copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ESB-2011.0725 - [Win][Netware][Linux][Solaris][AIX] BlackBerry Enterprise Server: Denial of service - Existing account

Date: 13 July 2011

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.0725
   Vulnerability in a BlackBerry Enterprise Server component could allow
           information disclosure and partial denial of service
                               13 July 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BlackBerry Enterprise Server
Publisher:         RIM
Operating System:  Windows
                   Netware
                   Linux variants
                   Solaris
                   AIX
Impact/Access:     Denial of Service      -- Existing Account
                   Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-0287  

Original Bulletin: 
   http://btsc.webapps.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB27258

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability in a BlackBerry Enterprise Server component could allow 
information disclosure and partial denial of service

Products

Affected Software

This issue affects the BlackBerry Administration Application Programming 
Interface (API) component within the BlackBerry Administration Service 
component of the following software versions:

    BlackBerry Enterprise Server version 5.0.0 for Microsoft Exchange, IBM 
      Lotus Domino and Novell GroupWise (with the BlackBerry Administration 
      API component installed as an option only)
    BlackBerry Enterprise Server Express 5.0.0 for Microsoft Exchange and IBM 
      Lotus Domino  (with the BlackBerry Administration API component installed 
      as an option only) 
    BlackBerry Enterprise Server Express versions 5.0.1, 5.0.2 and 5.0.3 for 
      Microsoft Exchange
    BlackBerry Enterprise Server Express versions 5.0.2 and 5.0.3 for IBM Lotus 
      Domino
    BlackBerry Enterprise Server versions 5.0.1, 5.0.2 and 5.0.3 for Microsoft 
      Exchange and IBM Lotus Domino
    BlackBerry Enterprise Server versions 5.0.1 for GroupWise 

Non Affected Software

    BlackBerry Device Software
    BlackBerry Desktop Software
    BlackBerry Internet Service 

Are BlackBerry smartphones and the BlackBerry Device Software affected?

No.

Issue Severity

This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 
4.8. 

Overview

This advisory describes a security issue in the BlackBerry Administration API 
component. Successful exploitation of the vulnerability could result in 
information disclosure and partial denial of service (DoS).

The BlackBerry Administration API is a BlackBerry Enterprise Server component 
that is installed on the server that hosts the BlackBerry Administration 
Service. The BlackBerry Administration API contains multiple web services that 
receive API requests from client applications. The BlackBerry Administration 
API then translates requests into a format that the BlackBerry Administration 
Service can process.

Who should read this advisory

BlackBerry Enterprise Server administrators.

Who should apply the software fix(es)

BlackBerry Enterprise Server administrators.

Recommendation

Complete the resolution actions documented in this advisory.

Best practices

    Consider installing the BlackBerry Enterprise Server in a segmented 
    network configuration. To configure the BlackBerry Enterprise Solution in 
    a segmented network, you must install each BlackBerry Enterprise Solution 
    component on a computer that is separate from the computers that host other 
    components and then place each computer it its own network segment. A 
    segmented network architecture is designed to isolate attacks and contain 
    them on one computer. See Additional Information, below.

References
CVE Identifier: CVE-2011-0287.

Problem

A vulnerability exists in the BlackBerry Administration API which could allow an 
attacker to read files that contain only printable characters on the BlackBerry 
Enterprise Server, including unencrypted text files. Binary file formats, 
including those used for message storage, are not affected. This vulnerability 
is limited to the user permissions granted to the BlackBerry Administration API 
component.

Impact

Successful exploitation of this issue could allow information disclosure. 
Successful exploitation may also result in resource exhaustion and therefore 
could be leveraged as a partial denial of service (DoS).

Resolution

RIM has issued the following releases and interim security software updates 
that resolve the vulnerability in affected versions of the BlackBerry 
Enterprise Server:

For BlackBerry Enterprise Server Express versions 5.0.1, 5.0.2 and 5.0.3 for 
Microsoft Exchange

    Visit http://www.blackberry.com/go/serverdownloads to obtain the Interim 
    Security Software Update for July 12, 2011 for BlackBerry Enterprise Server 
    Express version 5.0.1 - 5.0.3. 

