-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1390
  BSRT-2014-006 Vulnerability in file sharing service affects BlackBerry
     Z10, BlackBerry Z30, BlackBerry Q10, and BlackBerry Q5 smartphones
                               14 August 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BlackBerry Z10
                   BlackBerry Z30
                   BlackBerry Q10
                   BlackBerry Q5
Publisher:         BlackBerry
Operating System:  BlackBerry Device
Impact/Access:     Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-1470

Original Bulletin:
   www.blackberry.com/btsc/KB36174

- --------------------------BEGIN INCLUDED TEXT--------------------

BSRT-2014-006 Vulnerability in file sharing service affects BlackBerry Z10,
BlackBerry Z30, BlackBerry Q10, and BlackBerry Q5 smartphones

Article ID:          KB36174
Type:                BlackBerry Security Advisory
First Published:     08-12-2014
Last Modified:       08-12-2014
Product(s) Affected: Z30, Z10, Q10, Q5

Overview

This advisory addresses a file sharing authentication bypass vulnerability
that is not currently being exploited but affects BlackBerry Z10, BlackBerry
Z30, BlackBerry Q10, and BlackBerry Q5 smartphone customers. BlackBerry
customer risk is limited by the default file sharing settings and a
requirement for an attacker to have access to the same physical network.

Successful exploitation requires an attacker to locate and connect to an
affected smartphone over a Wi-Fi network and requires that a user must have
enabled file sharing over Wi-Fi. If the requirements are met for
exploitation, an attacker could potentially gain access to, read or modify
data on the device.

After installing the recommended software update, affected BlackBerry 10
smartphone customers will be fully protected from this vulnerability.

Who should read this advisory?
   - BlackBerry 10 smartphone users
   - IT administrators who deploy BlackBerry 10 smartphones in an enterprise

Who should apply the software fix(es)?

   - BlackBerry 10 smartphone users
   - IT administrators who deploy BlackBerry 10 smartphones in an enterprise

More Information

Have any BlackBerry customers been subject to an attack that exploits this
vulnerability?

BlackBerry is not aware of any attacks targeting BlackBerry 10 smartphone
customers using this vulnerability.

What factors affected the release of this security advisory?

This advisory addresses a privately disclosed authentication bypass
vulnerability in the BlackBerry 10 file sharing service. BlackBerry publishes
full details of a software update in a security advisory after the fix is
available to the majority of our customers and wireless service provider
partners. Publishing this advisory ensures that all of our customers can
protect themselves by updating their software, or employing available
workarounds if updating is not possible. Customers for whom the software
update is not yet available should contact their wireless service provider
to request BlackBerry 10 smartphone version 10.2.1.1925 or later.

Where can I read more about BlackBerry 10 smartphone security?

For more information on security features in BlackBerry smartphones, read
the BlackBerry Enterprise Service 10 Security Technical Overview.

Affected Software and Resolutions

Read the following information to determine if your BlackBerry 10 smartphone
is affected.

Affected Software

   BlackBerry 10 OS earlier than version 10.2.1.1925

Non-Affected Software

   BlackBerry 10 OS version 10.2.1.1925 and later

Are BlackBerry smartphones affected?

Yes

Resolution

BlackBerry has issued a fix for this vulnerability, which is included in
BlackBerry 10 OS version 10.2.1.1925 and later. This software update
resolves this vulnerability on affected versions of BlackBerry 10
smartphones.
Update BlackBerry 10 smartphone software to version 10.2.1.1925 or later to
be fully protected from this issue.

Note: If customers are running a BlackBerry 10 OS earlier than 10.2.1.1925,
but do not see a software update notification and the device indicates that
the software is up to date, customers should contact their wireless service
provider to request BlackBerry 10 OS version 10.2.1.1925 or later.

For information on how to manage potential risk until the software update is
available for all customers, see the Mitigations section of this advisory.

Update by Accessing the Software Update Notification

BlackBerry 10 smartphones use notifications to keep customers informed about
software updates. When a new software update notification is available, it
appears in the Notifications section of the BlackBerry Hub on affected
BlackBerry smartphones. Review the notifications and follow the steps to
access the latest software update notification and complete the software
update.

Manually Check for Software Updates on BlackBerry 10 smartphones

   1. From the home screen, swipe down from the top of the screen.
   2. Tap Settings, then Software Updates.
   3. Tap Check for Updates.

Customers can also update their BlackBerry smartphone software using
BlackBerry Link. For more information, see the Help documentation for
BlackBerry Link.

More Information

How can I find out what version of the BlackBerry 10 OS I am running?

   1. From the home screen, swipe down from the top of the screen.
   2. Tap Settings, then Software Updates.
   3. Tap About, and view the OS Version or Software Release field in the
      OS settings.

Are new (still in the box) BlackBerry 10 smartphones exposed to this
vulnerability?

As long as the customer fully completes the smartphone setup, including the
smartphone software update, the smartphone will not be affected. During the
initial setup process, BlackBerry 10 smartphones will download and install
the latest version of the OS available from the customer's carrier.
The fix for this vulnerability is included in all versions of BlackBerry 10
OS after version 10.2.1.1925.

Note: If customers are running an affected version earlier than 10.2.1.1925
but do not see a software update notification and their device indicates
that the software is up to date, customers should contact their wireless
service provider to request BlackBerry 10 OS version 10.2.1.1925 or later.

Are Z3 smartphones exposed to this vulnerability?

No. The fix for this vulnerability is included in all versions of the Z3
smartphone software.

Does the BlackBerry 10 smartphone force me to update my software?

No, customer action is required to update the software. BlackBerry 10
smartphones use notifications to keep customers informed about software
updates and provide instructions for customers to easily install a software
update. Customers can also manually check for software updates. For
instructions to update customer software, see the Resolution section of this
advisory.

Can a BlackBerry 10 smartphone user update the file sharing service without
performing a full BlackBerry 10 OS upgrade?

No. The service is provided as an integral part of the BlackBerry 10
smartphone installation, and they must be updated together.

Vulnerability Information

A vulnerability that could allow authentication bypass exists in the Wi-Fi
file sharing service supplied with affected versions of the BlackBerry 10
OS. This service allows a BlackBerry 10 smartphone to share files from the
SD card and the media folder over a Wi-Fi network. Successful exploitation of
this vulnerability could potentially result in an attacker gaining the
ability to read, write, or modify data on the device. In order to exploit
this vulnerability, an attacker must connect to an affected BlackBerry
smartphone's file sharing service.

This vulnerability has a Common Vulnerability Scoring System (CVSS) score of
5.4.
View the linked Common Vulnerabilities and Exposures (CVE) identifier for a
description of the security issue that this security advisory addresses.

   CVE identifier     CVSS score
   CVE-2014-1470      5.4

Mitigations

Mitigations are existing conditions that a potential attacker would need to
overcome in order to mount a successful attack or that would limit the
severity of an attack. Examples of such conditions include default settings,
common configurations and general best practices.

This issue is mitigated for all customers by the prerequisite that the
attacker must persuade the customer to turn on file sharing over Wi-Fi or
locate a customer on the Wi-Fi network who has file sharing over Wi-Fi
turned on. File sharing over Wi-Fi is not enabled by default.

Workarounds

Workarounds are settings or configuration changes that a user or
administrator can apply to help protect against an attack. BlackBerry
recommends that all users apply the available software update to fully
protect their smartphone. All workarounds should be considered temporary
measures for customers to apply if they cannot install the update
immediately or must perform standard testing and risk analysis. BlackBerry
recommends that customers who are able to do so install the update to secure
their smartphones.

Disabling file sharing over Wi-Fi networks

   1. On the home screen of your BlackBerry device, swipe down from the top
      of the screen.
   2. Tap Settings > Storage and Access.
   3. Set the Access using Wi-Fi switch to Off.

Once customers have upgraded their BlackBerry 10 OS, they can resume file
sharing over Wi-Fi.

Restrict users from file sharing over Wi-Fi networks

Administrators who deploy work space only devices and regulated BlackBerry
Balance devices in their networks can use the Computer Access to Device IT
policy rule to prevent computers from accessing content on devices using the
file-sharing option with a Wi-Fi connection. If you set this rule to
Disallow, users cannot connect their devices to BlackBerry Link.
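An administrator working through this advisory for a fleet needs to combine three facts it states: BlackBerry 10 OS earlier than 10.2.1.1925 is affected, Z3 smartphones are not affected on any software version, and exploitation requires file sharing over Wi-Fi to be turned on (it is off by default). The triage script below is an added example written for this bulletin; it is not code from AusCERT, BlackBerry or modzero. The Device record, its field names and the inventory rows are constructed assumptions standing in for whatever an enterprise management system exports. The version comparison is numeric per component, because a plain string comparison ranks "10.2.1.925" above "10.2.1.1925" and would mark an affected device as patched.

```python
"""Triage a BlackBerry 10 device inventory against BSRT-2014-006.

Facts taken from the advisory:
  * BlackBerry 10 OS earlier than 10.2.1.1925 is affected; 10.2.1.1925 and
    later is not.
  * Z3 smartphones are not affected on any software version.
  * Exploitation requires file sharing over Wi-Fi to be turned on (off by
    default), so an unpatched device with it off is mitigated, not fixed.
The Device record and the inventory rows are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

FIXED_VERSION = "10.2.1.1925"   # first non-affected BlackBerry 10 OS version
UNAFFECTED_MODELS = {"Z3"}      # fix is included in all Z3 software builds


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted OS version into integers so comparison is numeric per
    component. A string comparison would rank '10.2.1.925' above
    '10.2.1.1925' because '9' sorts after '1'."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed OS version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(model: str, os_version: str) -> bool:
    """True when the device runs a build the advisory lists as affected."""
    if model.upper() in UNAFFECTED_MODELS:
        return False
    return parse_version(os_version) < parse_version(FIXED_VERSION)


@dataclass(frozen=True)
class Device:
    """Constructed inventory record (field names are an assumption)."""
    device_id: str
    model: str
    os_version: str         # Settings > Software Updates > About > OS Version
    wifi_file_sharing: bool  # Settings > Storage and Access > Access using Wi-Fi


def triage(device: Device) -> str:
    """Classify one device:
    'patched'   - OS is 10.2.1.1925 or later, or the model is a Z3
    'exposed'   - affected OS with Wi-Fi file sharing on: apply the
                  workaround (switch Access using Wi-Fi to Off), then update
    'mitigated' - affected OS with Wi-Fi file sharing off: update still due
    """
    if not is_affected(device.model, device.os_version):
        return "patched"
    return "exposed" if device.wifi_file_sharing else "mitigated"


def summarize(inventory: Iterable[Device]) -> Dict[str, int]:
    """Count devices per triage state for a fleet-level report."""
    counts = {"patched": 0, "mitigated": 0, "exposed": 0}
    for device in inventory:
        counts[triage(device)] += 1
    return counts


# Constructed sample inventory; versions other than 10.2.1.1925 are made up.
INVENTORY = [
    Device("dev-001", "Z10", "10.2.1.1925", True),
    Device("dev-002", "Q10", "10.2.1.925", True),    # string-compare trap
    Device("dev-003", "Z30", "10.2.0.1000", False),
    Device("dev-004", "Z3", "10.2.0.1000", True),     # model exception
    Device("dev-005", "Q5", "10.3.0.296", False),
]


if __name__ == "__main__":
    for d in INVENTORY:
        print(f"{d.device_id}  {d.model:<4} {d.os_version:<12} {triage(d)}")
    print(summarize(INVENTORY))
```

Devices reported as "exposed" are the ones to act on first: the workaround in this section takes effect immediately, while the "mitigated" and "exposed" groups together are the update backlog. Running this against a real export only requires mapping the two fields the advisory's own steps show users where to find.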
Related best practices

   - Users should enable Wi-Fi file sharing only while they are connected to
     trusted networks and intend to share files.
   - Users should not enable Wi-Fi file sharing on their BlackBerry 10
     smartphone when they are not actively sharing files.
   - Users should connect their BlackBerry 10 smartphone over USB
     connections to trusted computers only.

More Information

Does setting a unique password for file sharing help protect me against this
vulnerability?

No, using a password for file sharing is not a workaround for this
vulnerability.

Definitions

CVE
Common Vulnerabilities and Exposures (CVE) is a dictionary of common names
(CVE Identifiers) for publicly known information security vulnerabilities
maintained by the MITRE Corporation.

CVSS
CVSS is a vendor agnostic, industry open standard designed to convey the
severity of vulnerabilities. CVSS scores may be used to determine the urgency
for update deployment within an organization. CVSS scores can range from 0.0
(no vulnerability) to 10.0 (critical). BlackBerry uses CVSS in vulnerability
assessments to present an immutable characterization of security issues.
BlackBerry assigns all relevant security issues a non-zero score. Customers
performing their own risk assessments of vulnerabilities that may impact
them can benefit from using the same industry-recognized CVSS metrics.

Acknowledgements

This vulnerability was discovered by David Gullasch, Max Moser, and Martin
Schobert of modzero, who assisted BlackBerry in identifying the cause of the
issue.

Change Log

08-12-2014   Initial publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no responsibility
for consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBU+xTDxLndAQH1ShLAQJ+KhAAnaEyrpDdGFLs20jnRHHXQ4oteBkFXFhP
VjInapOLl5yHVGdJ5tyDzMhBrLf+0R2ZAwK2utZJApncBrAwbmEoLBnJWdCg81Pj
BE7lSOU/9LA7ZkWYLxPnyHs9GiK8M4f3bffwbHCIhRbP3Wh7wknATrbFqlQpumPy
IuxSRsPsdEJ1vcgtm0s5um6/b3RbJRZYIs4sGCCkJvXrquSJKS/fSNFseIP+U8t2
YP6U0d4DR5+CYRCgdVkm6BCVPptF/Rp9zWHgZmqVPy0Twx/tZ6g0fZ4dU7Fs9Blw
frQzvD7ftlhjCHMxk49Uh29F4O7Z4vD/GArmt5dEV+PV1FPwMlta2By1Ao5Sb9dD
Ssytdwq7k+VxS3Yvj1yLgWO9ssY5wQLmALJhB9n4De3Vzt7cNEspw9DhvOiZQVEg
JD3SrhQNCS9SuK53S1AgoeZCR2+XekiZWvvVNqrgC2i0wvHKCKgPOD6Nqe8buLJd
8ghk9QVaLnCj9Of0sg+ffMtEgj0A6+rEO1GWIqH/uWF8SoNnlLleUW8bScCR5TsU
btm8DWtnJyusZ+Ot4uQ9nj+OFWWrbStKbpR6VMG3fBTL/zkavwCLN1F6iPwn9kgm
JN85/WEyPuOkCQ6nb3JbUa+Sfyuk5vgJo/N2N6krl7gwIqSD/7fzCVHtfs9J+G0D
BhNZoP+xEGA=
=twBP
-----END PGP SIGNATURE-----