Date: 10 August 2011
References: ASB-2010.0157.2 ESB-2010.0600 ASB-2010.0175 ESB-2011.0320 ESB-2011.1032
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2011.0062
BlackBerry Enterprise Server vulnerabilities
10 August 2011
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:           BlackBerry Enterprise Server
Operating System:  Windows
                   Netware
                   Linux variants
                   Solaris
                   AIX
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names:         CVE-2011-1167 CVE-2011-0192 CVE-2010-3087
                   CVE-2010-2595 CVE-2010-1205
Member content until: Friday, September 9 2011
Reference:         ASB-2010.0175
                   ASB-2010.0157.2
                   ESB-2011.0320
                   ESB-2010.0600
OVERVIEW
Five vulnerabilities have been found and corrected in BlackBerry
Enterprise Server software. [1]
IMPACT
The vulnerabilities are in the image processing components of the
BlackBerry Enterprise Server software. Specifically, the TIFF and PNG
image processing code is vulnerable and could allow a remote attacker
to execute code without the user needing to click a link, open an
attachment or even view the malicious email or images, because the
server processes the images on the user's behalf. [1]
The attacker could execute code with the permissions of the BlackBerry
Enterprise Server login account. [1]
MITIGATION
RIM has released updated software to correct these vulnerabilities. [1]
REFERENCES
[1] Vulnerabilities in BlackBerry Enterprise Server components that
process images could allow remote code execution
http://blackberry.com/btsc/KB27244
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBTkISP+4yVqjM2NGpAQJD8BAAtObHqSVkE30piGVej/Yr8JA9uyTcUqHH
15uuyR1fqS8MPOA8Itf8z4N1hk0Fa6Y641dwAOaHFYG7W0wgMJODodyBO4goVCIt
hBtAKngl/T01E2kHjruvhTV6APRVxc4AuzvBtP58OzzxdBoLEf7UH/P94Bb2Fhfb
pBat4WZz5we1xJAkPbsg/YXdE1iLOxKBWvz3kaC3yRQB0sIDCPYmAYEk787U7rPf
AYR3Rhhe2s+AYIjPjmZMBqf89UWkoVkEz09wh2+fq1QWkz3o9KYOsYIalMR2LZqn
5K5YrWLMcRq0D++rdkhRiXdE8IyCbajacjh/bP+DtoYGz+zg9lglruw5TQ+2SgrO
C4cv3ejijonAVjUDXICSdDXa/v/7hdQJn9jk4rSSPStl9cDYUwgDYYUkLg28fvxt
XC2vDyfVpYJENyLvDV0al4kapE6e+oOR2WWAMvbNMRmbqNPeGbFKft+IbYwwIQPJ
oMa5tQNluQoqnsv6x7aHg+VuIlRy5DxRdl6Owcbmj79sLfUYHoAmT0kVpE5/aBKw
6mJ2YfIVGqvudOPS07Upw9I9ahC6/pAHnohTsSkw53XKDUMPmSirsEmUOjszaiAc
FEdbD5boPOEJNFqbWbPSUCwwxDzDxcS+itpwYoAGLclbuCXVBnmV2Vhm+J/VfslM
pQRuiSMHAHo=
=7tAE
-----END PGP SIGNATURE-----