Published:
21 July 2008
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2008.0717 -- [BLACKBERRY]
Vulnerability in the PDF distiller of the BlackBerry
Attachment Service for the BlackBerry Enterprise Server
21 July 2008
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: BlackBerry Enterprise Server 4.1.3 to 4.1.5
BlackBerry Professional Software 4.1.4
Publisher: BlackBerry
Impact: Execute Arbitrary Code/Commands
Access: Remote/Unauthenticated
Original Bulletin:
http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB15766
- --------------------------BEGIN INCLUDED TEXT--------------------
Vulnerability in the PDF distiller of the BlackBerry Attachment Service
for the BlackBerry Enterprise Server
Doc ID : KB15766
Last Modified : 2008-07-18
Document Type : Security Advisory
Environment
* BlackBerry Enterprise Server software version 4.1 Service Pack 3
(4.1.3) through 4.1 Service Pack 5 (4.1.5)
* BlackBerry Professional Software 4.1 Service Pack 4 (4.1.4)
Overview
This advisory describes a security issue that the BlackBerry Attachment
Service component of the BlackBerry Enterprise Server is susceptible to.
The issue relates to a known vulnerability in the PDF distiller component
of the BlackBerry Attachment Service that affects how the BlackBerry
Attachment Service processes PDF files.
This vulnerability has a Common Vulnerability Scoring System (CVSS) score
of 9.0.
Problem
A security vulnerability exists in the PDF distiller of some released
versions of the BlackBerry Attachment Service. This vulnerability could
enable a malicious individual to send an email message containing a
specially crafted PDF file, which when opened for viewing on a BlackBerry
smartphone, could cause memory corruption and possibly lead to arbitrary
code execution on the computer that the BlackBerry Attachment Service
runs on.
Resolution
Upgrade to BlackBerry Enterprise Server software version 4.1 Service Pack 6
(4.1.6).
Research In Motion (RIM) has also issued an interim security software update
that resolves this vulnerability in earlier affected versions of the
BlackBerry Enterprise Server and BlackBerry Professional Software.
For BlackBerry Enterprise Server
Visit http://www.blackberry.com/go/serverdownloads to obtain the interim
security software update for affected release versions earlier than
BlackBerry Enterprise Server software version 4.1.6.
For BlackBerry Professional Software
Visit http://na.blackberry.com/eng/support/downloads/#tab_professional
to obtain the interim security software update for affected BlackBerry
Professional Software versions.
Workaround
Note: As a mobile device best practice, RIM recommends that BlackBerry
smartphone users open attachments from trusted sources only.
Prevent the BlackBerry Attachment Service from processing PDF files in
a BlackBerry Enterprise Server environment
You can prevent the BlackBerry Attachment Service from processing PDF
files by editing the list of file format extensions that the BlackBerry
Attachment Service opens, and then preventing the PDF attachment
distiller from running on the BlackBerry Attachment Service.
To remove the PDF file extension from the list of supported file format
extensions, complete the following actions:
1. From the Windows Desktop, open the BlackBerry Server Configuration tool.
2. Click the Attachment Server tab.
3. In the Format Extensions field, delete pdf: from the colondelimited
list of extensions.
4. Click Apply.
5. Click OK.
Until you prevent the PDF attachment distiller from running, the BlackBerry
Attachment Service still detects a PDF file with a renamed extension (in
other words, its extension is not .pdf) and attempts to process the file
automatically. To prevent the PDF attachment distiller from running,
complete the following actions:
1. On the Windows Desktop, open the BlackBerry Server Configuration tool.
2. Click the Attachment Server tab.
3. In the Configuration Option drop-down list, select Attachment Server.
4. In the Distiller Settings section, next to the distiller name Adobe
PDF, clear the check box in the Enabled column.
5. Click Apply.
6. Click OK.
7. On the Windows Desktop, in Administrative Tools, open Services.
8. Right-click BlackBerry Attachment Service and click Stop.
9. Right-click BlackBerry Attachment Service and click Start.
10. Close Services.
In Microsoft Exchange and Novell GroupWise environments, complete the
following additional steps:
1. On the Windows Desktop, in Administrative Tools, open Services.
2. Right-click BlackBerry Dispatcher and click Stop.
3. Right-click BlackBerry Dispatcher and click Start.
4. Close Services.
Important: Restarting certain BlackBerry Enterprise Server services will
delay email message delivery to BlackBerry smartphones. For more
information, see KB04789.
In IBM Lotus Domino environments, complete the following additional steps:
1. Open the IBM Lotus Domino Administrator.
2. Click the Server tab.
3. Click the Status tab.
4. Click Server Console.
5. In the Domino Command field, type tell BES quit and press ENTER.
6. In the Domino Command field, type load BES and press ENTER.
7. Close the IBM Lotus Domino Administrator.
Additional Information
You can install the BlackBerry Attachment Service on a remote computer and
then place that computer on its own network segment to prevent the spread
of potential attacks from the BlackBerry Attachment Service to another
computer within your organizations network. In a segmented network, attacks
are isolated and contained on a single area of the network. Using
segmented network architecture is designed to improve the security and
performance of the BlackBerry Attachment Service network segment by
filtering out attachment data that is not destined for other network
segments. For more information about placing the BlackBerry Enterprise
Solution components in a network architecture that is segmented to prevent
the spread of potential malware attacks, see Placing the BlackBerry
Enterprise Solution in a Segmented Network.
Visit www.blackberry.com/security for more information on BlackBerry security.
CVSS is a vendor agnostic, industry open standard designed to convey the
severity of vulnerabilities. CVSS scores may be used to determine the
urgency for update deployment within an organization. CVSS scores range
from 0.0 (no vulnerability) to 10.0 (critical). RIM uses CVSS in
vulnerability assessments to present an immutable characterization of
security issues. RIM assigns all security relevant issues a non-zero score.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBSIPzGyh9+71yA2DNAQISGAQAljyPfRRgYZbbQW0N3m+wTOoLXMYofJmH
DXYQdNM+Rshf8mFtrwlT6KX477EyiXPd2EVCVLhAgq2WEzjv8OV8D6lJd9T+WI3D
PbGWpEO45tJY1nAt4ly9m+EMyA2uXpFYuaTmU8192aIjQUZUHyeRk5OUCwtq6RPi
nhA4Rp6C6bk=
=n7Ao
-----END PGP SIGNATURE-----