ASB-2011.0062 - ALERT [Win][Netware][Linux][Solaris][AIX] BlackBerry Enterprise Server: Execute arbitrary code/commands - Remote/unauthenticated

Date: 10 August 2011
References: ASB-2010.0157.2  ESB-2010.0600  ASB-2010.0175  ESB-2011.0320  ESB-2011.1032  


===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2011.0062
               BlackBerry Enterprise Server vulnerabilities
                              10 August 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              BlackBerry Enterprise Server
Operating System:     Windows
                      Netware
                      Linux variants
                      Solaris
                      AIX
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2011-1167 CVE-2011-0192 CVE-2010-3087
                      CVE-2010-2595 CVE-2010-1205 
Member content until: Friday, September 9 2011
Reference:            ASB-2010.0175
                      ASB-2010.0157.2
                      ESB-2011.0320
                      ESB-2010.0600

OVERVIEW

        Five vulnerabilities have been found and corrected in BlackBerry
        Enterprise Server software. [1]


IMPACT

        The vulnerabilities are in the image processing components of the
        BlackBerry Enterprise Server software. Specifically, the TIFF and PNG
        image processing code is vulnerable and could allow a remote attacker
        to execute code without the user needing to click a link, open an
        attachment, or even view the malicious email or images. [1]
        
        The attacker could execute code with permissions of the BlackBerry
        Enterprise Server login account. [1]


MITIGATION

        RIM has released updated software to correct these vulnerabilities. [1]


REFERENCES

        [1] Vulnerabilities in BlackBerry Enterprise Server components that
            process images could allow remote code execution
            http://blackberry.com/btsc/KB27244

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================