ESB-2017.2916 - [BlackBerry] BlackBerry: Multiple vulnerabilities 2017-11-16


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2916
        QNX-2017-001 Multiple vulnerabilities impact BlackBerry QNX
                       Software Development Platform
                             16 November 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BlackBerry
Publisher:         BlackBerry
Operating System:  BlackBerry Device
Impact/Access:     Increased Privileges     -- Existing Account
                   Modify Arbitrary Files   -- Existing Account
                   Access Confidential Data -- Existing Account
                   Reduced Security         -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-9371 CVE-2017-9369 CVE-2017-3893
                   CVE-2017-3892 CVE-2017-3891 

Original Bulletin: 
   http://support.blackberry.com/kb/articleDetail?articleNumber=000046674

---------------------------BEGIN INCLUDED TEXT--------------------

QNX-2017-001 Multiple vulnerabilities impact BlackBerry QNX Software 
Development Platform

Article Number: 000046674 
First Published: November 14, 2017 
Last Modified: November 14, 2017 
Type: Security Advisory

Overview

This advisory addresses multiple vulnerabilities that have been discovered in
the BlackBerry QNX Software Development Platform (QNX SDP). BlackBerry QNX is
not aware of any exploitation of these vulnerabilities. Customer risk is 
limited for the most severe vulnerability by the requirement that an attacker
must first gain access to a secondary QNX QNet node. Successful exploitation 
of the most severe vulnerability requires an attacker to execute commands 
targeting arbitrary nodes from a secondary QNX QNet node. If the requirements
for exploitation of the most severe vulnerability are met, an attacker could 
potentially gain access to local and remote files or take ownership of files 
on other QNX nodes, regardless of permissions. After installing the 
recommended software update, affected customers will be fully protected from 
this vulnerability.

Who Should Read This Advisory?

Developers and project managers who develop or maintain BlackBerry QNX-based 
systems

Who Should Apply The Software Fix(es)?

Developers and project managers who develop or maintain BlackBerry QNX-based 
systems

More information

Have any BlackBerry QNX customers been subject to an attack that exploits 
these vulnerabilities?

BlackBerry QNX is not aware of any attacks targeting BlackBerry QNX customers
using these vulnerabilities.

What factors affected the release of this security advisory?

This advisory addresses privately disclosed vulnerabilities. BlackBerry QNX 
publishes full details of a software update in a security advisory after the 
fix is available to our customers. Publishing this advisory ensures that our 
customers can protect themselves by updating their software, or employing 
available workarounds if updating is not possible.

Where can I read more about the security of BlackBerry QNX products and 
solutions?

For more information on BlackBerry QNX security, visit 
http://blackberry.qnx.com/en/products/neutrino-rtos/neutrino-rtos#technology

Affected Products and Resolutions

Read the following to determine if the version of QNX SDP deployed in your 
product is affected.

Affected Products

The following table outlines the affected versions for each vulnerability:

CVE 		Affected Versions of QNX SDP

CVE-2017-3891	6.6.0

CVE-2017-3892	6.6.0

CVE-2017-3893	6.6.0

CVE-2017-9369	6.6.0
		6.5.0 SP1 and earlier

CVE-2017-9371	6.6.0
		6.5.0 SP1 and earlier

Non Affected Products

The following table outlines the versions for each vulnerability that are 
either fixed or were not affected:

CVE 		Fixed or Not Affected Versions of QNX SDP

CVE-2017-3891	7.0.0 and later
		6.5.0 SP1 and earlier

CVE-2017-3892	7.0.0 and later
		6.5.0 SP1 and earlier

CVE-2017-3893	7.0.0 and later
		6.5.0 SP1 and earlier

CVE-2017-9369	7.0.0 and later

CVE-2017-9371	7.0.0 and later

Resolution

BlackBerry QNX has issued a fix for these vulnerabilities, which is included in
QNX SDP version 7.0.0 and later. This software update resolves the 
vulnerabilities on affected versions. To be fully protected from these issues, 
affected customers should update to QNX SDP version 7.0.0 or later. View the 
release notes on the BlackBerry QNX download center for instructions to deploy
the fix. Customers running an affected version who cannot update at this time
should apply an available workaround. See the Workarounds section of this 
advisory for details.

Vulnerability Information

Multiple vulnerabilities exist in affected versions of the QNX SDP.

CVE-2017-3891 Elevation of privilege vulnerability

A vulnerability exists in the Qnet protocol of affected versions of the QNX 
SDP. The Qnet protocol extends inter-process communications transparently over
a network of microkernels.

In order to exploit this vulnerability, an attacker must execute commands 
targeting arbitrary QNet nodes from a secondary QNet node running version 
6.6.0.

Successful exploitation of this vulnerability could result in an attacker 
gaining access to local and remote files or taking ownership of files on other
QNet nodes, regardless of permissions.

CVE-2017-3892 Information disclosure vulnerability

A vulnerability exists in the procfs system service of affected versions of 
the QNX SDP. The procfs service is a resource manager responsible for managing
process information.

In order to exploit this vulnerability, an attacker must execute commands 
targeting procfs resources.

Successful exploitation of this vulnerability could result in an attacker 
gaining information relating to memory layout that could be used in a blended
attack.

CVE-2017-3893 Incomplete vulnerability mitigations

Multiple incomplete vulnerability mitigations exist in the memory corruption 
protection, RELRO, and ASLR security features of affected versions of the QNX
SDP.

In order to exploit the most severe weakness, an attacker must successfully 
execute a buffer overflow attack against certain memory structures.

Successful exploitation of the most severe weakness as part of a blended 
attack could result in an attacker being able to overwrite the contents of 
these tables to cause arbitrary function calls.

