-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.0725
   Vulnerability in a BlackBerry Enterprise Server component could allow
            information disclosure and partial denial of service
                                13 July 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BlackBerry Enterprise Server
Publisher:         RIM
Operating System:  Windows
                   Netware
                   Linux variants
                   Solaris
                   AIX
Impact/Access:     Denial of Service        -- Existing Account
                   Access Privileged Data   -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-0287

Original Bulletin:
  http://btsc.webapps.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB27258

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability in a BlackBerry Enterprise Server component could allow
information disclosure and partial denial of service

Products Affected

Software

This issue affects the BlackBerry Administration Application Programming
Interface (API) component within the BlackBerry Administration Service
component of the following software versions:

  * BlackBerry Enterprise Server version 5.0.0 for Microsoft Exchange, IBM
    Lotus Domino and Novell GroupWise (with the BlackBerry Administration
    API component installed as an option only)
  * BlackBerry Enterprise Server Express 5.0.0 for Microsoft Exchange and
    IBM Lotus Domino (with the BlackBerry Administration API component
    installed as an option only)
  * BlackBerry Enterprise Server Express versions 5.0.1, 5.0.2 and 5.0.3
    for Microsoft Exchange
  * BlackBerry Enterprise Server Express versions 5.0.2 and 5.0.3 for IBM
    Lotus Domino
  * BlackBerry Enterprise Server versions 5.0.1, 5.0.2 and 5.0.3 for
    Microsoft Exchange and IBM Lotus Domino
  * BlackBerry Enterprise Server version 5.0.1 for GroupWise

Non Affected Software

  * BlackBerry Device Software
  * BlackBerry Desktop Software
  * BlackBerry Internet Service

Are BlackBerry smartphones and the BlackBerry Device Software affected?

No.

Issue Severity

This vulnerability has a Common Vulnerability Scoring System (CVSS) score
of 4.8.

Overview

This advisory describes a security issue in the BlackBerry Administration
API component. Successful exploitation of the vulnerability could result in
information disclosure and partial denial of service (DoS).

The BlackBerry Administration API is a BlackBerry Enterprise Server
component that is installed on the server that hosts the BlackBerry
Administration Service. The BlackBerry Administration API contains multiple
web services that receive API requests from client applications. The
BlackBerry Administration API then translates requests into a format that
the BlackBerry Administration Service can process.

Who should read this advisory

BlackBerry Enterprise Server administrators.

Who should apply the software fix(es)

BlackBerry Enterprise Server administrators.

Recommendation

Complete the resolution actions documented in this advisory.

Best practices

Consider installing the BlackBerry Enterprise Server in a segmented network
configuration. To configure the BlackBerry Enterprise Solution in a
segmented network, you must install each BlackBerry Enterprise Solution
component on a computer that is separate from the computers that host other
components, and then place each computer in its own network segment. A
segmented network architecture is designed to isolate attacks and contain
them on one computer. See Additional Information, below.

References

CVE Identifier: CVE-2011-0287.

Problem

A vulnerability exists in the BlackBerry Administration API which could
allow an attacker to read files that contain only printable characters on
the BlackBerry Enterprise Server, including unencrypted text files. Binary
file formats, including those used for message storage, are not affected.

This vulnerability is limited to the user permissions granted to the
BlackBerry Administration API component.

Impact

Successful exploitation of this issue could allow information disclosure.
Successful exploitation may also result in resource exhaustion and
therefore could be leveraged as a partial denial of service (DoS).

Resolution

RIM has issued the following releases and interim security software updates
that resolve the vulnerability in affected versions of the BlackBerry
Enterprise Server:

For BlackBerry Enterprise Server Express versions 5.0.1, 5.0.2 and 5.0.3
for Microsoft Exchange

  Visit http://www.blackberry.com/go/serverdownloads to obtain the Interim
  Security Software Update for July 12, 2011 for BlackBerry Enterprise
  Server Express version 5.0.1 - 5.0.3.

For BlackBerry Enterprise Server Express versions 5.0.2 and 5.0.3 for IBM
Lotus Domino

  Visit http://www.blackberry.com/go/serverdownloads to obtain the Interim
  Security Software Update for July 12, 2011 for BlackBerry Enterprise
  Server Express versions 5.0.2 and 5.0.3.

For BlackBerry Enterprise Server versions 5.0.1, 5.0.2 and 5.0.3 for
Microsoft Exchange and IBM Lotus Domino

  Visit http://www.blackberry.com/go/serverdownloads to obtain the Interim
  Security Software Update for July 12, 2011 for BlackBerry Enterprise
  Server software version 5.0.1 - 5.0.3.

For BlackBerry Enterprise Server version 5.0.1 for Novell GroupWise

  Visit http://www.blackberry.com/go/serverdownloads to obtain the Interim
  Security Software Update for July 12, 2011 for BlackBerry Enterprise
  Server software version 5.0.1.

If you are using a software version that is not listed above, update to one
of the listed versions before applying the interim security software
update.

Additional Information

What is network segmentation?

The administrator can install the BlackBerry Attachment Service on a remote
computer and then place that computer on its own network segment to prevent
the spread of potential attacks from the BlackBerry Attachment Service to
another computer within your organization's network. In a segmented
network, attacks are isolated and contained in a single area of the
network. A segmented network architecture is designed to improve the
security and performance of the BlackBerry Attachment Service network
segment by filtering out attachment data that is not destined for other
network segments.

For more information about placing the BlackBerry Enterprise Solution
components in a network architecture that is segmented to prevent the
spread of potential malware attacks, see Placing the BlackBerry Enterprise
Solution in a Segmented Network.

What is CVE?

Common Vulnerabilities and Exposures (CVE) is a dictionary of common names
(CVE Identifiers) for publicly known information security vulnerabilities
maintained by the MITRE corporation.

What is CVSS?

CVSS is a vendor-agnostic, industry open standard designed to convey the
severity of vulnerabilities. CVSS scores may be used to determine the
urgency for update deployment within an organization. CVSS scores range
from 0.0 (no vulnerability) to 10.0 (critical). RIM uses CVSS for
vulnerability assessments to present an immutable characterization of
security issues. RIM assigns all relevant security issues a non-zero score.

Visit www.blackberry.com/security for more information on BlackBerry
security.

Acknowledgements

RIM would like to thank Richard Leach of NGSSecure for his involvement in
helping to protect our customers.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBTh0KKe4yVqjM2NGpAQKaHQ/+Peu6K7HXYoprhp2X5rGrbcjLkPS0fLw4
VOjqEwWFJFReqXZ7Ll06BUE+AuJCelrqAlLvDf3QotvHx6DORPIg5GsfU+Fs6a6P
FMVjWwGsYC8+dSTCJYsqlVltfpLLUZtENEYcCfkrqKtC/EBdjCbuBXpYtek8+U22
ov2Melsi1zylGQUgV/X83Hnrn2WSJ6XWFaHZg56P2Jva97TaI6MAyDkvYTatZL+Z
tEgUS337JupY5IcaHQ4qcDjuJ1vdzzr2hGhnwmoMXJt68rexpoAnqHcd+geH57Pg
UWsS87g6+DqMJSn53X8pu/KS//VcNzdr0RwUkmx12p1IJZDyqsR34/xW2Qpbt2Oo
mAUp3SJPmHR8W+LoERI5dVYaz4XgbAp6f+B/TUCBcI+2REVzEGKatr8vANd94NBN
4IJ4WovB2JUVT/b32gVbULbXXrNbrly1WRPAwoaEQBnxVePK1Sc1Pp8/m2QozfdI
kxODUuj5B8dcGLjU5vM5WXkNceMbDke8YBABa5sW7azK4GDMVwNJUbMKj68gsymC
j0MA8pb+vnu+pkO2/M9ApfgIQGhcks67qUpo+CZ7kCFAkQ8m+B8mwJO1IuqThbXq
35Tx2HlmaW0SyTA530cukyMNp7NascAoS+uMXZ+DRLyeuqUeQkYg1UF1cA06Eb/u
6njbG04DRc8=
=YThJ
-----END PGP SIGNATURE-----
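The Products Affected list and the Resolution section together form a small decision procedure: a server is in scope only for the listed product, platform and version combinations, the 5.0.0 releases count only when the optional BlackBerry Administration API component was installed, and any version not named in the Resolution section has to be moved to a named version before the July 12, 2011 interim security software update can be applied. The following Python script is an added example that encodes that procedure for triaging a server inventory; it is not tooling from AusCERT or RIM, and the host names and inventory records in it are constructed.

```python
"""Inventory triage for ESB-2011.0725 / CVE-2011-0287.

Added example, not RIM's or AusCERT's code. The tables below transcribe the
advisory's "Products Affected" and "Resolution" sections; the inventory
records at the bottom are constructed sample data.
"""
import re
from dataclasses import dataclass

BES = "BlackBerry Enterprise Server"
BESX = "BlackBerry Enterprise Server Express"

# (product, platform) -> versions the advisory names as affected
AFFECTED = {
    (BES, "Microsoft Exchange"): {"5.0.0", "5.0.1", "5.0.2", "5.0.3"},
    (BES, "IBM Lotus Domino"): {"5.0.0", "5.0.1", "5.0.2", "5.0.3"},
    (BES, "Novell GroupWise"): {"5.0.0", "5.0.1"},
    (BESX, "Microsoft Exchange"): {"5.0.0", "5.0.1", "5.0.2", "5.0.3"},
    (BESX, "IBM Lotus Domino"): {"5.0.0", "5.0.2", "5.0.3"},
}

# (product, platform) -> versions for which the Resolution section offers the
# Interim Security Software Update for July 12, 2011
PATCHABLE = {
    (BES, "Microsoft Exchange"): {"5.0.1", "5.0.2", "5.0.3"},
    (BES, "IBM Lotus Domino"): {"5.0.1", "5.0.2", "5.0.3"},
    (BES, "Novell GroupWise"): {"5.0.1"},
    (BESX, "Microsoft Exchange"): {"5.0.1", "5.0.2", "5.0.3"},
    (BESX, "IBM Lotus Domino"): {"5.0.2", "5.0.3"},
}

# Listed under "Non Affected Software"
NOT_AFFECTED_PRODUCTS = {
    "BlackBerry Device Software",
    "BlackBerry Desktop Software",
    "BlackBerry Internet Service",
}

INTERIM_UPDATE = ("Interim Security Software Update for July 12, 2011 "
                  "from http://www.blackberry.com/go/serverdownloads")

_VERSION_RE = re.compile(r"^\s*(\d+\.\d+\.\d+)")


def base_version(version):
    """Reduce an inventory version string such as '5.0.2 MR1' to '5.0.2'."""
    match = _VERSION_RE.match(version)
    return match.group(1) if match else None


@dataclass(frozen=True)
class Finding:
    host: str
    status: str  # "affected", "not-affected" or "unknown"
    action: str


def triage(host, product, platform, version, admin_api_installed=True):
    """Classify one server against the advisory.

    admin_api_installed matters only for the 5.0.0 releases, where the
    Administration API is an optional component; it defaults to True so an
    unknown installation state is treated as the worst case.
    """
    if product in NOT_AFFECTED_PRODUCTS:
        return Finding(host, "not-affected", "listed as non-affected software")
    key = (product, platform)
    if key not in AFFECTED:
        return Finding(host, "unknown",
                       "product/platform not covered by ESB-2011.0725; ask vendor")
    ver = base_version(version)
    if ver is None or ver not in AFFECTED[key]:
        return Finding(host, "unknown",
                       f"version {version!r} not named in the advisory; confirm with vendor")
    if ver == "5.0.0" and not admin_api_installed:
        return Finding(host, "not-affected",
                       "5.0.0 without the optional BlackBerry Administration API component")
    if ver in PATCHABLE[key]:
        return Finding(host, "affected", f"apply {INTERIM_UPDATE}")
    # Affected, but no interim update exists for this version: the advisory
    # says to move to a listed version first, then apply the update.
    targets = ", ".join(sorted(PATCHABLE[key]))
    return Finding(host, "affected",
                   f"upgrade to {targets} first, then apply {INTERIM_UPDATE}")


def triage_inventory(records):
    """Run triage over (host, product, platform, version, admin_api) tuples."""
    return [triage(*rec) for rec in records]


# Constructed sample inventory (host names and versions are made up)
SAMPLE_INVENTORY = [
    ("bes-01", BES, "Microsoft Exchange", "5.0.2 MR1", True),
    ("bes-02", BES, "Novell GroupWise", "5.0.0", False),
    ("besx-03", BESX, "IBM Lotus Domino", "5.0.0", True),
    ("pc-04", "BlackBerry Desktop Software", "Windows", "6.0", True),
    ("bes-05", BES, "Microsoft Exchange", "4.1.7", True),
]

if __name__ == "__main__":
    for finding in triage_inventory(SAMPLE_INVENTORY):
        print(f"{finding.host:8} {finding.status:13} {finding.action}")
```

The "unknown" outcome is deliberate: a product, platform or version the advisory does not name is not evidence of safety, so the script refuses to mark it clean and instead points the operator back to the vendor.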