-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1390
BSRT-2014-006 Vulnerability in file sharing service affects BlackBerry Z10,
       BlackBerry Z30, BlackBerry Q10, and BlackBerry Q5 smartphones
                              14 August 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BlackBerry Z10
                   BlackBerry Z30
                   BlackBerry Q10
                   BlackBerry Q5
Publisher:         BlackBerry
Operating System:  BlackBerry Device
Impact/Access:     Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-1470  

Original Bulletin: 
   www.blackberry.com/btsc/KB36174

- --------------------------BEGIN INCLUDED TEXT--------------------

BSRT-2014-006 Vulnerability in file sharing service affects BlackBerry Z10, 
BlackBerry Z30, BlackBerry Q10, and BlackBerry Q5 smartphones

Article ID: KB36174

Type: BlackBerry Security Advisory

First Published: 08-12-2014

Last Modified: 08-12-2014

Product(s) Affected:

    BlackBerry Z30

    BlackBerry Z10

    BlackBerry Q10

    BlackBerry Q5

Overview

This advisory addresses a file sharing authentication bypass vulnerability 
that affects BlackBerry Z10, BlackBerry Z30, BlackBerry Q10, and BlackBerry Q5
smartphone customers. BlackBerry is not aware of it being exploited. Customer 
risk is limited by the default file sharing settings and by the requirement 
that an attacker have access to the same physical network. Successful 
exploitation requires an attacker to locate and connect to an affected 
smartphone over a Wi-Fi network, and requires that the user has enabled file 
sharing over Wi-Fi. If these requirements are met, an attacker could 
potentially gain access to, read, or modify data on the device. After 
installing the recommended software update, affected BlackBerry 10 smartphone
customers will be fully protected from this vulnerability.

Who should read this advisory?

    BlackBerry 10 smartphone users

    IT administrators who deploy BlackBerry 10 smartphones in an enterprise

Who should apply the software fix(es)?

    BlackBerry 10 smartphone users

    IT administrators who deploy BlackBerry 10 smartphones in an enterprise

More Information

Have any BlackBerry customers been subject to an attack that exploits this 
vulnerability?

BlackBerry is not aware of any attacks targeting BlackBerry 10 smartphone 
customers using this vulnerability.

What factors affected the release of this security advisory?

This advisory addresses a privately disclosed authentication bypass 
vulnerability in the BlackBerry 10 file sharing service. BlackBerry publishes
full details of a software update in a security advisory after the fix is 
available to the majority of our customers and wireless service provider 
partners. Publishing this advisory ensures that all of our customers can 
protect themselves by updating their software, or employing available 
workarounds if updating is not possible. Customers for whom the software 
update is not yet available should contact their wireless service provider to
request BlackBerry 10 smartphone version 10.2.1.1925 or later.

Where can I read more about BlackBerry 10 smartphone security?

For more information on security features in BlackBerry smartphones, read the
BlackBerry Enterprise Service 10 Security Technical Overview.

Affected Software and Resolutions

Read the following information to determine if your BlackBerry 10 smartphone 
is affected.

Affected Software

    BlackBerry 10 OS earlier than version 10.2.1.1925

Non-Affected Software

    BlackBerry 10 OS version 10.2.1.1925 and later

Are BlackBerry smartphones affected?

Yes

Resolution

BlackBerry has issued a fix for this vulnerability, which is included in 
BlackBerry 10 OS version 10.2.1.1925 and later. This software update resolves
the vulnerability on affected versions of BlackBerry 10 smartphones. Update 
BlackBerry 10 smartphone software to version 10.2.1.1925 or later to be fully
protected from this issue.

Note: If customers are running a BlackBerry 10 OS earlier than 10.2.1.1925, 
but do not see a software update notification and the device indicates that 
the software is up to date, customers should contact their wireless service 
provider to request BlackBerry 10 OS version 10.2.1.1925 or later.

For information on how to manage potential risk until the software update is 
available for all customers, see the Mitigations section of this advisory.

