===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.0431
  Cross-site scripting (XSS) vulnerability in the BlackBerry Web Desktop
           Manager component of the BlackBerry Enterprise Server
                               13 April 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BlackBerry Enterprise Server Express
                   BlackBerry Enterprise Server
Publisher:         RIM
Operating System:  Windows
                   Netware
                   Linux variants
                   Solaris
                   AIX
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-0286  

Original Bulletin: 
   http://blackberry.com/btsc/KB26296

- --------------------------BEGIN INCLUDED TEXT--------------------

Cross-site scripting (XSS) vulnerability in the BlackBerry Web Desktop Manager 
component of the BlackBerry Enterprise Server

Products

Affected Software

This issue affects the BlackBerry Web Desktop Manager component of the 
following software versions:

    * BlackBerry Enterprise Server Express versions 5.0.1 and 5.0.2 for 
      Microsoft Exchange
    * BlackBerry Enterprise Server Express version 5.0.2 for IBM Lotus Domino
    * BlackBerry Enterprise Server versions 5.0.0 through 5.0.3 for Microsoft 
      Exchange and IBM Lotus Domino
    * BlackBerry Enterprise Server version 5.0.1 for Novell GroupWise

Non-Affected Software

    * BlackBerry Device Software
    * BlackBerry Desktop Software
    * BlackBerry Internet Service

Are BlackBerry smartphones and the BlackBerry Device Software affected?

No.

Issue Severity

This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 8.1.

Overview

This advisory describes a security issue whereby the BlackBerry Web Desktop 
Manager component of the BlackBerry Enterprise Server is susceptible to a 
reflected cross-site scripting (XSS) vulnerability. (Reflected cross-site 
scripting vulnerabilities are sometimes referred to as non-persistent or Type I 
cross-site scripting vulnerabilities.)

Who should read this advisory

BlackBerry Enterprise Server administrators

Who should apply the software fix(es)

BlackBerry Enterprise Server administrators

Recommendation

Complete the resolution actions documented in this advisory.

References

CVE Identifier: CVE-2011-0286

Problem

The vulnerability could allow an attacker to execute externally supplied 
scripts using the user privileges of the BlackBerry Web Desktop Manager. This 
could allow the attacker to perform any BlackBerry Web Desktop Manager task 
that the legitimate user could perform on a BlackBerry smartphone while the 
user is logged in to the BlackBerry Web Desktop Manager. Such tasks include 
remotely resetting the device password and locking the device, remotely wiping 
and disabling the device, and activating the user's account on another device 
over the wireless network.

Successful exploitation of this issue requires an attacker to persuade the 
legitimate user to click a specially crafted URL. That URL may be presented 
to the user in a web browser, an email, or an instant message.

Mitigations

    * As a best practice, RIM recommends that access to administrative 
      functions of the BlackBerry Enterprise Server, including BlackBerry Web 
      Desktop Manager, be allowed only from trusted networks or specific hosts.

    * Refer to the documentation for your web browser to learn about potential 
      mitigation of cross-site scripting vulnerabilities.
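To make the reflected-XSS mechanism from the Problem section and the first mitigation above concrete, here is an added Python example; it is not part of the RIM advisory or of the BlackBerry product code. It uses a constructed stand-in page that echoes a hypothetical `device` query parameter, an assumed hostname and path (`bes.example`, `/webdesktop/device.jsp`), and a constructed trusted-network allow-list.

```python
import html
import ipaddress
from urllib.parse import parse_qs, quote, urlsplit

# Constructed stand-in for a console page that echoes a query parameter
# (a hypothetical "device" name) into the response. Not the real
# BlackBerry Web Desktop Manager code.
def _device_param(url: str) -> str:
    return parse_qs(urlsplit(url).query).get("device", [""])[0]

def render_vulnerable(url: str) -> str:
    # Untrusted input concatenated straight into HTML: reflected XSS.
    return f"<h1>Device: {_device_param(url)}</h1>"

def render_fixed(url: str) -> str:
    # HTML-encode for the element-content context; markup in the
    # parameter is rendered as text instead of being parsed as HTML.
    return f"<h1>Device: {html.escape(_device_param(url), quote=True)}</h1>"

def reflects_markup(response_html: str, probe: str) -> bool:
    """Triage check for a scanner or a QA test: does the probe string
    come back in the response byte-for-byte, i.e. unencoded?"""
    return probe in response_html

# Benign probe: a script that only writes to the browser console.
PROBE = '<script>console.log("xss-probe")</script>'
# Constructed URL; hostname and path are assumptions.
CRAFTED_URL = "https://bes.example/webdesktop/device.jsp?device=" + quote(PROBE)

# First mitigation from the advisory: allow administrative functions only
# from trusted networks or specific hosts. Constructed allow-list.
TRUSTED_ADMIN_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/24"),   # admin VLAN (constructed)
    ipaddress.ip_network("192.0.2.10/32"),  # jump host (constructed)
]

def admin_access_allowed(client_ip: str) -> bool:
    """Reject console requests from outside the trusted admin networks.
    The advisory lists this as a best practice that narrows exposure,
    not as a fix for the encoding defect itself."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_ADMIN_NETWORKS)

if __name__ == "__main__":
    print("vulnerable reflects probe:", reflects_markup(render_vulnerable(CRAFTED_URL), PROBE))
    print("fixed reflects probe:", reflects_markup(render_fixed(CRAFTED_URL), PROBE))
    print("10.20.0.7 allowed:", admin_access_allowed("10.20.0.7"))
```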

Resolution

The following released versions of the BlackBerry Enterprise Server resolve 
this issue:

BlackBerry Enterprise Server version 5.0.3 MR1 for Microsoft Exchange and IBM 
Lotus Domino

    * Visit http://www.blackberry.com/go/serverdownloads to obtain BlackBerry 
      Enterprise Server version 5.0.3 MR1.

BlackBerry Enterprise Server version 5.0.2 MR5 for Microsoft Exchange

    * Visit http://www.blackberry.com/go/serverdownloads to obtain BlackBerry 
      Enterprise Server version 5.0.2 MR5.

RIM has issued the following interim security software updates that resolve the 
vulnerability in affected versions of the BlackBerry Enterprise Server and the 
BlackBerry Enterprise Server Express.

For BlackBerry Enterprise Server version 5.0.2 for IBM Lotus Domino

    * Visit http://www.blackberry.com/go/serverdownloads to obtain Interim 
      Security Software Update for April 12, 2011.

For BlackBerry Enterprise Server version 5.0.1 for Microsoft Exchange, IBM 
Lotus Domino, and Novell GroupWise

    * Visit http://www.blackberry.com/go/serverdownloads to obtain Interim 
      Security Software Update for April 12, 2011.

For BlackBerry Enterprise Server Express version 5.0.2 for Microsoft Exchange
and IBM Lotus Domino

    * Visit http://www.blackberry.com/go/serverdownloads to obtain Interim 
      Security Software Update for April 12, 2011.

For BlackBerry Enterprise Server Express version 5.0.1 for Microsoft Exchange

    * Visit http://www.blackberry.com/go/serverdownloads to obtain Interim 
      Security Software Update for April 12, 2011.

If you are using a software version that is not listed above, update to one of 
the listed versions to apply the upgrade.

Acknowledgements

RIM would like to thank Ivan Huertas of Cybsec (http://www.cybsec.com) for his 
involvement in helping to protect our customers. 

Copyright © 2010 Research In Motion Limited, unless otherwise noted.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================