-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1391
   BSRT-2014-007 Information disclosure vulnerability affects BlackBerry
       Enterprise Service 10 and BlackBerry Enterprise Server 5.0.4
                              14 August 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BlackBerry Enterprise Service 10
                   BlackBerry Enterprise Server for Microsoft Exchange
                   BlackBerry Enterprise Server for IBM Lotus Domino
                   BlackBerry Enterprise Server for Novell GroupWise
                   BlackBerry Enterprise Server Express for Microsoft Exchange
                   BlackBerry Enterprise Server Express for IBM Lotus Domino
Publisher:         BlackBerry
Operating System:  Windows
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-1469  

Original Bulletin: 
   http://www.blackberry.com/btsc/KB36175

- --------------------------BEGIN INCLUDED TEXT--------------------

BSRT-2014-007 Information disclosure vulnerability affects BlackBerry 
Enterprise Service 10 and BlackBerry Enterprise Server 5.0.4

Article ID: KB36175

Type: BlackBerry Security Advisory

First Published: 08-12-2014

Last Modified: 08-12-2014

Product(s) Affected:

    BlackBerry Enterprise Service 10

    BlackBerry Enterprise Server for Microsoft Exchange

    BlackBerry Enterprise Server for IBM Lotus Domino

    BlackBerry Enterprise Server for Novell GroupWise

    BlackBerry Enterprise Server Express for Microsoft Exchange

    BlackBerry Enterprise Server Express for IBM Lotus Domino

Overview

This advisory addresses an information disclosure vulnerability that is not 
currently being exploited but affects BlackBerry Enterprise Service 10 and 
BlackBerry Enterprise Server 5.0.4 customers. BlackBerry customer risk is 
limited by the default access controls on the server. Successful exploitation
requires an attacker to gain access to both the server and certain diagnostic
logs through either a valid logon or an unrelated compromise of the server. If
the requirements are met for exploitation, an attacker could potentially gain
and use logged credentials to impersonate a valid user on a local machine or 
the company's network. After installing the recommended software update and 
redacting logs, affected customers will be fully protected from this 
vulnerability.

Who should read this advisory?

    BES10 Administrators

    BES5 Administrators

Who should apply the software fix(es)?

    BES10 Administrators

    BES5 Administrators

More Information

Have any BlackBerry customers been subject to an attack that exploits this 
vulnerability?

BlackBerry is not aware of any attacks targeting BES10 or BES5 customers using
this vulnerability.

What factors affected the release of this security advisory?

This advisory addresses a privately disclosed vulnerability. BlackBerry 
publishes full details of a software update in a security advisory after the 
fix is available to the majority of our customers. Publishing this advisory 
ensures that all of our customers can protect themselves by updating their 
software, or employing available workarounds if updating is not possible.

Where can I read more about the security of BlackBerry products and solutions?

For more information on BlackBerry security, visit 
http://us.blackberry.com/business/topics/security.html and 
www.blackberry.com/bbsirt.

Affected Software and Resolutions

Read the following to determine if your BES10 or BES5 installation is 
affected.

Affected Software

    BlackBerry Enterprise Service 10 version 10 to 10.2.1

    BlackBerry Enterprise Server Express for IBM Lotus Domino v5.0.4

    BlackBerry Enterprise Server Express for Microsoft Exchange v5.0.4

    BlackBerry Enterprise Server for IBM Lotus Domino v5.0.4 MR 6 and earlier

    BlackBerry Enterprise Server for Microsoft Exchange v5.0.4 MR 6 and 
    earlier

    BlackBerry Enterprise Server for Novell GroupWise v5.0.4 MR 6 and earlier

Non-Affected Software

    BlackBerry Enterprise Service 10 version 10.2.2 and later

    BlackBerry Enterprise Server Express for IBM Lotus Domino v5.0.4 with 
    Interim Security Update for August 12, 2014

    BlackBerry Enterprise Server Express for Microsoft Exchange v5.0.4 with 
    Interim Security Update for August 12, 2014

    BlackBerry Enterprise Server for IBM Lotus Domino v5.0.4 MR7 and later

    BlackBerry Enterprise Server for Microsoft Exchange v5.0.4 MR7 and later

    BlackBerry Enterprise Server for Novell GroupWise v5.0.4 MR7 and later

Are BlackBerry smartphones affected?

No

Resolution

BES10

BlackBerry has issued a fix for this vulnerability, which is included in 
BlackBerry Enterprise Service version 10.2.2 and later. This software update 
resolves this vulnerability on affected versions. To be fully protected from 
this issue, affected customers should update to BlackBerry Enterprise Service
software version 10.2.2. Customers should also redact or delete existing logs
if they contain domain credentials or shared secrets in an encoded form or in 
plain text. Visit http://swdownloads.blackberry.com/Downloads/ to download 
upgrades or maintenance releases. Customers running an affected version who 
cannot update at this time should apply an available workaround. See the 
Workarounds section of this advisory for instructions.

BES5

BlackBerry has issued a fix for this vulnerability, which is included in 
BlackBerry Enterprise Server version 5.0.4 MR7 and BlackBerry Enterprise 
Server Express v5.0.4 with Interim Security Update for August 12, 2014. This 
software update resolves this vulnerability on affected versions. To be fully
protected from this issue, affected customers should download and install the
interim security update. Customers should also redact or delete existing logs
if they contain shared secrets in an encoded form or in plain text. Visit 
http://www.blackberry.com/go/serverdownloads to download the interim security
update. Customers running an affected version who cannot update at this time 
should apply an available workaround. See the Workarounds section of this 
advisory for instructions.

Vulnerability Information

A vulnerability exists in the implementation of the logging of exceptions 
encountered during user or session management in affected BES10 and BES5 
versions. During rare cases of an exception, certain credentials are logged in
an encoded form or in plain text. For BlackBerry Enterprise Server 5, these 
credentials include shared secrets that are used between the Enterprise 
Instant Messenger server and device clients to encrypt enterprise instant 
messages. For BES10, they consist of shared secrets and domain credentials. 
Typically, only the system administrator would have access to the affected 
diagnostic logs.

Shared Secrets

Successful exploitation of this vulnerability could potentially result in an 
attacker gaining logged shared secrets from the exception log on BlackBerry 
Enterprise Server or BES10 components. An attacker could use a shared secret 
to remove encryption on Enterprise Instant Messenger messages.

In order to exploit this vulnerability, an attacker must first access the 
server through either a valid logon or an unrelated compromise of the server,
and then gain access to the exception logs. This access could occur directly,
over the adjacent network if the directory were shared, or from an unencrypted
backup of the server. In order to remove encryption on enterprise instant 
messages, the attacker must also gain access to relevant messages, which would
require an additional Man-in-the-middle (MitM) attack.

Domain Credentials (BES10 only)

Successful exploitation of this vulnerability could potentially result in an 
attacker gaining logged domain credentials from the exception log on BES10 
components. An attacker could use logged credentials to impersonate a valid 
user on a local machine or the company's network.

In order to exploit this vulnerability, an attacker must first access the 
server through either a valid logon or an unrelated compromise of the server,
and then gain access to the logs. This access could occur directly, over the 
adjacent network if the directory were shared, or from an unencrypted backup 
of the server.

This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 
4.9. View the linked CVE identifier for a description of the security issue 
that this security advisory addresses.

CVE identifier - CVSS score

CVE-2014-1469 - 4.9

Mitigations

Mitigations are existing conditions that a potential attacker would need to 
overcome to mount a successful attack or that would limit the severity of an 
attack. Examples of such conditions include default settings, common 
configurations and general best practices.

This issue is mitigated for all customers by the prerequisite that the 
attacker must gain access to the affected diagnostic logs. Typically, only the
system administrator would have this access.

Additionally, the logs are historical in nature. As a result, logged 
information of this type may not be valid at the time that the log is read.

Workarounds

Workarounds are settings or configuration changes that a user or administrator
can apply to help protect against an attack. BlackBerry recommends that all 
users apply the available software update to fully protect their system. All 
workarounds should be considered temporary measures for customers to apply if
they cannot install the update immediately or must perform standard testing 
and risk analysis. BlackBerry recommends that customers who are able to do so
install the update to secure their systems.

Delete or edit the exception log file

Delete the log files used to record the activity of BES10 and BES5 components.
This will prevent access to any plain text credentials potentially contained 
within the logs.

Alternatively, the logs can be edited in Notepad or a similar editor to redact
information.

When logs are deleted, administrators will not have access to the files in 
order to monitor the activity of the server or troubleshoot issues.

BES10

BES10 log files for the BlackBerry Device Service.

Administrators can use the BES10 Log Monitoring Tool (LogMonitor.exe) to 
monitor the BlackBerry Device Service log files for indications that plain 
text domain credentials may have been logged. To read more about the Log 
Monitoring Tool, see 
http://docs.blackberry.com/en/admin/deliverables/63530/BES_Log_Monitoring_Tool_1766690_11.jsp.

    In the Log Monitoring Tool, manually examine the logs for data that could
be considered sensitive, including identifiers or credentials logged in an 
encoded form or in plain text. In the event that the logs contain data that 
could be considered sensitive, locate the log files. The default file location
for BlackBerry Device Service log files is C:\Program Files\Research In 
Motion\BlackBerry Device Service\Logs\. Delete or edit the log files.

For more information about the logs for BES10 components, read the BlackBerry
Enterprise Service 10 BlackBerry Device Service Administration Guide.

BES5

    Locate the log files. For log file locations, please see Log files for 
BlackBerry Enterprise Server components. Manually examine the logs for data 
that could be considered sensitive, including identifiers or credentials 
logged in an encoded form or in plain text. Delete or edit the log files.
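The examine-then-redact step is described as a manual task for both the BES10 and
BES5 workarounds. The following PowerShell script is an added example, not
BlackBerry's or AusCERT's tooling, that automates it: it walks a log directory,
flags lines matching credential-like patterns, writes a report that carries only
the masked form of each flagged line (so the report does not become a second copy
of the secret), and with -Redact rewrites the files in place. The default
directory is the BES10 path given in this advisory; the file extensions, the
regular expressions, and the function and parameter names are assumptions, since
the advisory does not show the exact format of the affected exception entries.

```powershell
<#
  Added example for BSRT-2014-007 (not BlackBerry's or AusCERT's own tooling).
  Scans BES log files for lines that look like they carry credentials or shared
  secrets, writes a report containing only masked lines, and with -Redact
  rewrites the files in place with the values masked.
  Assumptions: log location (BES10 default path from the advisory), file
  extensions, and the patterns below. Tune the patterns to your own logs.
#>
param(
    [string]$LogDir     = 'C:\Program Files\Research In Motion\BlackBerry Device Service\Logs',
    [string]$ReportPath = (Join-Path $env:TEMP 'bes-log-scan.txt'),
    [switch]$Redact     # without this switch the script only reports
)

# Assumed indicator patterns. Groups 1 and 2 keep the key and separator so the
# report stays readable; only the value is masked. The second pattern flags
# long Base64-looking runs, where an "encoded" secret would appear; expect noise.
$keyValuePattern = '(?i)\b(password|passwd|pwd|secret|shared\s?secret|token|credential)\b(\s*[=:]\s*)\S+'
$encodedPattern  = '(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{40,}={0,2}(?![A-Za-z0-9+/=])'

# Hypothetical helper: returns the line with any matched values masked.
function Protect-LogLine {
    param([string]$Line)
    $masked = [regex]::Replace($Line, $keyValuePattern, '$1$2[REDACTED]')
    $masked = [regex]::Replace($masked, $encodedPattern, '[REDACTED-ENCODED]')
    return $masked
}

if (-not (Test-Path -LiteralPath $LogDir)) { throw "Log directory not found: $LogDir" }

# PSIsContainer / -contains keep this usable on the older PowerShell found on 2014-era servers.
$files = Get-ChildItem -Path $LogDir -Recurse |
         Where-Object { -not $_.PSIsContainer -and ('.txt', '.log') -contains $_.Extension.ToLower() }

$report    = New-Object System.Collections.ArrayList
$totalHits = 0
foreach ($file in $files) {
    $lines   = Get-Content -Path $file.FullName
    $out     = New-Object System.Collections.ArrayList
    $changed = $false
    $lineNo  = 0
    foreach ($line in $lines) {
        $lineNo++
        $masked = Protect-LogLine $line
        if ($masked -ne $line) {
            $changed = $true
            $totalHits++
            # Record only the masked form; the report must not leak what it found.
            [void]$report.Add(("{0}:{1}: {2}" -f $file.FullName, $lineNo, $masked))
        }
        [void]$out.Add($masked)
    }
    if ($Redact -and $changed) {
        try {
            # A log the running BES service is still writing may be locked; a
            # failure here is reported, not hidden. UTF8 keeps the file readable
            # by the same tools; Windows PowerShell adds a BOM, which is harmless here.
            Set-Content -Path $file.FullName -Value $out -Encoding UTF8 -ErrorAction Stop
            [void]$report.Add(("REDACTED: {0}" -f $file.FullName))
        } catch {
            [void]$report.Add(("FAILED to rewrite {0}: {1}" -f $file.FullName, $_.Exception.Message))
        }
    }
}

$report | Out-File -FilePath $ReportPath -Encoding UTF8
Write-Output ("Scanned {0} file(s); {1} suspicious line(s); report: {2}" -f @($files).Count, $totalHits, $ReportPath)
```

Run it first without -Redact and review the report, then rerun with -Redact once
the patterns are tuned. Because this advisory lists an unencrypted server backup
as one way the logs can be reached, the script deliberately keeps no
pre-redaction copy of the files; if one is needed for troubleshooting, it belongs
under the same access controls as the live logs.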

Definitions

CVE

Common Vulnerabilities and Exposures (CVE) is a dictionary of common names 
(CVE Identifiers) for publicly known information security vulnerabilities 
maintained by the MITRE Corporation.

CVSS

CVSS is a vendor agnostic, industry open standard designed to convey the 
severity of vulnerabilities. CVSS scores may be used to determine the urgency
for update deployment within an organization. CVSS scores can range from 0.0 
(no vulnerability) to 10.0 (critical). BlackBerry uses CVSS in vulnerability 
assessments to present an immutable characterization of security issues. 
BlackBerry assigns all relevant security issues a non-zero score. Customers 
performing their own risk assessments of vulnerabilities that may impact them
can benefit from using the same industry-recognized CVSS metrics.

Change Log

08-12-2014

Initial publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----