Update by Accessing the Software Update Notification

BlackBerry 10 smartphones use notifications to keep customers informed about 
software updates. When a new software update notification is available, it 
appears in the Notifications section of the BlackBerry Hub on affected 
BlackBerry smartphones.

Review the notifications and follow the steps to access the latest software 
update notification and complete the software update.

Manually Check for Software Updates on BlackBerry 10 smartphones

    From the home screen, swipe down from the top of the screen.

    Tap Settings, then Software Updates.

    Tap Check for Updates.

Customers can also update their BlackBerry smartphone software using 
BlackBerry Link. For more information, see the Help documentation for 
BlackBerry Link.

More Information

How can I find out what version of the BlackBerry 10 OS I am running?

    From the home screen, swipe down from the top of the screen.

    Tap Settings, then Software Updates.

    Tap About, and view the OS Version or Software Release field in the OS 
    settings.

Are new (still in the box) BlackBerry 10 smartphones exposed to this 
vulnerability?

As long as the customer fully completes the smartphone setup, including the 
smartphone software update, the smartphone will not be affected. During the 
initial setup process, BlackBerry 10 smartphones download and install the 
latest version of the OS available from the customer's carrier. The fix for 
this vulnerability is included in BlackBerry 10 OS version 10.2.1.1925 and all
later versions.

Note: If customers are running an affected version earlier than 10.2.1.1925 
but do not see a software update notification, and their device indicates 
that the software is up to date, they should contact their wireless service 
provider to request BlackBerry 10 OS version 10.2.1.1925 or later.

Are Z3 smartphones exposed to this vulnerability?

No. The fix for this vulnerability is included in all versions of the Z3 
smartphone software.

Does the BlackBerry 10 smartphone force me to update my software?

No, customer action is required to update the software. BlackBerry 10 
smartphones use notifications to keep customers informed about software 
updates and provide instructions for customers to easily install a software 
update. Customers can also manually check for software updates. For 
instructions to update customer software, see the Resolution section of this 
advisory.

Can a BlackBerry 10 smartphone user update the file sharing service without 
performing a full BlackBerry 10 OS upgrade?

No. The service is provided as an integral part of the BlackBerry 10 OS 
installation, so the service and the OS must be updated together.

Vulnerability Information

A vulnerability that could allow authentication bypass exists in the Wi-Fi 
file sharing service supplied with affected versions of the BlackBerry 10 OS.
This service allows a BlackBerry 10 smartphone to share files from the SD card
and the media folder over a Wi-Fi network.

Successful exploitation of this vulnerability could potentially result in an 
attacker gaining the ability to read, write, or modify data on the device.

In order to exploit this vulnerability, an attacker must connect to an 
affected BlackBerry smartphone's file sharing service over Wi-Fi.

This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 
5.4. View the linked Common Vulnerabilities and Exposures (CVE) identifier for
a description of the security issue that this security advisory addresses.

CVE identifier      CVSS score
- ---------------   ----------
CVE-2014-1470       5.4

Mitigations

Mitigations are existing conditions that a potential attacker would need to 
overcome in order to mount a successful attack or that would limit the 
severity of an attack. Examples of such conditions include default settings, 
common configurations and general best practices.

This issue is mitigated for all customers by the prerequisite that the 
attacker must persuade the customer to turn on file sharing over Wi-Fi or 
locate a customer on the Wi-Fi network who has file sharing over Wi-Fi turned
on. File sharing over Wi-Fi is not enabled by default.

Workarounds

Workarounds are settings or configuration changes that a user or administrator
can apply to help protect against an attack. BlackBerry recommends that all 
users apply the available software update to fully protect their smartphone. 
All workarounds should be considered temporary measures for customers to apply
if they cannot install the update immediately or must perform standard testing
and risk analysis. BlackBerry recommends that customers who are able to do so
install the update to secure their smartphones.

