===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0041
      A vulnerability has been addressed in BlackBerry 10 smartphones
                               9 April 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              BlackBerry 10 smartphone
Operating System:     BlackBerry Device
Impact/Access:        Root Compromise   -- Remote/Unauthenticated
                      Denial of Service -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-1468  
Member content until: Friday, May  9 2014

OVERVIEW

        A vulnerability has been addressed in BlackBerry 10 smartphones. [1]


IMPACT

        The vendor has provided the following details regarding this issue:
        
        "A stack-based buffer overflow vulnerability exists in the qconnDoor 
        service supplied with affected versions of BlackBerry 10 OS. The 
        qconnDoor service is used by BlackBerry 10 OS to provide developer 
        access, such as shell and remote debugging capabilities, to the 
        smartphone.
        
        Successful exploitation of this vulnerability could potentially result 
        in an attacker terminating the qconnDoor service running on a user's 
        BlackBerry smartphone. In addition, the attacker could potentially 
        execute code on the user's BlackBerry smartphone with the privileges 
        of the root user (superuser).
        
        An attacker can exploit this vulnerability in the following ways:
        
        Over Wi-Fi
        In order to exploit this vulnerability, an attacker must send a 
        specially crafted message to the qconnDoor service on a smartphone 
        located on the same Wi-Fi network. The smartphone user must have also 
        enabled development mode on the smartphone before an attack.
        
        Over USB
        In order to exploit this vulnerability, an attacker must gain physical 
        access to a smartphone and then send a specially crafted message to 
        the qconnDoor service over USB." [1]


MITIGATION

        BlackBerry recommends updating BlackBerry 10 smartphone software to 
        version 10.2.0.1055 or later.


REFERENCES

        [1] BSRT-2014-003 Vulnerability in qconnDoor service affects BlackBerry
            10 smartphones
            http://www.blackberry.com/btsc/kb35816

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================