM® Lotus® Domino® v5.0.4 MR 6 and earlier
  • BlackBerry® Enterprise Server for Microsoft® Exchange v5.0.4 MR 6 and earlier
  • BlackBerry® Enterprise Server for Novell® GroupWise® v5.0.4 MR 6 and earlier
Non-Affected Software
  • BlackBerry Enterprise Service 10 version 10.2.2 and later
  • BlackBerry® Enterprise Server Express for IBM® Lotus® Domino® v5.0.4 with Interim Security Update for August 12, 2014
  • BlackBerry Enterprise Server Express for Microsoft® Exchange v5.0.4 with Interim Security Update for August 12, 2014
  • BlackBerry® Enterprise Server for IBM® Lotus® Domino® v5.0.4 MR7 and later
  • BlackBerry® Enterprise Server for Microsoft® Exchange v5.0.4 MR7 and later
  • BlackBerry® Enterprise Server for Novell® GroupWise® v5.0.4 MR7 and later
Are BlackBerry smartphones affected?
No
Resolution

BES10
BlackBerry has issued a fix for this vulnerability, which is included in BlackBerry Enterprise Service version 10.2.2 and later. This software update resolves this vulnerability on affected versions. To be fully protected from this issue, affected customers should update to BlackBerry Enterprise Service software version 10.2.2. Customers should also redact or delete existing logs if they contain domain credentials or shared secrets in an encoded form or in plain text. Visit http://swdownloads.blackberry.com/Downloads/ to download upgrades or maintenance releases. Customers running an affected version who cannot update at this time should apply an available workaround. See the Workarounds section of this advisory for instructions.

BES5
BlackBerry has issued a fix for this vulnerability, which is included in BlackBerry Enterprise Server version 5.0.4 MR7 and BlackBerry Enterprise Server Express v5.0.4 with Interim Security Update for August 12, 2014. This software update resolves this vulnerability on affected versions. To be fully protected from this issue, affected customers should download and install the interim security update. Customers should also redact or delete existing logs if they contain shared secrets in an encoded form or in plain text. Visit http://www.blackberry.com/go/serverdownloads to download the interim security update. Customers running an affected version who cannot update at this time should apply an available workaround. See the Workarounds section of this advisory for instructions.

Vulnerability Information

A vulnerability exists in the implementation of the logging of exceptions encountered during user or session management in affected BES10 and BES5 versions. During rare cases of an exception, certain credentials are logged in an encoded form or in plain text. For BlackBerry Enterprise Server 5, these credentials include shared secrets that are used between the Enterprise Instant Messenger server and device clients to encrypt enterprise instant messages. For BES10, they consist of shared secrets and domain credentials. Typically, only the system administrator would have access to the affected diagnostic logs.
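The defect class described above (an exception handler that writes whatever credential-bearing state it holds into the diagnostic log) is easiest to see in code. The following is an added illustration written for this page, not BES10 or BES5 code: a constructed session-management routine fails, and the same failure is logged once by a handler that dumps its whole working context and once by a handler that logs only an allow-list of troubleshooting fields. The field names, messages and sample values are assumptions.

```python
"""Constructed illustration of credential leakage through exception logging,
beside a hardened handler that logs an allow-list of fields only."""
import base64
import logging
from io import StringIO

# Fields a troubleshooter actually needs; everything else is dropped (assumed list).
LOGGABLE_FIELDS = ("user", "domain", "operation")

# Constructed working context of a failing user/session operation. The shared
# secret is carried base64-encoded, as the advisory notes values may be logged
# "in an encoded form".
SAMPLE_CONTEXT = {
    "user": "jdoe",
    "domain": "CORP",
    "operation": "create_session",
    "password": "Summer2014!",
    "shared_secret": base64.b64encode(b"im-shared-secret").decode(),
    "directory_up": False,
}


def _capture_logger(name):
    """Logger writing to an in-memory buffer so the emitted line can be inspected."""
    buf = StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger, buf


def create_session(context):
    """Stand-in for session management; raises when the directory is unreachable."""
    if context.get("directory_up") is False:
        raise ConnectionError("directory server unreachable")
    return "session-ok"


def no_scrub(context):
    """The defect: the handler logs the full context, credentials included."""
    return context


def allow_list(context):
    """Hardened: keep only known-safe fields. An allow-list also protects against
    new secret-bearing fields that a deny-list of names would not know about."""
    return {k: context[k] for k in LOGGABLE_FIELDS if k in context}


def run_with_logging(context, scrubber):
    """Attempt session creation; on failure log scrubber(context).
    Returns the captured log text so the two variants can be compared."""
    logger, buf = _capture_logger(scrubber.__name__)
    try:
        create_session(context)
        logger.info("session created for %s", context["user"])
    except ConnectionError as exc:
        logger.error("session creation failed: %s context=%r", exc, scrubber(context))
    return buf.getvalue()


if __name__ == "__main__":
    print("vulnerable:", run_with_logging(SAMPLE_CONTEXT, no_scrub))
    print("hardened:  ", run_with_logging(SAMPLE_CONTEXT, allow_list))
```

The vulnerable line is the `%r` of the unfiltered context: any exception path that serialises the object it was working on will carry the password and the encoded shared secret into the log, which matches the "rare cases of an exception" wording above. The hardened handler still records who failed, where, and why, which is what the log is for.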

Shared Secrets

Successful exploitation of this vulnerability could potentially result in an attacker gaining logged shared secrets from the exception log on BlackBerry Enterprise Server or BES10 components. An attacker could use a shared secret to remove encryption on Enterprise Instant Messenger messages.

In order to exploit this vulnerability, an attacker must first access the server through either a valid logon or an unrelated compromise of the server, and then gain access to the exception logs. This access could occur directly, over the adjacent network if the directory were shared, or from an unencrypted backup of the server. In order to remove encryption on enterprise instant messages, the attacker must also gain access to relevant messages, which would require an additional Man-in-the-middle (MitM) attack.

Domain Credentials (BES10 only)

Successful exploitation of this vulnerability could potentially result in an attacker gaining logged domain credentials from the exception log on BES10 components. An attacker could use logged credentials to impersonate a valid user on a local machine or the company’s network.

In order to exploit this vulnerability, an attacker must first access the server through either a valid logon or an unrelated compromise of the server, and then gain access to the logs. This access could occur directly, over the adjacent network if the directory were shared, or from an unencrypted backup of the server.

This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 4.9. View the linked CVE identifier for a description of the security issue that this security advisory addresses.

CVE identifier — CVSS score
CVE-2014-1469 — 4.9

Mitigations

Mitigations are existing conditions that a potential attacker would need to overcome to mount a successful attack or that would limit the severity of an attack. Examples of such conditions include default settings, common configurations and general best practices.

This issue is mitigated for all customers by the prerequisite that the attacker must gain access to the affected diagnostic logs. Typically, only the system administrator would have this access.

Additionally, the logs are historical in nature. As a result, logged information of this type may not be valid at the time that the log is read.

Workarounds

Workarounds are settings or configuration changes that a user or administrator can apply to help protect against an attack. BlackBerry recommends that all users apply the available software update to fully protect their system. All workarounds should be considered temporary measures for customers to apply if they cannot install the update immediately or must perform standard testing and risk analysis. BlackBerry recommends that customers who are able to do so install the update to secure their systems.

Delete or edit the exception log file

Delete the log files used to record the activity of BES10 and BES5 components. This will prevent access to any plain text credentials potentially contained within the logs.

Alternatively, the logs can be edited in Notepad or a similar editor to redact information.

When logs are deleted, administrators will not have access to the files in order to monitor the activity of the server or troubleshoot issues.

BES10

BES10 log files for the BlackBerry Device Service.

Administrators can use the BES10 Log Monitoring Tool (LogMonitor.exe) to monitor the BlackBerry Device Service log files for indications that plain text domain credentials may have been logged. To read more about the Log Monitoring Tool, see http://docs.blackberry.com/en/admin/deliverables/63530/BES_Log_Monitoring_Tool_1766690_11.jsp.

  1. In the Log Monitoring Tool, manually examine the logs for data that could be considered sensitive, including identifiers or credentials logged in an encoded form or in plain text.
  2. In the event that the logs contain data that could be considered sensitive, locate the log files. The default file location for BlackBerry Device Service log files is C:\Program Files\Research In Motion\BlackBerry Device Service\Logs\.
  3. Delete or edit the log files.

For more information about the logs for BES10 components, read the BlackBerry Enterprise Service 10 BlackBerry Device Service Administration Guide.

BES5

  1. Locate the log files. For log file locations, please see Log files for BlackBerry Enterprise Server components.
  2. Manually examine the logs for data that could be considered sensitive, including identifiers or credentials logged in an encoded form or in plain text.
  3. Delete or edit the log files.
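The BES10 and BES5 workaround steps above describe the same manual procedure: examine the log files for identifiers or credentials logged in plain text or in an encoded form, then delete or edit the files. The script below is an added example written for this page, not BlackBerry's code and not part of the Log Monitoring Tool, that automates the examination and the redaction step. The log line shape, the field names it looks for (password, sharedSecret and similar), the sample values and the file names are all constructed assumptions; the advisory does not describe the actual log formats, so the key list and patterns would need to be adapted to the files in the locations given above.

```python
"""Scan log lines for credential material in plain text or base64 form, report
each finding, and write a redacted copy. Constructed example; line shapes, field
names and file names are assumptions, not BES10/BES5 log formats."""
import base64
import re
import string
import tempfile
from pathlib import Path

# Field names treated as credential material (assumption for this example).
SENSITIVE_KEYS = ("password", "passwd", "pwd", "secret", "credential", "token")

# key=value or key: value; the value runs until whitespace, a separator or a quote.
KV_PATTERN = re.compile(
    r"(?P<key>\b\w*(?:" + "|".join(SENSITIVE_KEYS) + r")\w*)\s*[=:]\s*"
    r"(?P<value>[^\s,;\"']+)",
    re.IGNORECASE,
)
# Standalone runs of 16+ base64-alphabet characters with optional padding.
B64_PATTERN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")

PRINTABLE = set(string.printable) - {"\x0b", "\x0c"}
REDACTED = "[REDACTED]"

# Constructed sample log; the sharedSecret value is base64("shared-secret-1234").
SAMPLE_LOG = """\
2014-08-12 10:01:02 [INFO] Session started for user jdoe, sessionId=1a2b3c4d
2014-08-12 10:01:05 [ERROR] Exception in user management: password=Summer2014! domain=CORP
2014-08-12 10:01:06 [ERROR] Shared secret exchange failed: sharedSecret=c2hhcmVkLXNlY3JldC0xMjM0
2014-08-12 10:01:07 [INFO] Heartbeat ok
"""


def decode_if_text(token):
    """Return the decoded text if token is well-formed base64 that decodes to
    printable ASCII, else None. Random bytes and most hex strings fail this."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text and all(ch in PRINTABLE for ch in text) else None


def scan_line(line):
    """Return (kind, field, value) findings for one line. kind is 'plain' or
    'encoded'; field is '<blob>' for a standalone base64 value that decodes to
    readable text but is not attached to a recognised key."""
    findings, spans = [], []
    for m in KV_PATTERN.finditer(line):
        value = m.group("value")
        kind = "encoded" if decode_if_text(value) else "plain"
        findings.append((kind, m.group("key"), value))
        spans.append(m.span("value"))
    for m in B64_PATTERN.finditer(line):
        if any(s <= m.start() < e for s, e in spans):
            continue  # already reported as part of a key=value finding
        if decode_if_text(m.group(0)):
            findings.append(("encoded", "<blob>", m.group(0)))
    return findings


def scan_log(lines):
    """Scan an iterable of lines; return (line_number, kind, field, value) tuples."""
    return [(n, kind, field, value)
            for n, line in enumerate(lines, start=1)
            for kind, field, value in scan_line(line)]


def redact_line(line):
    """Replace every value found by scan_line with a placeholder."""
    for _, _, value in scan_line(line):
        line = line.replace(value, REDACTED)
    return line


def redact_file(src, dst):
    """Write a redacted copy of src to dst and return the number of findings.
    Redacting into a copy lets the original be deleted after review instead of
    being edited in place."""
    count = 0
    with open(src, encoding="utf-8", errors="replace") as fin, \
            open(dst, "w", encoding="utf-8") as fout:
        for line in fin:
            count += len(scan_line(line))
            fout.write(redact_line(line))
    return count


def run_demo():
    """Write the sample log to a temporary file, redact it, and return
    (finding_count, redacted_text)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "component.log"  # constructed file name
        dst = src.with_name("component.redacted.log")
        src.write_text(SAMPLE_LOG, encoding="utf-8")
        count = redact_file(src, dst)
        return count, dst.read_text(encoding="utf-8")


if __name__ == "__main__":
    for number, kind, field, value in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {number}: {kind} credential in field {field}: {value}")
    print(run_demo()[1])
```

Run it against copies of the log files rather than the live files, review the reported findings before trusting the redacted copy, and then delete or replace the originals as the steps above describe. The encoded-value check only recognises base64 that decodes to readable text; values in any other encoding would be missed, which is why the manual examination in step 1 and step 2 should still be done.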
Definitions

CVE
Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities maintained by the MITRE Corporation.

CVSS
CVSS is a vendor agnostic, industry open standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency for update deployment within an organization. CVSS scores can range from 0.0 (no vulnerability) to 10.0 (critical). BlackBerry uses CVSS in vulnerability assessments to present an immutable characterization of security issues. BlackBerry assigns all relevant security issues a non-zero score. Customers performing their own risk assessments of vulnerabilities that may impact them can benefit from using the same industry-recognized CVSS metrics.

Change Log
08-12-2014
Initial publication

Disclaimer

By downloading, accessing or otherwise using the Knowledge Base documents you agree:

   (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and

   (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.


Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.