ESB-2018.0747 - [Win][Linux][Mac] BlackBerry UEM Management Console: Cross-site scripting - Remote with user interaction 2018-03-14

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0747
         Reflected XSS fixed in BlackBerry UEM Management Console
                               14 March 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BlackBerry UEM Management Console
Publisher:         BlackBerry
Operating System:  Windows
                   Linux variants
                   Mac OS
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-17442  

Original Bulletin: 
   http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber=000048073

- --------------------------BEGIN INCLUDED TEXT--------------------

BSRT-2018-001 Vulnerability in UEM Management Console impacts UEM

Article Number: 000048073
First Published: March 13, 2018
Last Modified: March 13, 2018
Type: Security Advisory

Overview

This advisory addresses a reflected cross-site scripting vulnerability that has
been discovered in UEM. BlackBerry is not aware of any exploitation of this
vulnerability. BlackBerry customer risk is limited by the requirement that an
attacker possess knowledge of the internal network and by the inability of an
attacker to force exploitation of the vulnerability without customer
interaction. Successful exploitation requires that an attacker craft a malicious
link and that a user with Management Console access click on the malicious
link. If the requirements are met for exploitation, an attacker could
potentially execute script commands in the context of a UEM Management Console
user account. After installing the recommended software update, affected
customers will be fully protected from this vulnerability.


Who Should Read This Advisory?

UEM administrators

More information

Have any BlackBerry customers been subject to an attack that exploits this
vulnerability?
BlackBerry is not aware of any attacks targeting BlackBerry customers using
this vulnerability.

What factors affected the release of this security advisory?
This advisory addresses a privately disclosed vulnerability. BlackBerry
publishes full details of a software update in a security advisory after
the fix is available to our customers. Publishing this advisory ensures
that all of our customers can protect themselves by updating their
software.

Where can I read more about the security of BlackBerry products and
solutions?

For more information on BlackBerry security, visit www.blackberry.com/security
and www.blackberry.com/bbsirt.

Affected Products and Resolutions

Read the following to determine if your UEM installation is affected.


Affected Products

UEM version 12.7.1 and earlier.

Non Affected Products

UEM version 12.7.2 and later.

Resolution

BlackBerry has issued a fix for this vulnerability, which is included in
BlackBerry UEM 12.7.2 and later. This software update resolves this
vulnerability on affected versions. To be fully protected from this issue,
affected customers should update to BlackBerry UEM version 12.7.2 or later.
Visit the BlackBerry UEM download page to download upgrades or maintenance
releases: https://swdownloads.blackberry.com/Downloads/entry.do?code
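The affected/non-affected boundary above (12.7.1 and earlier affected, 12.7.2 and later fixed) is easy to get wrong when versions are compared as strings, because "12.7.10" sorts before "12.7.2" lexically. The following is an added example, not BlackBerry's or AusCERT's code, of a numeric version comparison for triaging an inventory of UEM servers against this advisory; the inventory format (hostname to version string) and the hostnames are constructed for illustration.

```python
import re

# Threshold taken from the advisory: UEM 12.7.2 and later carry the fix.
FIXED_IN = (12, 7, 2)


def parse_version(text: str) -> tuple:
    """Turn a dotted version such as '12.7.1' or '12.7.1.8' into a tuple of ints.

    Comparing the tuples compares each numeric component in turn, so
    (12, 7, 10) > (12, 7, 2), which a plain string comparison gets wrong.
    """
    match = re.fullmatch(r"\s*(\d+(?:\.\d+)*)\s*", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version_text: str) -> bool:
    """True if this UEM version predates the 12.7.2 fix described in the advisory."""
    return parse_version(version_text) < FIXED_IN


def triage(inventory: dict) -> list:
    """Given {hostname: version}, return the hosts that still need the update."""
    return sorted(host for host, version in inventory.items() if is_affected(version))


if __name__ == "__main__":
    # Constructed inventory for illustration; these are not real hosts.
    servers = {"uem-syd-01": "12.7.1", "uem-syd-02": "12.7.2", "uem-bne-01": "12.7.10"}
    print("needs update:", triage(servers))
```

Note that the string comparison `"12.7.10" < "12.7.2"` evaluates to True in Python, which would wrongly report a patched 12.7.10 server as affected; the tuple comparison avoids that.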

Vulnerability Information

A vulnerability exists in the UEM Management Console of affected versions of
UEM. The Management Console is a web interface that allows administrators and
users to manage enterprise-activated devices. Users can only manage their own
devices.

In order to exploit this vulnerability, an attacker must first know the URL of
the UEM Management Console on the internal network and then craft a malicious
link containing script commands. An attacker must then persuade a user with
legitimate access to the Management Console to click on the link.

Successful exploitation of this vulnerability could result in an attacker
executing script commands in the context of the affected UEM Management Console
account.

description of the security issue that this security advisory addresses.

CVE identifier     CVSSv3 score
CVE-2017-17442     5.9
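The advisory describes the class of bug (a reflected cross-site scripting flaw: a value from a crafted link is echoed into the console's HTML without encoding) but not the affected parameter or code. The following is an added example, not BlackBerry's code and not the UEM implementation, showing the generic pattern beside its hardened form: the parameter name `q`, the page template and the hostname `uem.example.internal` are assumptions for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit


def reflected_param(url: str, name: str = "q") -> str:
    """Return the named query parameter from a URL, already percent-decoded."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_unsafe(value: str) -> str:
    """Reflected XSS pattern: untrusted input concatenated into HTML verbatim.

    Any '<' in the value becomes a tag boundary in the page the user's browser
    renders, so script in the link runs with that user's console session.
    """
    return f"<p>Results for: {value}</p>"


def render_safe(value: str) -> str:
    """Hardened form: HTML-encode the value for the element-content context.

    html.escape turns < > & and (with quote=True) quotes into entities, so the
    browser displays the text instead of parsing it as markup.
    """
    return f"<p>Results for: {html.escape(value, quote=True)}</p>"


def survives_as_markup(rendered: str, value: str) -> bool:
    """True if a value containing a tag opener reached the page unencoded."""
    return "<" in value and value in rendered


# Constructed crafted link of the kind the advisory describes (illustrative host).
CRAFTED_URL = (
    "https://uem.example.internal/admin/search"
    "?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
)

if __name__ == "__main__":
    value = reflected_param(CRAFTED_URL)
    print("unsafe :", render_unsafe(value))
    print("safe   :", render_safe(value))
```

Encoding must match the output context: `html.escape` is correct for element content and quoted attribute values, but a value placed inside a script block, a URL, or an unquoted attribute needs a context-specific encoder instead.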

Mitigations

Mitigations are existing conditions that a potential attacker would need to
overcome to mount a successful attack or that would limit the severity of
an attack. Examples of such conditions include default settings, common
configurations, and general best practices.

This issue is mitigated for all customers by the prerequisite that an
attacker must persuade a user with access to the Management Console to
click a maliciously crafted link. An attacker cannot force the user to
click the link or bypass the requirement that the user chooses to click the
link. BlackBerry recommends that users do not click links in emails
received from untrusted sources or within webpages they are otherwise
directed to by untrusted sources.

This issue is further mitigated by the prerequisite that an attacker must
have knowledge of the internal network.

Further, script commands are able to carry out actions within the context
of the Management Console only and not the underlying system or database.
Finally, the script execution is restricted to the context of the targeted
victim's account permissions in the Management Console.

Workarounds

Workarounds are settings or configuration changes that a user or
administrator can apply to help protect against an attack. BlackBerry
recommends that all users apply the available software update to fully
protect their system.

There are no workarounds for this vulnerability; however, BlackBerry
recommends that UEM administrators and users should only access the
Management Console via known trusted sources (such as the direct URL or
user-created bookmarks) and not by using any links supplied by untrusted
sources.
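Until the update is applied, the two conditions BlackBerry relies on above (a crafted link carrying script, and a user arriving at the console from somewhere other than a direct URL or bookmark) are both visible in the web server's access log. The following is an added example, not part of the advisory and not a BlackBerry tool, of a small scanner over combined-format access log lines that flags console requests whose decoded query string contains markup or script indicators, or whose Referer is a host other than the console itself. The console path prefix `/admin/`, the trusted host `uem.example.internal`, and the log lines are all constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Assumptions for illustration: where the console lives and which Referer hosts
# count as "direct" access. Adjust both to the real deployment.
CONSOLE_PREFIX = "/admin/"
TRUSTED_REFERER_HOSTS = {"uem.example.internal"}

# Combined log format: ip ident user [ts] "METHOD target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators checked after percent-decoding: a tag opener followed by a letter
# (so "price<100" is not flagged), a javascript: URL, or an inline event handler.
XSS_RE = re.compile(r"<\s*/?[a-z]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def parse_line(line: str):
    """Parse one access log line into a dict, or None if it does not match."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def decode_query(target: str) -> str:
    """Percent-decode the query string of a request target."""
    return unquote_plus(urlsplit(target).query)


def classify(entry: dict) -> list:
    """Return the reasons a console request is suspicious (empty list if none)."""
    reasons = []
    if not entry["target"].startswith(CONSOLE_PREFIX):
        return reasons
    if XSS_RE.search(decode_query(entry["target"])):
        reasons.append("script-like query")
    referer = entry["referer"]
    if referer not in ("", "-"):
        host = urlsplit(referer).hostname or ""
        if host not in TRUSTED_REFERER_HOSTS:
            reasons.append(f"external referer {host}")
    return reasons


def scan(lines) -> list:
    """Return (ip, target, reasons) for every flagged console request."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append((entry["ip"], entry["target"], reasons))
    return findings


# Constructed sample log lines; hosts, users and addresses are not real.
SAMPLE_LOG = [
    '10.0.0.5 - admin1 [13/Mar/2018:10:15:02 +1000] "GET /admin/search?q=reports HTTP/1.1" '
    '200 1832 "https://uem.example.internal/admin/" "Mozilla/5.0"',
    '10.0.0.5 - admin1 [13/Mar/2018:10:15:30 +1000] "GET /admin/search?q=price%3C100 HTTP/1.1" '
    '200 1790 "-" "Mozilla/5.0"',
    '10.0.0.9 - admin2 [13/Mar/2018:10:16:44 +1000] '
    '"GET /admin/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" '
    '200 1910 "https://webmail.example.com/inbox" "Mozilla/5.0"',
    '10.0.0.7 - - [13/Mar/2018:10:17:01 +1000] "GET /static/app.js HTTP/1.1" '
    '200 51200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target, reasons in scan(SAMPLE_LOG):
        print(ip, target, "; ".join(reasons))
```

An external Referer on its own is only a weak signal (a legitimate intranet portal may link to the console), so it is reported as a reason rather than treated as an alert by itself; a console request that carries both indicators is the case worth looking at first.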

More information

Are BES10 and BES5 affected by this vulnerability?
No.

Change Log

03-13-2018
Initial publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================