CVE-2017-9369 Information disclosure across privilege barriers

An information disclosure vulnerability exists in the default configuration of
the setuid binaries in affected versions of the QNX SDP.

In order to exploit this vulnerability, an attacker who has access to a system
shell must successfully manipulate environment variables that influence the 
loader.

Successful exploitation of this vulnerability could result in an attacker 
gaining information relating to memory layout of higher privileged processes.

CVE-2017-9371 Random number service used deprecated algorithm

The random number service used an older algorithm and may have been subject to
input-based attacks.

In order to exploit this vulnerability, an attacker would need control over 
environmental factors that influence seed generation.

Successful exploitation of this vulnerability could result in an attacker 
being able to reduce the entropy of the PRNG and this could make other blended
attacks more practical.

This advisory addresses multiple vulnerabilities, the most severe of which has
a Common Vulnerability Scoring System (CVSSv3) score of 9.6. View the linked 
Common Vulnerabilities and Exposures (CVE) identifiers for a description of the
security issues that this security advisory addresses.

CVE identifier CVSSv3 score

CVE-2017-3891 9.6

CVE-2017-3892 3.8

CVE-2017-3893 1.9

CVE-2017-9369 3.8

CVE-2017-9371 2.6

Mitigations

Mitigations are existing conditions that a potential attacker would need to 
overcome to mount a successful attack or that would limit the severity of an 
attack. Examples of such conditions include default settings, common 
configurations, and general best practices.

CVE-2017-3891 is completely mitigated for network configurations that do not 
support multiple QNet nodes.

CVE-2017-3891 is mitigated in configurations with multiple QNet nodes by the 
requirement that an attacker must gain access to a secondary QNet node or 
physical access to the network.

CVE-2017-3892 is completely mitigated on systems that do not allow shell or 
debug access.

CVE-2017-3892 is mitigated by the requirement that an attacker must gain 
access to the shell or the QNX debug service.

CVE-2017-3893 is mitigated by the requirement that an attacker must make a 
successful blended attack to exploit this weakness.

CVE-2017-9369 is completely mitigated on systems that do not allow shell 
access.

CVE-2017-9369 is mitigated by the requirement that an attacker must have access
to a system shell.

CVE-2017-9371 is mitigated by the presence of multiple entropy sources 
contributing to PRNG seeding.

Workarounds

Workarounds are settings or configuration changes that a user or administrator
can apply to help protect against an attack. BlackBerry QNX recommends that 
all users apply the available software update to fully protect their system. 
All workarounds should be considered temporary measures for customers to apply
if they cannot install the update immediately or must perform standard testing
and risk analysis. BlackBerry QNX recommends that customers who are able to do
so install the update to secure their systems.

For CVE-2017-3891

Developers, project managers, and administrators can prevent this attack by 
disabling QNet if it is not required. If QNet is required, it should be 
deployed in physically secure conditions and on air-gapped networks. 
Instructions for the configuration of QNet can be found in the documentation 
located in the QNX download center.

Additionally, developers and project managers who develop or maintain 
QNX-based systems should ship only required utilities on production targets, 
avoiding system utilities that allow management of OS features that allow 
reconfiguration.

For CVE-2017-3892

Developers, project managers, and administrators of production systems can 
limit non-root access to critical /proc virtual file system resources by 
setting the procnto '-u' option. Instructions to set this option can be found
in the Utilities reference documentation:

For QNX SDP 6.5.0: 
http://www.qnx.com/developers/docs/6.5.0/index.jsp?topic=%2Fcom.qnx.doc.neutrino_utilities%2Fp%2Fprocnto.html&cp=13_12_18_56

For QNX SDP 6.6.0: 
http://www.qnx.com/developers/docs/6.6.0.update/com.qnx.doc.neutrino.utilities/topic/p/procnto.html

When this workaround is deployed, non-root pidin will no longer display 
information on processes other than itself.

For CVE-2017-3893

There are no workarounds for these weaknesses.

For CVE-2017-9369

Developers and project managers can prevent this attack by updating the 
runtime libraries specified in the release notes to the latest version. View 
the release notes on the BlackBerry QNX download center for instructions. 
Additionally, system developers should avoid deploying unnecessary 
command-line functionality on released systems as good practice.

For CVE-2017-9371

There are no workarounds for this weakness.

Definitions

CVE

Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (CVE
Identifiers) for publicly known information security vulnerabilities, maintained
by the MITRE Corporation.

CVSS

CVSS is a vendor-agnostic, industry open standard designed to convey the 
severity of a vulnerability. CVSS scores may be used to determine the urgency 
for update deployment within an organization. CVSS scores can range from 0.0 
(no vulnerability) to 10.0 (critical). BlackBerry QNX uses CVSSv3 in 
vulnerability assessments to present an immutable characterization of security
issues. BlackBerry QNX assigns all relevant security issues a non-zero score.
Customers performing their own risk assessments of vulnerabilities that may 
impact them can benefit from using the same industry-recognized CVSS metrics.

RELRO

Read-only relocations, a security feature that ensures a process's data 
section is unmodifiable.

GOT

Global offset table. Holds the resolved addresses of external functions and 
data that a program or shared library references.

PLT

Procedure linkage table. Contains an entry for each external function called 
from a shared library.

PRNG

Pseudorandom number generator. An algorithm for generating a sequence of 
numbers whose properties approximate the properties of sequences of random 
numbers.

Acknowledgements

BlackBerry QNX thanks and credits Jos Wetzels of Midnight Blue for the 
discovery of these issues.

Change Log

11-14-2017

Initial publication

---------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================