-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1647
  BSRT 2013-012 Vulnerability in remote file access feature impacts
                               BlackBerry Link
                              15 November 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BlackBerry Link
Publisher:         RIM
Operating System:  Windows
                   Mac OS
Impact/Access:     Increased Privileges            -- Existing Account
                   Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-3694

Original Bulletin:
   http://www.blackberry.com/btsc/KB35315

- --------------------------BEGIN INCLUDED TEXT--------------------

BSRT 2013-012 Vulnerability in remote file access feature impacts BlackBerry Link

Overview

This advisory addresses an elevation of privilege or remote code execution
vulnerability that affects BlackBerry Link and is not currently being
exploited. Customer risk is limited because a potential attacker cannot force
exploitation of the vulnerability without customer interaction. Successful
exploitation requires that an attacker persuade a user on a system with
BlackBerry Link installed to click on a specifically crafted link or access a
webpage containing maliciously crafted code. In the alternative scenario,
successful exploitation requires that a local attacker be able to log in to
the affected system while the BlackBerry Link remote file access feature is
running under a different user account. If the requirements for exploitation
are met, an attacker could potentially gain access to, read, or modify data in
the BlackBerry Link remote file access folder of the user account under which
BlackBerry Link's remote file access feature is running.
After installing the recommended software update, affected BlackBerry Link
customers will be fully protected from this vulnerability.

Who should read this advisory?

  * BlackBerry Link users
  * IT administrators who deploy BlackBerry Link in an enterprise

Who should apply the software fix(es)?

  * BlackBerry Link users
  * IT administrators who deploy BlackBerry Link in an enterprise

More Information

What is BlackBerry Link?

BlackBerry Link allows customers to manage and sync content between
BlackBerry 10 devices and their computer. For more information about
BlackBerry Link, visit http://www.blackberry.com/blackberrylink.

Have any BlackBerry customers been subject to an attack that exploits this
vulnerability?

BlackBerry is not aware of any attacks targeting BlackBerry customers using
this vulnerability.

What factors affected the release of this security advisory?

This advisory addresses a publicly known vulnerability. BlackBerry publishes
full details of a software update in a security advisory after the fix is
available to the majority of our customers. Publishing this advisory ensures
that all of our customers can protect themselves by updating their software,
or by employing available workarounds if updating is not possible.

Where can I read more about the security of BlackBerry products and solutions?

For more information on BlackBerry security, visit
http://us.blackberry.com/business/topics/security.html.

Affected Software and Resolutions

Read the following to determine if your version of BlackBerry Link is
affected.

Affected Software

  * BlackBerry Link for Windows version 1.0.1.12 to 1.2.0.28
  * BlackBerry Link for Mac OS version 1.0.1 (build 6) to 1.1.1 (build 35)

Non-Affected Software

  * BlackBerry Link for Windows prior to version 1.0.1.12
  * BlackBerry Link for Mac OS prior to version 1.0.1 (build 6)
  * BlackBerry Link for Windows version 1.2.1.31
  * BlackBerry Link for Mac OS version 1.1.1 (build 39)

Are BlackBerry smartphones affected?

No.
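To apply the version ranges above across a fleet, the following added example
(not BlackBerry or AusCERT code) classifies a BlackBerry Link version string
as not affected, affected, unlisted, or fixed. The affected and fixed versions
are the ones the advisory lists; the shapes of the version strings ("1.2.0.28"
for Windows, "1.1.1 (build 35)" for Mac OS) are assumed from the advisory's
own notation, and the "unlisted" result covers builds that fall between the
last listed affected version and the fix, which the advisory does not
classify. The inventory lines in the block are constructed for illustration.

```python
"""Classify a BlackBerry Link version against the ranges in BSRT 2013-012.

Added example, not BlackBerry or AusCERT code. Version boundaries are the
ones listed in the advisory; the version-string shapes are assumed from the
advisory's own notation.
"""
import re
from typing import Tuple

# (first affected, last affected, fixed) per platform, as listed in the advisory.
RANGES = {
    "windows": ("1.0.1.12", "1.2.0.28", "1.2.1.31"),
    "mac os": ("1.0.1 (build 6)", "1.1.1 (build 35)", "1.1.1 (build 39)"),
}

# Mac OS style "1.1.1 (build 35)": the build number becomes the least
# significant component so it sorts after the dotted version.
_MAC_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*\(\s*build\s+(\d+)\s*\)\s*$",
                     re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.2.0.28' or '1.1.1 (build 35)' into a tuple of ints.

    Comparing integer tuples avoids the classic string-comparison bug in
    which '1.10' sorts before '1.9'.
    """
    m = _MAC_RE.match(text)
    parts = (m.group(1).split(".") + [m.group(2)]) if m else text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def status(platform: str, version: str) -> str:
    """Return 'not affected', 'affected', 'unlisted' or 'fixed'.

    'unlisted' means newer than the last listed affected build but older than
    the fix; the advisory does not classify such builds, so treat them as
    affected until the vendor says otherwise.
    """
    key = platform.strip().lower()
    if key.startswith("mac"):
        key = "mac os"
    if key not in RANGES:
        raise ValueError(f"unknown platform: {platform!r}")
    low, high, fixed = (parse_version(v) for v in RANGES[key])
    v = parse_version(version)
    if v >= fixed:
        return "fixed"
    if v < low:
        return "not affected"
    if v <= high:
        return "affected"
    return "unlisted"


if __name__ == "__main__":
    # Constructed inventory lines: "hostname,platform,version".
    inventory = [
        "pc-01,Windows,1.2.0.28",
        "pc-02,Windows,1.2.1.31",
        "pc-03,Windows,1.2.1.0",
        "mac-01,Mac OS,1.1.1 (build 35)",
        "mac-02,Mac OS,1.0.1 (build 5)",
    ]
    for line in inventory:
        host, plat, ver = line.split(",", 2)
        print(f"{host:8} {plat:8} {ver:18} {status(plat, ver)}")
```

Feed it real inventory export lines in the same "hostname,platform,version"
shape and triage anything reported as "affected" or "unlisted" first.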
Resolution

BlackBerry has issued a fix for this vulnerability, which is included in
BlackBerry Link for Windows version 1.2.1.31 and BlackBerry Link for Mac OS
version 1.1.1 (build 39). These software updates resolve this vulnerability
in affected versions of BlackBerry Link.

Update BlackBerry Link for Windows to software version 1.2.1.31 or later, or
BlackBerry Link for Mac OS to version 1.1.1 (build 39) or later, to be fully
protected from this issue. See the Mitigations section of this advisory for
information on how to manage potential risk if updating is not possible at
this time.

Vulnerability Information

A vulnerability exists in the Peer Manager component of affected BlackBerry
Link versions. BlackBerry Link allows customers to manage and sync content
between BlackBerry 10 devices and their computer; Peer Manager is the
component of BlackBerry Link that provides remote file access. Peer Manager
uses WebDAV to provide access to user data, which allows a local user, using
their smartphone, to access user data in the specified remote file access
folder(s) on the computer.

There are three potential scenarios for this vulnerability:

Local Elevation of Privilege

On multi-user systems, the remote file access folder belonging to the account
that Peer Manager is running under can be accessible to other accounts on the
system. Successful exploitation of this scenario could result in a local,
lower-privileged user accessing user data belonging to the higher-privileged
account that Peer Manager is running under. To exploit this vulnerability, a
lower-privileged user must log into their account on a system on which a
higher-privileged user has previously logged in, leaving Peer Manager running
under the higher-privileged user's account.

Remote Code Execution

Successful exploitation of this scenario could result in a remote attacker
accessing data in a user's remote file access folder, with the rights of that
user's account.
To exploit this vulnerability, an attacker must persuade a local user to click
on a specifically crafted link or access a webpage containing maliciously
crafted code.

Remote Code Execution with Local Elevation of Privilege

On multi-user systems, the remote file access folder belonging to the account
that Peer Manager is running under can be accessible to other accounts.
Successful exploitation of this scenario could result in a remote attacker
persuading a lower-privileged user to access data belonging to the
higher-privileged account that Peer Manager is running under. To exploit this
vulnerability, an attacker must persuade a lower-privileged local user to
click on a specifically crafted link or access a webpage containing
maliciously crafted code while that user is logged into their account on a
machine on which a higher-privileged user has previously logged in, leaving
Peer Manager running under the higher-privileged user's account.

This vulnerability has a Common Vulnerability Scoring System (CVSS) score of
6.8. View the linked CVE identifier for a description of the security issue
that this security advisory addresses: CVE-2013-3694.

Mitigations

Mitigations are existing conditions that a potential attacker would need to
overcome to mount a successful attack, or that would limit the severity of an
attack. Examples of such conditions include default settings, common
configurations and general best practices.

The elevation of privilege scenario is mitigated on systems that do not
support multiple users, and is further mitigated by the requirement that the
attacker have valid local login credentials. The remote code execution
scenarios are mitigated for all customers by the prerequisite that the
attacker must persuade the customer to access the maliciously crafted link or
visit a webpage containing maliciously crafted code.
In addition, to exploit this vulnerability an attacker must know the IPv6
address that Peer Manager generates when it starts.

Workarounds

Workarounds are settings or configuration changes that a user or
administrator can apply to help protect against an attack. BlackBerry
recommends that all users apply the available software update to fully
protect their system. All workarounds should be considered temporary measures
for customers to apply if they cannot install the update immediately or must
first perform standard testing and risk analysis. BlackBerry recommends that
customers who are able to do so install the update to secure their systems.

Remove the remote file sharing directory in Link

Users who cannot upgrade BlackBerry Link at this time can remove the shared
folder from the remote file access configuration.

Note: For affected users running BlackBerry Link for Windows or BlackBerry
Link for Mac OS versions prior to 1.1, skip to step 4.

  1. On your computer, open BlackBerry Link.

  2. Access the Remote File Access settings:
       * In version 1.1, at the bottom of the screen, click your computer,
         then click the Settings icon. In the Settings view, click Remote
         File Access.
       * In version 1.2, at the side of the screen, click your computer, then
         click Remote File Access.

  3. Click the X beside the folder specified in the "Share the following
     folders with remote devices" field.

  4. Check that the folder name (e.g., \Users\username) is not in the
     folder_config.xml file. This file is located at:
       * On systems running Microsoft Windows:
         %AppData%\Research In Motion\BlackBerry 10 Desktop\RemoteAccess\nginx\conf\folder_config.xml
       * On systems running Mac OS:
         ~/Library/Application Support/BlackBerry Link/RemoteAccess/nginx/conf/folder_config.xml

When the workaround is applied, customers will be unable to remotely access
files on their computer from their BlackBerry 10 device.

Uninstall BlackBerry Link

Users who cannot upgrade BlackBerry Link at this time can uninstall the
software.
Uninstalling BlackBerry Link for Windows

For instructions to uninstall BlackBerry Link, consult the following
knowledgebase articles:

  * For Microsoft Windows XP:
    http://support.microsoft.com/kb/307895
  * For Microsoft Windows 7:
    http://windows.microsoft.com/en-ca/windows/uninstall-change-program#uninstall-change-program=windows-7
  * For Microsoft Windows 8:
    http://www.microsoft.com/surface/en-ca/support/apps-and-windows-store/install-apps-and-programs

Uninstalling BlackBerry Link for Mac OS

For instructions to uninstall BlackBerry Link, consult the following
knowledgebase article:
http://support.apple.com/kb/ph11356

When the workaround is applied, customers will be unable to manage and sync
content with their computer using their BlackBerry 10 device.

More Information

What is the remote file access folder?

This refers to the root folder specified in the "Share the following folders
with remote devices" field, and its subfolders, in the Remote File Access
settings in BlackBerry Link. Allowed devices can access the specified folders
over a Wi-Fi connection. Visit
http://docs.blackberry.com/en/smartphone_users/deliverables/53213/lym1345128370803.jsp
for more information about Remote File Access.

Definitions

CVE
Common Vulnerabilities and Exposures (CVE) is a dictionary of common names
(CVE Identifiers) for publicly known information security vulnerabilities,
maintained by the MITRE Corporation.

CVSS
CVSS is a vendor-agnostic, industry open standard designed to convey the
severity of vulnerabilities. CVSS scores may be used to determine the urgency
for update deployment within an organization. CVSS scores can range from 0.0
(no vulnerability) to 10.0 (critical). BlackBerry uses CVSS in vulnerability
assessments to present an immutable characterization of security issues.
BlackBerry assigns all relevant security issues a non-zero score. Customers
performing their own risk assessments of vulnerabilities that may impact them
can benefit from using the same industry-recognized CVSS metrics.
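Step 4 of the "Remove the remote file sharing directory in Link" workaround
above asks you to confirm that the shared folder name no longer appears in
folder_config.xml. The following added example (not BlackBerry or AusCERT
code) automates that check at the file locations the advisory gives, so an
administrator can run it on each endpoint that cannot yet be updated. The
advisory does not document the file's schema, so the script does not parse
XML elements; it searches the file text for the folder path after normalising
separators and case, so that "C:\Users\alice" and "c:/users/alice/" compare
equal. The sample configuration strings in the block are constructed for
illustration and are not taken from a real installation.

```python
"""Verify the 'unshare the folder' workaround from BSRT 2013-012.

Added example, not BlackBerry or AusCERT code. The folder_config.xml paths
are those given in the advisory; the file's schema is not documented there,
so this searches the raw text rather than parsing elements. The sample
config strings below are constructed for illustration.
"""
import os
import sys
from pathlib import Path
from typing import Union


def config_path() -> Path:
    """folder_config.xml location for this OS, as given in the advisory."""
    if sys.platform.startswith("win"):
        return (Path(os.environ.get("APPDATA", "")) / "Research In Motion"
                / "BlackBerry 10 Desktop" / "RemoteAccess" / "nginx" / "conf"
                / "folder_config.xml")
    return (Path.home() / "Library" / "Application Support" / "BlackBerry Link"
            / "RemoteAccess" / "nginx" / "conf" / "folder_config.xml")


def _normalise(text: str) -> str:
    """Fold separators and case so different path spellings compare equal.

    Case is folded on both platforms: NTFS and the default HFS+ volume are
    case-insensitive, and a false positive here is cheaper than missing a
    share that is still configured.
    """
    return text.replace("\\", "/").lower()


def folder_still_shared(config_text: str, folder: str) -> bool:
    """True if `folder` (or a path beneath it) is still referenced.

    This is a substring match, so '/Users/bob' also matches '/Users/bobby';
    that errs on the side of reporting a share, which is the safe direction.
    """
    needle = _normalise(folder).rstrip("/")
    return bool(needle) and needle in _normalise(config_text)


def check(folder: str, path: Union[str, Path, None] = None) -> str:
    """Report whether the workaround is in effect for `folder` on this host."""
    path = Path(path) if path else config_path()
    if not path.is_file():
        return (f"no folder_config.xml at {path}: remote file access was never "
                f"configured, or BlackBerry Link is not installed")
    text = path.read_text(encoding="utf-8", errors="replace")
    if folder_still_shared(text, folder):
        return f"WORKAROUND NOT APPLIED: {folder} is still referenced in {path}"
    return f"ok: {folder} is not referenced in {path}"


# Constructed samples: a config that still shares a user's profile folder,
# and one after the folder was removed via the Link settings UI.
SAMPLE_SHARED = '<folders><folder path="C:\\Users\\alice\\Documents"/></folders>'
SAMPLE_CLEARED = '<folders></folders>'


if __name__ == "__main__":
    print(check(r"\Users\alice"))                                 # live check
    print(folder_still_shared(SAMPLE_SHARED, r"\Users\alice"))    # True
    print(folder_still_shared(SAMPLE_CLEARED, r"\Users\alice"))   # False
```

Run it as the user whose profile was shared (the file lives under that
user's %AppData% or ~/Library), and treat a "WORKAROUND NOT APPLIED" result as
the folder still being served by Peer Manager.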
Acknowledgements

BlackBerry would like to thank Tavis Ormandy and Ollie Whitehouse for their
individual reports and involvement in helping protect our customers.

Change Log

11-12-2013 Initial publication.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUoWikRLndAQH1ShLAQLVVA/+Jezp0QxMALoGzYLcmebYYNRZTD4CGKdS
9CeuAML3YJSPuX5pqR5FnHUyJ3KDf7spQyUkZUCYxqARzbNsI4Mi3yRmB7YJEMhh
sjRCsXe28hm+WW/JUVaIdXUWRJjntT+mJH2P23qJntSrw1SOhzbwXsvdbAtlHpKL
83wIeFBhSoAoylpx1VB4lxOKZ+60a1QadaIaYIsDCOp9Pdstxz6fohaUgVtl4nni
oy+bPdl+D/hn5zPrn+oC1yGB3p5L0Zyq9cFmvDySm7f4u5yX+FGyvZl5JvJcy1CV
P01lN+3uBscOILEHAmwkcRAPKTGChqg4Ag24YKhF3UnyLjAu4GgU1eq6owGjVuYU
qAPreRFYtsxc6KxyDVGT22d9AZ4+fWXBF/alDNRpdX1u1bD73kekx5cMwUj7/tzl
Fq77in6iuyAVK5ew3TGpJxfDwFUebVSs52iPMQwcN6vTkNwBzixpsC/vaQkKGQWq
R7epOVTN4cgUxWHhtOVBoxH/JTRXDABoAqBA8sQTjCaaN/hkqngrrpXr+UkKy4bb
sWdAeo8x04qymywVH6qFUD4d9tdl8puhwuYlSLhtpbi8Bd1FLU0lHytmR6jUY5lG
39UJXAksRPT6uYBTWiyVEzT/bMmEkT39TXaGSsTefJNTiYKGmDhdvi5sFa4dvopo
9LHP+7PxDNc=
=UF44
-----END PGP SIGNATURE-----