-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1391
        BSRT-2014-007 Information disclosure vulnerability affects
    BlackBerry Enterprise Service 10 and BlackBerry Enterprise Server 5.0.4
                               14 August 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BlackBerry Enterprise Service 10
                   BlackBerry Enterprise Server for Microsoft Exchange
                   BlackBerry Enterprise Server for IBM Lotus Domino
                   BlackBerry Enterprise Server for Novell GroupWise
                   BlackBerry Enterprise Server Express for Microsoft Exchange
                   BlackBerry Enterprise Server Express for IBM Lotus Domino
Publisher:         BlackBerry
Operating System:  Windows
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-1469

Original Bulletin:
   http://www.blackberry.com/btsc/KB36175

- --------------------------BEGIN INCLUDED TEXT--------------------

BSRT-2014-007 Information disclosure vulnerability affects BlackBerry
Enterprise Service 10 and BlackBerry Enterprise Server 5.0.4

Article ID:          KB36175
Type:                BlackBerry Security Advisory
First Published:     08-12-2014
Last Modified:       08-12-2014
Product(s) Affected: BlackBerry Enterprise Service 10
                     BlackBerry Enterprise Server for Microsoft Exchange
                     BlackBerry Enterprise Server for IBM Lotus Domino
                     BlackBerry Enterprise Server for Novell GroupWise
                     BlackBerry Enterprise Server Express for Microsoft Exchange
                     BlackBerry Enterprise Server Express for IBM Lotus Domino

Overview

This advisory addresses an information disclosure vulnerability that is not
currently being exploited but affects BlackBerry Enterprise Service 10 and
BlackBerry Enterprise Server 5.0.4 customers. BlackBerry customer risk is
limited by the default access controls on the server.

Successful exploitation requires an attacker to gain access to both the server
and certain diagnostic logs through either a valid logon or an unrelated
compromise of the server. If the requirements are met for exploitation, an
attacker could potentially gain and use logged credentials to impersonate a
valid user on a local machine or the company's network. After installing the
recommended software update and redacting logs, affected customers will be
fully protected from this vulnerability.

Who should read this advisory?

   BES10 Administrators
   BES5 Administrators

Who should apply the software fix(es)?

   BES10 Administrators
   BES5 Administrators

More Information

Have any BlackBerry customers been subject to an attack that exploits this
vulnerability?

BlackBerry is not aware of any attacks targeting BES10 or BES5 customers using
this vulnerability.

What factors affected the release of this security advisory?

This advisory addresses a privately disclosed vulnerability. BlackBerry
publishes full details of a software update in a security advisory after the
fix is available to the majority of our customers. Publishing this advisory
ensures that all of our customers can protect themselves by updating their
software, or employing available workarounds if updating is not possible.

Where can I read more about the security of BlackBerry products and solutions?

For more information on BlackBerry security, visit
http://us.blackberry.com/business/topics/security.html and
www.blackberry.com/bbsirt.

Affected Software and Resolutions

Read the following to determine if your BES10 or BES5 installation is affected.

Affected Software

   BlackBerry Enterprise Service 10 version 10 to 10.2.1
   BlackBerry Enterprise Server Express for IBM Lotus Domino v5.0.4
   BlackBerry Enterprise Server Express for Microsoft Exchange v5.0.4
   BlackBerry Enterprise Server for IBM Lotus Domino v5.0.4 MR 6 and earlier
   BlackBerry Enterprise Server for Microsoft Exchange v5.0.4 MR 6 and earlier
   BlackBerry Enterprise Server for Novell GroupWise v5.0.4 MR 6 and earlier

Non-Affected Software

   BlackBerry Enterprise Service 10 version 10.2.2 and later
   BlackBerry Enterprise Server Express for IBM Lotus Domino v5.0.4 with
      Interim Security Update for August 12, 2014
   BlackBerry Enterprise Server Express for Microsoft Exchange v5.0.4 with
      Interim Security Update for August 12, 2014
   BlackBerry Enterprise Server for IBM Lotus Domino v5.0.4 MR7 and later
   BlackBerry Enterprise Server for Microsoft Exchange v5.0.4 MR7 and later
   BlackBerry Enterprise Server for Novell GroupWise v5.0.4 MR7 and later

Are BlackBerry smartphones affected?

No

Resolution

BES10

BlackBerry has issued a fix for this vulnerability, which is included in
BlackBerry Enterprise Service version 10.2.2 and later. This software update
resolves this vulnerability on affected versions. To be fully protected from
this issue, affected customers should update to BlackBerry Enterprise Service
software version 10.2.2. Customers should also redact or delete existing logs
if they contain domain credentials or shared secrets in an encoded form or in
plain text.

Visit http://swdownloads.blackberry.com/Downloads/ to download upgrades or
maintenance releases.

Customers running an affected version who cannot update at this time should
apply an available workaround. See the Workarounds section of this advisory
for instructions.

BES5

BlackBerry has issued a fix for this vulnerability, which is included in
BlackBerry Enterprise Server version 5.0.4 MR7 and BlackBerry Enterprise
Server Express v5.0.4 with Interim Security Update for August 12, 2014. This
software update resolves this vulnerability on affected versions. To be fully
protected from this issue, affected customers should download and install the
interim security update. Customers should also redact or delete existing logs
if they contain shared secrets in an encoded form or in plain text.

Visit http://www.blackberry.com/go/serverdownloads to download the interim
security update.

Customers running an affected version who cannot update at this time should
apply an available workaround. See the Workarounds section of this advisory
for instructions.

Vulnerability Information

A vulnerability exists in the implementation of the logging of exceptions
encountered during user or session management in affected BES10 and BES5
versions. During rare cases of an exception, certain credentials are logged in
an encoded form or in plain text. For BlackBerry Enterprise Server 5, these
credentials include shared secrets that are used between the Enterprise
Instant Messenger server and device clients to encrypt enterprise instant
messages. For BES10, they consist of shared secrets and domain credentials.
Typically, only the system administrator would have access to the affected
diagnostic logs.

Shared Secrets

Successful exploitation of this vulnerability could potentially result in an
attacker gaining logged shared secrets from the exception log on BlackBerry
Enterprise Server or BES10 components. An attacker could use a shared secret
to remove encryption on Enterprise Instant Messenger messages.

In order to exploit this vulnerability, an attacker must first access the
server through either a valid logon or an unrelated compromise of the server,
and then gain access to the exception logs. This access could occur directly,
over the adjacent network if the directory were shared, or from an unencrypted
backup of the server. In order to remove encryption on enterprise instant
messages, the attacker must also gain access to relevant messages, which would
require an additional Man-in-the-middle (MitM) attack.

Domain Credentials (BES10 only)

Successful exploitation of this vulnerability could potentially result in an
attacker gaining logged domain credentials from the exception log on BES10
components. An attacker could use logged credentials to impersonate a valid
user on a local machine or the company's network.

In order to exploit this vulnerability, an attacker must first access the
server through either a valid logon or an unrelated compromise of the server,
and then gain access to the logs. This access could occur directly, over the
adjacent network if the directory were shared, or from an unencrypted backup
of the server.

This vulnerability has a Common Vulnerability Scoring System (CVSS) score of
4.9. View the linked CVE identifier for a description of the security issue
that this security advisory addresses.

CVE identifier     CVSS score
CVE-2014-1469      4.9

Mitigations

Mitigations are existing conditions that a potential attacker would need to
overcome to mount a successful attack or that would limit the severity of an
attack. Examples of such conditions include default settings, common
configurations and general best practices.

This issue is mitigated for all customers by the prerequisite that the attacker
must gain access to the affected diagnostic logs. Typically, only the system
administrator would have this access. Additionally, the logs are historical in
nature. As a result, logged information of this type may not be valid at the
time that the log is read.

Workarounds

Workarounds are settings or configuration changes that a user or administrator
can apply to help protect against an attack. BlackBerry recommends that all
users apply the available software update to fully protect their system.

All workarounds should be considered temporary measures for customers to apply
if they cannot install the update immediately or must perform standard testing
and risk analysis. BlackBerry recommends that customers who are able to do so
install the update to secure their systems.

Delete or edit the exception log file

Delete the log files used to record the activity of BES10 and BES5 components.
This will prevent access to any plain text credentials potentially contained
within the logs. Alternatively, the logs can be edited in Notepad or a similar
editor to redact information. When logs are deleted, administrators will not
have access to the files in order to monitor the activity of the server or
troubleshoot issues.

BES10

BES10 writes log files for the BlackBerry Device Service. Administrators can
use the BES10 Log Monitoring Tool (LogMonitor.exe) to monitor the BlackBerry
Device Service log files for indications that plain text domain credentials
may have been logged. To read more about the Log Monitoring Tool, see
http://docs.blackberry.com/en/admin/deliverables/63530/BES_Log_Monitoring_Tool_1766690_11.jsp.

In the Log Monitoring Tool, manually examine the logs for data that could be
considered sensitive, including identifiers or credentials logged in an
encoded form or in plain text. In the event that the logs contain data that
could be considered sensitive, locate the log files. The default file location
for BlackBerry Device Service log files is
C:\Program Files\Research In Motion\BlackBerry Device Service\Logs\.
Delete or edit the log files.

For more information about the logs for BES10 components, read the BlackBerry
Enterprise Service 10 BlackBerry Device Service Administration Guide.

BES5

Locate the log files. For log file locations, please see Log files for
BlackBerry Enterprise Server components. Manually examine the logs for data
that could be considered sensitive, including identifiers or credentials
logged in an encoded form or in plain text.
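The examine-and-redact steps above can be scripted instead of done by hand in Notepad. The Python script below is an added example for this bulletin; it is not BlackBerry's LogMonitor.exe or any BES10/BES5 code, and the sample log lines and the field names in SECRET_KEYS are constructed assumptions to be adapted to the real log layout. It flags lines that carry a credential field in plain text or a long Base64 token that decodes to readable text (the advisory's "encoded form"), then writes a redacted copy rather than editing the original in place, so the rest of the log stays usable for troubleshooting and the original can be deleted once the copy has been checked.

```python
"""Examine diagnostic log files for credentials or shared secrets logged in
plain text or in an encoded (Base64) form, then write a redacted copy.

Added example for this advisory; not BlackBerry's LogMonitor.exe or BES code.
The field names in SECRET_KEYS and the sample log lines are constructed
assumptions: adapt them to the layout of the logs you actually have.
"""
from __future__ import annotations

import base64
import binascii
import re
import tempfile
from pathlib import Path

REDACTED = "[REDACTED]"
REDACTED_ENCODED = "[REDACTED-ENCODED]"

# Field names that commonly carry a credential or shared secret (assumed list).
SECRET_KEYS = ("password", "passwd", "pwd", "sharedsecret", "shared_secret",
               "secret", "credential", "authorization")

# key=value or key: value, optionally quoted; the value runs to the next delimiter.
_KV_RE = re.compile(
    r"(?i)\b(?P<key>" + "|".join(SECRET_KEYS)
    + r")\b\s*[=:]\s*(?P<q>[\"']?)(?P<val>[^\"',;\s]+)(?P=q)"
)
# A long run of Base64 alphabet characters with optional '=' padding.
_B64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{24,}={0,2}(?![A-Za-z0-9+/])")


def looks_like_encoded_text(token: str) -> bool:
    """Heuristic: a token counts as an encoded secret only if it is valid Base64
    for printable ASCII (what an encoded user:password or shared secret looks
    like); hex IDs and random binary blobs fail this test and are left alone."""
    raw = token.rstrip("=")
    raw += "=" * (-len(raw) % 4)  # restore padding the log may have dropped
    try:
        decoded = base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        return False
    return all(32 <= b < 127 for b in decoded)


def redact_line(line: str) -> tuple[str, list[str]]:
    """Return the redacted line and the reasons it was flagged (empty if clean)."""
    hits: list[str] = []

    def _kv(m: re.Match) -> str:
        hits.append(f"plain-text value for '{m.group('key')}'")
        sep = m.string[m.end("key"):m.start("q")]  # the '=' or ': ' between key and value
        return f"{m.group('key')}{sep}{m.group('q')}{REDACTED}{m.group('q')}"

    def _b64(m: re.Match) -> str:
        if not looks_like_encoded_text(m.group(0)):
            return m.group(0)
        hits.append("Base64 token that decodes to readable text")
        return REDACTED_ENCODED

    return _B64_RE.sub(_b64, _KV_RE.sub(_kv, line)), hits


def find_sensitive_lines(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Examine step: (1-based line number, reasons) for every line needing attention."""
    findings = []
    for n, line in enumerate(lines, 1):
        _, hits = redact_line(line)
        if hits:
            findings.append((n, hits))
    return findings


def redact_log_file(src: Path, dst: Path) -> int:
    """Redact step: write a redacted copy of src to dst and return the number of
    lines changed. The original is left untouched for comparison, then deleted."""
    changed = 0
    with src.open(encoding="utf-8", errors="replace") as fin, \
            dst.open("w", encoding="utf-8") as fout:
        for line in fin:
            out, hits = redact_line(line)
            changed += 1 if hits else 0
            fout.write(out)
    return changed


# Constructed sample; not the real BES10/BES5 log format.
SAMPLE_LOG = """\
2014-08-12 10:14:03 INFO  BDS session opened for user jdoe
2014-08-12 10:14:05 ERROR Exception in UserManager.bind: dn=CN=jdoe,DC=corp,DC=example; password=Winter2014!
2014-08-12 10:14:05 ERROR Exception in SessionManager: authHeader=QWxhZGRpbjpvcGVuIHNlc2FtZQ==
2014-08-12 10:14:06 WARN  EIM client sync retry; sharedSecret: "7f3a9c1b2d4e"
2014-08-12 10:14:07 INFO  request id 5f2d9e6c-3b1a-4c8e-9d0f-1a2b3c4d5e6f completed
"""


def demo() -> tuple[int, str]:
    """Run both steps over SAMPLE_LOG in a temp dir; return (lines changed, redacted text)."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "BDS_sample.txt", Path(tmp) / "BDS_sample.redacted.txt"
        src.write_text(SAMPLE_LOG, encoding="utf-8")
        changed = redact_log_file(src, dst)
        return changed, dst.read_text(encoding="utf-8")


if __name__ == "__main__":
    for n, reasons in find_sensitive_lines(SAMPLE_LOG.splitlines()):
        print(f"line {n}: {'; '.join(reasons)}")
    changed, redacted = demo()
    print(f"\n{changed} line(s) redacted:\n{redacted}")
```

Run it over a copy of the log directory first and review the findings it reports before relying on the redacted files; the Base64 test is a heuristic, so anything it leaves behind still needs the manual examination the advisory describes, and the redacted copy must replace (not sit beside) the original once verified.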
Delete or edit the log files.

Definitions

CVE

Common Vulnerabilities and Exposures (CVE) is a dictionary of common names
(CVE Identifiers) for publicly known information security vulnerabilities
maintained by the MITRE Corporation.

CVSS

CVSS is a vendor agnostic, industry open standard designed to convey the
severity of vulnerabilities. CVSS scores may be used to determine the urgency
for update deployment within an organization. CVSS scores can range from 0.0
(no vulnerability) to 10.0 (critical). BlackBerry uses CVSS in vulnerability
assessments to present an immutable characterization of security issues.
BlackBerry assigns all relevant security issues a non-zero score. Customers
performing their own risk assessments of vulnerabilities that may impact them
can benefit from using the same industry-recognized CVSS metrics.

Change Log

08-12-2014 Initial publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBU+1WfhLndAQH1ShLAQJlBBAAnAr9SaFJrN2g3SKVgaoj8qKkHIZbhPsT
P5FxV8OLROcP5FQEBUlyHQx5WHPGiJRJD633N3PabnA/3hVZlnZBQdQkqpRgA76S
V4neMfHan+9biKvy12i7VJbM2xY6cBHAjTmBvEIkxelCVC75lGiFLMoHlyVo8QiD
cFE2+GSZvwx9IIs3JtpMf4jwm3rS56CEDXlZLVJ8Sc47iz0cxQj4C3gqsn230mhg
PaycLFuYc9fPkbr3T+bYKF4X/TaZXo1Y/LvyykHRUvwxr8CBUGF+kwOIrTRIgPGN
nXWKCWjETSEOI5LYIrJeOKNgoC7YMMCfrTBP1Jt2UHu9Q8l+oLcKba8mb/OGbONn
cBYXiZrdstWktx+u5nJEkL1TK/NVbDvZB36EDhHy10ZA2ICwIDXMm4jJnf1vccFq
klXyt+qe4z+4tcXVYkV/rde8u+ssNPQPbedfXrNP38uptFcwdKIj28IZUwprjigl
2gcT0u38cmUvYC36eE+fOVCVe5nRN1BZRx89rIVWgv3HUi/FC5sDdBio+erX0AcR
9DLSmM8XUVtN86nb8KzBLcVwnufB2auvuY5aPqjZsnypSAcWlJNCZJPGGvyEBKt9
vwxS2dtu+3TsnjwMWkBAtQ+uD9r2axBr9jsaBZd0o0/az7EMLAhDMboXfoRn0fSw
apF9ZNugxCk=
=ij1S
-----END PGP SIGNATURE-----