Operating System:

[Win]

Published:

14 February 2013

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0200
        Vulnerabilities in BlackBerry Enterprise Server components
           that process images could allow remote code execution
                             14 February 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BlackBerry Enterprise Server
Publisher:         Blackberry
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-4447 CVE-2012-2088 

Original Bulletin: 
   http://www.blackberry.com/btsc/KB33425

- --------------------------BEGIN INCLUDED TEXT--------------------

BSRT-2013-003 Vulnerabilities in BlackBerry Enterprise Server components that
process images could allow remote code execution

Article ID: KB33425

Type: Security Advisory

First Published: 02-12-2013

Last Modified: 02-12-2013

Products

Affected Software

    BlackBerry Enterprise Server Express version 5.0.4 and earlier for 
    Microsoft Exchange and IBM Lotus Domino 
    BlackBerry Enterprise Server version 5.0.4 and earlier for Microsoft 
    Exchange, IBM Lotus Domino and Novell Groupwise

Issue Severity

These vulnerabilities have a Common Vulnerability Scoring System (CVSS) score
of 10.0 (high severity).

Overview

Vulnerabilities exist in components of the BlackBerry Enterprise Server that 
process TIFF images for rendering on the BlackBerry smartphone. The BlackBerry
Mobile Data System - Connection Service component processes images on web 
pages that the BlackBerry Browser requests. The BlackBerry Messaging Agent 
component processes images in email messages. The BlackBerry Collaboration 
Service processes images in instant messages sent between your organization's
instant messaging server, its BlackBerry Enterprise Server, and devices that 
are using public APIs, a Research In Motion proprietary protocol, and 
protocols specified by supported integrated collaboration clients.

RIM is not aware of any attacks on or specifically targeting BlackBerry 
Enterprise Server customers, and recommends that affected customers update to
the latest available software version to be fully protected from these 
vulnerabilities.

Problem

Vulnerabilities exist in how the BlackBerry MDS Connection Service and the 
BlackBerry Messaging Agent process TIFF images for rendering on the BlackBerry
smartphone. Successful exploitation of any of these vulnerabilities might 
allow an attacker to gain access to and execute code on the BlackBerry 
Enterprise Server. Depending on the privileges available to the configured 
BlackBerry Enterprise Server service account, the attacker might also be able
to extend access to other non-segmented parts of the network.

To exploit these vulnerabilities in how the BlackBerry MDS Connection Service
processes TIFF images, an attacker would need to create a specially crafted 
web page and then persuade the BlackBerry smartphone user to click a link to 
that web page. The attacker could provide the link to the user in an email or
instant message.

To exploit these vulnerabilities in how the BlackBerry Messaging Agent or the
BlackBerry Collaboration Service processes TIFF images, an attacker would need
to embed specially crafted TIFF image in an email message or enterprise 
instant message and send the message to the BlackBerry smartphone user. The 
user does not need to click a link or an image, or view the email message or 
instant message for the attack to succeed in this scenario. CollapseImpact 
These vulnerabilities could allow an attacker to execute arbitrary code using
the privileges of the BlackBerry Enterprise Server login account.

Resolution

RIM has issued BlackBerry Enterprise Server version 5.0.4 MR2 and an interim 
security update to BlackBerry Enterprise Server Express version 5.0.4 which 
resolves these vulnerabilities in all affected supported versions of the 
BlackBerry Enterprise Server and BlackBerry Enterprise Server Express. Update
your BlackBerry Enterprise Server or BlackBerry Enterprise Server Express to 
5.0.4 MR2 or later to be protected from these vulnerabilities. This update 
replaces the installed image.dll file that the affected components use with an
image.dll file that is not affected by the vulnerabilities.

If you are using a software version that is not listed below, update to one of
the listed versions before applying the security software update or 
Maintenance Release. Visit the Software Support Lifecycle site for information
about product support timelines.

Important: You must install the applicable security software update or MR for
your software version on any computer that hosts a BlackBerry MDS Connection 
Service or BlackBerry Messaging Agent instance. 

For BlackBerry Enterprise Server Express versions 5.0.2 through 5.0.4 for 
Microsoft Exchange and IBM Lotus Domino

	Visit http://www.blackberry.com/go/serverdownloads to obtain the 
	interim security update for BlackBerry Enterprise Server Express. 

For BlackBerry Enterprise Server versions 5.0.2 through 5.0.4 for Microsoft 
Exchange and IBM Lotus Domino

	Visit http://www.blackberry.com/go/serverdownloads to obtain BlackBerry 
	Enterprise Server version 5.0.4 MR2. 

For BlackBerry Enterprise Server versions 5.0.1 and 5.0.4 for Novell Groupwise

	Visit http://www.blackberry.com/go/serverdownloads to obtain BlackBerry 
	Enterprise Server version 5.0.4 MR2.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBURw5qO4yVqjM2NGpAQL+0g//eJBKsfGrfL/263I3tUsLILtwm1NPsIUZ
e0AE0q75YBY1Ecqtx6TnX4j40V7ZC2cC6RUL4wuLK+uD3u2+Ize2xDTJiJjqd6me
vEQvr+68LvtG2ZxTiy5+LwfxCJtpsDsiQvnLxgsxtAlWZVzcCm482qSE227tpFfF
LYxfgZyr6t+JTPYkrF+8M9K0IaZYMl1w7ehMNqcUzDqbeDzPiIx8RoRzLAP/uQqw
bgChmm2VaPcd8Z8lGGVO56JgHvUwldKsWWYIYYtGWhcyZmGBLDc4SoB92NwTlAo4
9gYMwCvBwGMqGSREMEt7X0hyjr5QReZIko9OBzKBd4RQE9+57EO1NBBTVz23tltv
6Es4P9efcesk39uw2xtzmrAYADsXx3qu2/SPfYV4xmS5sBCKMMGtCeqx3p9IGv3u
KvbHGiBxcr29WngvbWJsUENgWYx8Y5gZx5tpB9qNKEGK5ryml2bm9ZUTCGrbWYxW
ScJ+SiXb+Y3nQ8v0Kj7qgKJJWzItCDoKMNG32PxXqGmRGZFE6+knD/uaSfwfzK4r
RXcbOd2lAUk4r+T+y5r4H/A/CwgdYUw5zEDgfoc0PSkjhUvdUNTZmcWI7WxXLdTA
W9Pjh1VWa33hf+4h31UtExDlP+8x1wufjKoADO+ZKoV6o2rMPeA1BFMQYC/iBXKS
5TYYkkGr9pc=
=CaSL
-----END PGP SIGNATURE-----