For BlackBerry Enterprise Server Express version 5.0.2 and 5.0.3 for IBM Lotus 
Domino

    Visit http://www.blackberry.com/go/serverdownloads to obtain Interim 
    Security Software Update for July 12, 2011 for BlackBerry Enterprise Server 
    Express version 5.0.2 and 5.0.3. 

For BlackBerry Enterprise Server versions 5.0.1, 5.0.2 and 5.0.3 for Microsoft 
Exchange and IBM Lotus Domino

    Visit http://www.blackberry.com/go/serverdownloads to obtain Interim 
    Security Software Update for July 12, 2011 for BlackBerry Enterprise Server 
    software version 5.0.1 - 5.0.3. 

For BlackBerry Enterprise Server version 5.0.1 for Novell GroupWise

    Visit http://www.blackberry.com/go/serverdownloads to obtain Interim 
    Security Software Update for July 12, 2011 for BlackBerry Enterprise Server 
    software version 5.0.1. 

If you are using a software version that is not listed above, update to one of 
the listed versions before applying the interim security software update.

Additional Information

What is network segmentation?

The administrator can install the BlackBerry Attachment Service on a remote 
computer and then place that computer on its own network segment to prevent the 
spread of potential attacks from the BlackBerry Attachment Service to another 
computer within your organizations network. In a segmented network, attacks are 
isolated and contained on a single area of the network. Using segmented network 
architecture is designed to improve the security and performance of the 
BlackBerry Attachment Service network segment by filtering out attachment data
that is not destined for other network segments. For more information about 
placing the BlackBerry Enterprise Solution components in a network architecture 
that is segmented to prevent the spread of potential malware attacks, see 
Placing the BlackBerry Enterprise Solution in a Segmented Network.

What is CVE?

Common Vulnerabilities and Exposures (CVE) is a dictionary of common names 
(CVE Identifiers) for publicly known information security vulnerabilities 
maintained by the MITRE corporation.

What is CVSS?

CVSS is a vendor agnostic, industry open standard designed to convey the 
severity of vulnerabilities. CVSS scores may be used to determine the urgency 
for update deployment within an organization. CVSS scores range from 0.0 (no 
vulnerability) to 10.0 (critical). RIM uses CVSS for vulnerability assessments 
to present an immutable characterization of security issues. RIM assigns all 
relevant security issues a non-zero score.

Visit www.blackberry.com/security for more information on BlackBerry security.

Acknowledgements

RIM would like to thank Richard Leach of NGSSecure for his involvement in 
helping to protect our customers.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBTh0KKe4yVqjM2NGpAQKaHQ/+Peu6K7HXYoprhp2X5rGrbcjLkPS0fLw4
VOjqEwWFJFReqXZ7Ll06BUE+AuJCelrqAlLvDf3QotvHx6DORPIg5GsfU+Fs6a6P
FMVjWwGsYC8+dSTCJYsqlVltfpLLUZtENEYcCfkrqKtC/EBdjCbuBXpYtek8+U22
ov2Melsi1zylGQUgV/X83Hnrn2WSJ6XWFaHZg56P2Jva97TaI6MAyDkvYTatZL+Z
tEgUS337JupY5IcaHQ4qcDjuJ1vdzzr2hGhnwmoMXJt68rexpoAnqHcd+geH57Pg
UWsS87g6+DqMJSn53X8pu/KS//VcNzdr0RwUkmx12p1IJZDyqsR34/xW2Qpbt2Oo
mAUp3SJPmHR8W+LoERI5dVYaz4XgbAp6f+B/TUCBcI+2REVzEGKatr8vANd94NBN
4IJ4WovB2JUVT/b32gVbULbXXrNbrly1WRPAwoaEQBnxVePK1Sc1Pp8/m2QozfdI
kxODUuj5B8dcGLjU5vM5WXkNceMbDke8YBABa5sW7azK4GDMVwNJUbMKj68gsymC
j0MA8pb+vnu+pkO2/M9ApfgIQGhcks67qUpo+CZ7kCFAkQ8m+B8mwJO1IuqThbXq
35Tx2HlmaW0SyTA530cukyMNp7NascAoS+uMXZ+DRLyeuqUeQkYg1UF1cA06Eb/u
6njbG04DRc8=
=YThJ
-----END PGP SIGNATURE-----