09 April 2014
===========================================================================
AUSCERT Security Bulletin

ASB-2014.0041
A vulnerability has been addressed in BlackBerry 10 smartphones
9 April 2014
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:              BlackBerry 10 smartphone
Operating System:     BlackBerry Device
Impact/Access:        Root Compromise   -- Remote/Unauthenticated
                      Denial of Service -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-1468
Member content until: Friday, May 9 2014

OVERVIEW

A vulnerability has been addressed in BlackBerry 10 smartphones.

IMPACT

The vendor has provided the following details regarding this issue:

"A stack-based buffer overflow vulnerability exists in the qconnDoor service supplied with affected versions of BlackBerry 10 OS. The qconnDoor service is used by BlackBerry 10 OS to provide developer access, such as shell and remote debugging capabilities, to the smartphone.

Successful exploitation of this vulnerability could potentially result in an attacker terminating the qconnDoor service running on a user's BlackBerry smartphone. In addition, the attacker could potentially execute code on the user's BlackBerry smartphone with the privileges of the root user (superuser).

An attacker can exploit this vulnerability in the following ways:

Over Wi-Fi

In order to exploit this vulnerability, an attacker must send a specially crafted message to the qconnDoor service on a smartphone located on the same Wi-Fi network. The smartphone user must have also enabled development mode on the smartphone before an attack.

Over USB

In order to exploit this vulnerability, an attacker must gain physical access to a smartphone and then send a specially crafted message to the qconnDoor service over USB."

MITIGATION

BlackBerry recommends updating BlackBerry 10 smartphone software to version 10.2.0.1055 or later.

REFERENCES

BSRT-2014-003 Vulnerability in qconnDoor service affects BlackBerry 10 smartphones
http://www.blackberry.com/btsc/kb35816

AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane Qld 4072

Internet Email: firstname.lastname@example.org
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)

AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only.
===========================================================================