-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1647
         BSRT 2013-012 Vulnerability in remote file access feature
                          impacts BlackBerry Link
                             15 November 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BlackBerry Link
Publisher:         RIM
Operating System:  BlackBerry Device
Impact/Access:     Increased Privileges            -- Existing Account            
                   Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-3694  

Original Bulletin: 
   http://www.blackberry.com/btsc/KB35315

- --------------------------BEGIN INCLUDED TEXT--------------------

BSRT 2013-012 Vulnerability in remote file access feature impacts BlackBerry 
Link

Overview

This advisory addresses an elevation of privilege or remote code execution 
vulnerability that affects BlackBerry Link and is not currently being 
exploited. BlackBerry customer risk is limited because a potential attacker 
cannot force exploitation of the vulnerability without customer interaction. 
In the remote scenario, successful exploitation requires that an attacker 
persuade a user on a system with BlackBerry Link installed to click on a 
specifically crafted link or to access a webpage containing maliciously 
crafted code. In the alternative scenario, successful exploitation requires 
that a local attacker be able to log in to the affected system while the 
BlackBerry Link remote file access feature is running under a different user 
account. If the requirements for exploitation are met, an attacker could 
potentially gain access to, read, or modify data in the BlackBerry Link 
remote file access folder of the user account under which the BlackBerry Link 
remote file access feature is running. After installing the recommended 
software update, affected BlackBerry Link customers will be fully protected 
from this vulnerability.

Who should read this advisory?

    BlackBerry Link users

    IT administrators who deploy BlackBerry Link in an enterprise

Who should apply the software fix(es)?

    BlackBerry Link users

    IT administrators who deploy BlackBerry Link in an enterprise

More Information

What is BlackBerry Link?

BlackBerry Link allows customers to manage and sync content between BlackBerry
10 devices and their computer. For more information about BlackBerry Link, 
visit http://www.blackberry.com/blackberrylink.

Have any BlackBerry customers been subject to an attack that exploits this 
vulnerability?

BlackBerry is not aware of any attacks targeting BlackBerry customers using 
this vulnerability.

What factors affected the release of this security advisory?

This advisory addresses a publicly known vulnerability. BlackBerry publishes 
full details of a software update in a security advisory after the fix is 
available to the majority of our customers. Publishing this advisory ensures 
that all of our customers can protect themselves by updating their software, 
or employing available workarounds if updating is not possible.

Where can I read more about the security of BlackBerry products and solutions?

For more information on BlackBerry security, visit 
http://us.blackberry.com/business/topics/security.html.

Affected Software and Resolutions

Read the following to determine if your version of BlackBerry Link is 
affected.

Affected Software

BlackBerry Link for Windows version 1.0.1.12 to 1.2.0.28

BlackBerry Link for Mac OS version 1.0.1 (build 6) to 1.1.1 (build 35)

Non-Affected Software

BlackBerry Link for Windows prior to version 1.0.1.12

BlackBerry Link for Mac OS prior to version 1.0.1 (build 6)

BlackBerry Link for Windows version 1.2.1.31

BlackBerry Link for Mac OS version 1.1.1 (build 39)

Are BlackBerry smartphones affected?

No.

Resolution

BlackBerry has issued a fix for this vulnerability, which is included in 
BlackBerry Link for Windows version 1.2.1.31 and BlackBerry Link for Mac OS 
version 1.1.1 (build 39). These software updates resolve this vulnerability in
affected versions of BlackBerry Link. Update BlackBerry Link for Windows to 
software version 1.2.1.31 or later or BlackBerry Link for Mac OS to version 
1.1.1 (build 39) to be fully protected from this issue.

See the Mitigations section of this advisory for information on how to manage
potential risk if updating is not possible at this time.

Vulnerability Information

A vulnerability exists in the Peer Manager component of affected BlackBerry 
Link versions. BlackBerry Link allows customers to manage and sync content 
between BlackBerry 10 devices and their computer; Peer Manager is the 
component of BlackBerry Link that provides remote file access. The BlackBerry
Link Peer Manager uses WebDAV to provide access to user data. This allows a 
local user, using their smartphone, to access user data from the specified 
remote file access folder(s) on the computer. There are three potential 
scenarios for this vulnerability:

Local Elevation of Privilege

In multi-user systems, the remote file access folder belonging to the 
account that Peer Manager is running under can be accessible to other accounts
on the system.

Successful exploitation of this attack scenario could result in a local 
lower privileged user accessing user data belonging to the higher privileged 
account that Peer Manager is running under.

In order to exploit this vulnerability, a lower privileged user must log 
into their account on a system on which a higher privileged user has 
previously logged in, resulting in Peer Manager running under the higher 
privileged user.

Remote Code Execution

Successful exploitation of this attack scenario could result in a remote 
attacker accessing data in a user's remote file access folder, with the 
rights of that user's account.

In order to exploit this vulnerability, an attacker must persuade a local
user to click on a specifically crafted link or access a webpage containing 
maliciously crafted code.

Remote Code Execution with Local Elevation of Privilege

In multi-user systems, the remote file access folder belonging to the 
account that Peer Manager is running under can be accessible to other 
accounts.

Successful exploitation of this attack scenario could result in a remote 
attacker, by persuading a lower privileged user, accessing data belonging to 
the higher privileged account that Peer Manager is running under.

In order to exploit this vulnerability, an attacker must persuade a lower
privileged local user to click on a specifically crafted link or access a 
webpage containing maliciously crafted code while the user is logged into 
their account on a machine on which a higher privileged user has previously 
logged in, resulting in Peer Manager running under the higher privileged user
account.

This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 
6.8. View the linked CVE identifier for a description of the security issue 
that this security advisory addresses: CVE-2013-3694.

Mitigations

Mitigations are existing conditions that a potential attacker would need to 
overcome to mount a successful attack or that would limit the severity of an 
attack. Examples of such conditions include default settings, common 
configurations and general best practices.

The elevation of privilege attack scenario for this issue is mitigated in 
systems that do not support multiple users, and it is further mitigated by the
requirement that the attacker must have valid local login credentials.

Remote code execution attack scenarios for this issue are mitigated for all 
customers by the prerequisite that the attacker must persuade the customer to
access the maliciously crafted link or visit a webpage containing maliciously
crafted code.

In order to exploit this vulnerability, an attacker must know the IPv6 address
generated upon Peer Manager startup.

Workarounds

Workarounds are settings or configuration changes that a user or administrator
can apply to help protect against an attack. BlackBerry recommends that all 
users apply the available software update to fully protect their system. All 
workarounds should be considered temporary measures for customers to apply if
they cannot install the update immediately or must perform standard testing 
and risk analysis. BlackBerry recommends that customers who are able to do so
install the update to secure their systems.

Remove the remote file sharing directory in Link

Users who cannot upgrade BlackBerry Link at this time can remove the shared 
folder from the Remote File Access configuration, so that no folder is 
exposed by the remote file sharing feature.

Note: For affected users running BlackBerry Link for Windows or BlackBerry 
Link for Mac OS versions prior to 1.1, skip to step 4.

1.  On your computer, open BlackBerry Link.

2.  Access the Remote File Access settings:

    In version 1.1, at the bottom of the screen, click your computer, then
    click the Settings icon. In the Settings view, click Remote File Access.

    In version 1.2, at the side of the screen, click your computer, then 
    click Remote File Access.

3.  Click the X beside the folder specified in the Share the following folders
    with remote devices field.

4.  Check that the folder name (e.g., \Users\username) is not in the 
    folder_config.xml file. This file can be located in the following 
    locations:

    On systems running Microsoft Windows: 
    %AppData%\Research In Motion\BlackBerry 10 Desktop\RemoteAccess\nginx\conf\folder_config.xml

    On systems running Mac OS: 
    ~/Library/Application Support/BlackBerry Link/RemoteAccess/nginx/conf/folder_config.xml

When the workaround is applied, customers will be unable to remotely access 
files on their computer from their BlackBerry 10 device.
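The following Python script is an added example and is not BlackBerry's or 
AusCERT's code. It covers two checks an administrator would want to automate 
from this advisory: whether an installed BlackBerry Link version falls in the 
affected ranges listed under Affected Software and Resolutions, and whether a 
removed shared folder still appears in folder_config.xml (step 4 of the 
workaround above). The advisory does not show the schema of folder_config.xml, 
so the SAMPLE_* contents are constructed stand-ins and the check is the plain 
"folder name must not appear in the file" test the advisory describes; builds 
between the last listed affected version and the fixed version are not 
mentioned by the advisory and are treated as affected here as an assumption.

```python
"""Triage helper for BSRT 2013-012 / CVE-2013-3694.

Added example; not BlackBerry's or AusCERT's code. Version boundaries come
from the advisory's "Affected Software and Resolutions" section; the
folder_config.xml check is step 4 of the advisory's workaround. The real
folder_config.xml schema is not shown in the advisory, so SAMPLE_* below are
constructed stand-ins.
"""
import os
import re
import sys
from pathlib import Path

# Inclusive lower bound, exclusive fixed bound. Builds between the last listed
# affected version and the fixed version are not mentioned by the advisory;
# they are treated as affected here (assumption, the conservative choice).
WINDOWS_FIRST_AFFECTED = (1, 0, 1, 12)
WINDOWS_FIXED = (1, 2, 1, 31)
MAC_FIRST_AFFECTED = (1, 0, 1, 6)   # 1.0.1 (build 6)
MAC_FIXED = (1, 1, 1, 39)           # 1.1.1 (build 39)


def parse_windows_version(text):
    """'1.2.0.28' -> (1, 2, 0, 28)."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("unrecognised Windows version string: %r" % text)
    return tuple(int(p) for p in parts)


def parse_mac_version(text):
    """'1.1.1 (build 35)' -> (1, 1, 1, 35); the build number is the 4th element."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*\(build\s+(\d+)\)\s*", text)
    if not m:
        raise ValueError("unrecognised Mac OS version string: %r" % text)
    return tuple(int(g) for g in m.groups())


def is_affected(platform, version_text):
    """True if the installed BlackBerry Link version is inside the affected range."""
    if platform == "windows":
        return WINDOWS_FIRST_AFFECTED <= parse_windows_version(version_text) < WINDOWS_FIXED
    if platform == "mac":
        return MAC_FIRST_AFFECTED <= parse_mac_version(version_text) < MAC_FIXED
    raise ValueError("unknown platform: %r" % platform)


def folder_config_path():
    """Default location of folder_config.xml as given in the workaround section."""
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("APPDATA", ""))
        return (base / "Research In Motion" / "BlackBerry 10 Desktop"
                / "RemoteAccess" / "nginx" / "conf" / "folder_config.xml")
    return (Path.home() / "Library" / "Application Support" / "BlackBerry Link"
            / "RemoteAccess" / "nginx" / "conf" / "folder_config.xml")


def shared_folder_still_configured(config_text, folder_name):
    """Step 4 of the workaround: the removed folder's name must no longer appear
    in folder_config.xml. Windows paths are case-insensitive and the file may
    store either separator, so both spellings are tried case-insensitively."""
    haystack = config_text.lower()
    candidates = {
        folder_name.lower(),
        folder_name.replace("\\", "/").lower(),
        folder_name.replace("/", "\\").lower(),
    }
    return any(c in haystack for c in candidates)


# Constructed sample file contents (the advisory does not show the real format).
SAMPLE_BEFORE = '<folders><folder path="C:\\Users\\alice" /></folders>'
SAMPLE_AFTER = "<folders></folders>"


def check_workaround(folder_name, path=None):
    """Read the live folder_config.xml (or the given path) and report whether
    the shared folder is still referenced. A missing file means nothing is
    shared, so it is reported as not configured."""
    path = Path(path) if path else folder_config_path()
    if not path.exists():
        return False
    return shared_folder_still_configured(path.read_text(errors="replace"), folder_name)


if __name__ == "__main__":
    for plat, ver in [("windows", "1.2.0.28"), ("windows", "1.2.1.31"),
                      ("mac", "1.1.1 (build 35)"), ("mac", "1.1.1 (build 39)")]:
        print(plat, ver, "AFFECTED" if is_affected(plat, ver) else "not affected")
    print("sample before workaround still shares \\Users\\alice:",
          shared_folder_still_configured(SAMPLE_BEFORE, "\\Users\\alice"))
    print("sample after workaround still shares \\Users\\alice:",
          shared_folder_still_configured(SAMPLE_AFTER, "\\Users\\alice"))
```

Run it with no arguments to see the sample classifications; call 
check_workaround("\\Users\\username") on a machine where BlackBerry Link is 
installed to read the live file at the path the advisory gives. The substring 
test is deliberately broad: a false positive (folder name still present) only 
prompts a manual look at the file, whereas a parser written against a guessed 
schema could silently miss an entry.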

Uninstall BlackBerry Link

Users who cannot upgrade BlackBerry Link at this time can uninstall the 
software.

Uninstalling BlackBerry Link for Windows

For instructions to uninstall BlackBerry Link, consult the following 
knowledgebase articles:

For Microsoft Windows XP: http://support.microsoft.com/kb/307895

For Microsoft Windows 7: 
http://windows.microsoft.com/en-ca/windows/uninstall-change-program#uninstall-change-program=windows-7

For Microsoft Windows 8: 
http://www.microsoft.com/surface/en-ca/support/apps-and-windows-store/install-apps-and-programs

Uninstalling BlackBerry Link for Mac OS

For instructions to uninstall BlackBerry Link, consult the following 
knowledgebase article: http://support.apple.com/kb/ph11356

When the workaround is applied, customers will be unable to manage and sync 
content with their computer using their BlackBerry 10 device.

More Information

What is the remote file access folder?

This refers to the root folder specified in the Share the following folders 
with remote devices and its subfolders in the Remote File Access settings in 
BlackBerry Link. Allowed devices can access the specified folders over a Wi-Fi
connection. Visit 
http://docs.blackberry.com/en/smartphone_users/deliverables/53213/lym1345128370803.jsp
for more information about Remote File Access.

Definitions

CVE

Common Vulnerabilities and Exposures (CVE) is a dictionary of common names 
(CVE Identifiers) for publicly known information security vulnerabilities 
maintained by the MITRE Corporation.

CVSS

CVSS is a vendor agnostic, industry open standard designed to convey the 
severity of vulnerabilities. CVSS scores may be used to determine the urgency
for update deployment within an organization. CVSS scores can range from 0.0 
(no vulnerability) to 10.0 (critical). BlackBerry uses CVSS in vulnerability 
assessments to present an immutable characterization of security issues. 
BlackBerry assigns all relevant security issues a non-zero score. Customers 
performing their own risk assessments of vulnerabilities that may impact them
can benefit from using the same industry-recognized CVSS metrics.

Acknowledgements

BlackBerry would like to thank Tavis Ormandy and Ollie Whitehouse for their 
individual reports and involvement in helping protect our customers.

Change Log

11-12-2013

Initial publication.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----