Disabling file sharing over Wi-Fi networks

    On the home screen of your BlackBerry device, swipe down from the top of 
    the screen.

    Tap Settings > Storage and Access.

    Set the Access using Wi-Fi switch to Off.

Once customers have upgraded their BlackBerry 10 OS, they can resume file 
sharing over Wi-Fi.

Restrict users from file sharing over Wi-Fi networks

Administrators who deploy work space only devices and regulated BlackBerry 
Balance devices in their networks can use the Computer Access to Device IT 
policy rule to prevent computers from accessing content on devices using the 
file-sharing option with a Wi-Fi connection. If you set this rule to Disallow,
users cannot connect their devices to BlackBerry Link.

Related best practices

Users should enable Wi-Fi file sharing only while they are connected to 
trusted networks and intend to share files. Users should not enable Wi-Fi file
sharing on their BlackBerry 10 smartphone when they are not actively sharing 
files.

Users should connect their BlackBerry 10 smartphone over USB connections 
to trusted computers only.

More Information

Does setting a unique password for file sharing help protect me against this 
vulnerability?

No, using a password for file sharing is not a workaround for this 
vulnerability.

Definitions

CVE

Common Vulnerabilities and Exposures (CVE) is a dictionary of common names 
(CVE Identifiers) for publicly known information security vulnerabilities 
maintained by the MITRE Corporation.

CVSS

CVSS is a vendor agnostic, industry open standard designed to convey the 
severity of vulnerabilities. CVSS scores may be used to determine the urgency
for update deployment within an organization. CVSS scores can range from 0.0 
(no vulnerability) to 10.0 (critical). BlackBerry uses CVSS in vulnerability 
assessments to present an immutable characterization of security issues. 
BlackBerry assigns all relevant security issues a non-zero score. Customers 
performing their own risk assessments of vulnerabilities that may impact them
can benefit from using the same industry-recognized CVSS metrics.

Acknowledgements

This vulnerability was discovered by David Gullasch, Max Moser, and Martin 
Schobert of modzero, who assisted BlackBerry in identifying the cause of the 
issue.

Change Log

08-12-2014 Initial publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBU+xTDxLndAQH1ShLAQJ+KhAAnaEyrpDdGFLs20jnRHHXQ4oteBkFXFhP
VjInapOLl5yHVGdJ5tyDzMhBrLf+0R2ZAwK2utZJApncBrAwbmEoLBnJWdCg81Pj
BE7lSOU/9LA7ZkWYLxPnyHs9GiK8M4f3bffwbHCIhRbP3Wh7wknATrbFqlQpumPy
IuxSRsPsdEJ1vcgtm0s5um6/b3RbJRZYIs4sGCCkJvXrquSJKS/fSNFseIP+U8t2
YP6U0d4DR5+CYRCgdVkm6BCVPptF/Rp9zWHgZmqVPy0Twx/tZ6g0fZ4dU7Fs9Blw
frQzvD7ftlhjCHMxk49Uh29F4O7Z4vD/GArmt5dEV+PV1FPwMlta2By1Ao5Sb9dD
Ssytdwq7k+VxS3Yvj1yLgWO9ssY5wQLmALJhB9n4De3Vzt7cNEspw9DhvOiZQVEg
JD3SrhQNCS9SuK53S1AgoeZCR2+XekiZWvvVNqrgC2i0wvHKCKgPOD6Nqe8buLJd
8ghk9QVaLnCj9Of0sg+ffMtEgj0A6+rEO1GWIqH/uWF8SoNnlLleUW8bScCR5TsU
btm8DWtnJyusZ+Ot4uQ9nj+OFWWrbStKbpR6VMG3fBTL/zkavwCLN1F6iPwn9kgm
JN85/WEyPuOkCQ6nb3JbUa+Sfyuk5vgJo/N2N6krl7gwIqSD/7fzCVHtfs9J+G0D
BhNZoP+xEGA=
=twBP
-----END PGP SIGNATURE-----