===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.0431
 Cross-site scripting (XSS) vulnerability in the BlackBerry Web Desktop
         Manager component of the BlackBerry Enterprise Server
                               13 April 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BlackBerry Enterprise Server Express
                   BlackBerry Enterprise Server
Publisher:         RIM
Operating System:  Windows
                   Netware
                   Linux variants
                   Solaris
                   AIX
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-0286

Original Bulletin:
  http://blackberry.com/btsc/KB26296

--------------------------BEGIN INCLUDED TEXT--------------------

Cross-site scripting (XSS) vulnerability in the BlackBerry Web Desktop
Manager component of the BlackBerry Enterprise Server

Products

Affected Software

This issue affects the BlackBerry Web Desktop Manager component of the
following software versions:

  * BlackBerry Enterprise Server Express versions 5.0.1 and 5.0.2 for
    Microsoft Exchange
  * BlackBerry Enterprise Server Express version 5.0.2 for IBM Lotus Domino
  * BlackBerry Enterprise Server versions 5.0.0 through 5.0.3 for
    Microsoft Exchange and IBM Lotus Domino
  * BlackBerry Enterprise Server version 5.0.1 for Novell GroupWise

Non Affected Software

  * BlackBerry Device Software
  * BlackBerry Desktop Software
  * BlackBerry Internet Service

Are BlackBerry smartphones and the BlackBerry Device Software affected?

No.

Issue Severity

This vulnerability has a Common Vulnerability Scoring System (CVSS) score
of 8.1.

Overview

This advisory describes a security issue whereby the BlackBerry Web
Desktop Manager component of the BlackBerry Enterprise Server is
susceptible to a reflective cross-site scripting (XSS) vulnerability.
(Reflective cross-site scripting vulnerabilities are sometimes referred to
as non-persistent or Type I cross-site scripting vulnerabilities.)

Who should read this advisory

BlackBerry Enterprise Server administrators

Who should apply the software fix(es)

BlackBerry Enterprise Server administrators

Recommendation

Complete the resolution actions documented in this advisory.

References

CVE Identifier: CVE-2011-0286

Problem

The vulnerability could allow an attacker to execute externally supplied
scripts using the user privileges of the BlackBerry Web Desktop Manager.
This could allow the attacker to perform any BlackBerry Web Desktop
Manager task that the legitimate user could perform on a BlackBerry
smartphone while the user is logged in to the BlackBerry Web Desktop
Manager. Such tasks include remotely resetting the device password and
locking the device, remotely wiping and disabling the device, and
activating the user's account on another device over the wireless
network.

Successful exploitation of this issue requires an attacker to persuade the
legitimate user to click a specially crafted URL. The URL that the
attacker persuades the legitimate user to click may be in a web browser or
an email or instant message.

Mitigations

  * As a best practice, RIM recommends that access to administrative
    functions of the BlackBerry Enterprise Server, including BlackBerry
    Web Desktop Manager, be allowed only from trusted networks or specific
    hosts.
  * Refer to the documentation for your web browser to learn about
    potential mitigation of cross-site scripting vulnerabilities.

Resolution

The following released versions of the BlackBerry Enterprise Server
resolve this issue:

BlackBerry Enterprise Server version 5.0.3 MR1 for Microsoft Exchange and
IBM Lotus Domino

  * Visit http://www.blackberry.com/go/serverdownloads to obtain
    BlackBerry Enterprise Server version 5.0.3 MR1.

BlackBerry Enterprise Server version 5.0.2 MR5 for Microsoft Exchange

  * Visit http://www.blackberry.com/go/serverdownloads to obtain
    BlackBerry Enterprise Server version 5.0.2 MR5.

RIM has issued the following interim security software updates that
resolve the vulnerability in affected versions of the BlackBerry
Enterprise Server and the BlackBerry Enterprise Server Express.

For BlackBerry Enterprise Server version 5.0.2 for IBM Lotus Domino

  * Visit http://www.blackberry.com/go/serverdownloads to obtain Interim
    Security Software Update for April 12, 2011.

For BlackBerry Enterprise Server version 5.0.1 for Microsoft Exchange,
IBM Lotus Domino, and Novell GroupWise

  * Visit http://www.blackberry.com/go/serverdownloads to obtain Interim
    Security Software Update for April 12, 2011.

For BlackBerry Enterprise Server Express version 5.0.2 for Microsoft
Exchange and IBM Lotus Domino

  * Visit http://www.blackberry.com/go/serverdownloads to obtain Interim
    Security Software Update for April 12, 2011.

For BlackBerry Enterprise Server Express version 5.0.1 for Microsoft
Exchange

  * Visit http://www.blackberry.com/go/serverdownloads to obtain Interim
    Security Software Update for April 12, 2011.

If you are using a software version that is not listed above, update to
one of the listed versions to apply the upgrade.

Acknowledgements

RIM would like to thank Ivan Huertas of Cybsec (http://www.cybsec.com) for
his involvement in helping to protect our customers.

Copyright 2010 Research In Motion Limited, unless otherwise noted.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================