-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1864
      BSRT-2014-008 Vulnerability in BlackBerry World service affects
                          BlackBerry 10 smartphones
                              16 October 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BlackBerry 10 smartphones
Publisher:         RIM
Operating System:  BlackBerry Device
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-6611

Original Bulletin:
   http://www.blackberry.com/btsc/kb36360

- --------------------------BEGIN INCLUDED TEXT--------------------

BSRT-2014-008 Vulnerability in BlackBerry World service affects BlackBerry 10
smartphones

Article ID:      KB36360
Type:            BlackBerry Security Advisory
First Published: 10-14-2014
Last Modified:   10-14-2014

Overview

This advisory addresses a spoofing vulnerability that is not currently being
exploited but affects BlackBerry 10 smartphone customers running the BlackBerry
World app. BlackBerry customer risk is limited both by the requirement that
customers must first connect to an attacker-controlled network and by the
inability of a potential attacker to force exploitation of the vulnerability
without customer interaction.

Successful exploitation requires an attacker to intercept a user's application
download/update request from BlackBerry World over a compromised network and
replace the response from the server with a malicious file, and requires that a
user accept the permissions and install the malicious app. If the requirements
are met for exploitation, an attacker could potentially gain access to any data
or settings allowed by the app permissions that the user granted.

After installing the recommended software update, affected customers will be
fully protected from this vulnerability.
Who should read this advisory?

  - BlackBerry World for BlackBerry 10 smartphone users
  - IT administrators who deploy BlackBerry 10 smartphones with BlackBerry
    World enabled in the personal space

Who should apply the software fix(es)?

  - BlackBerry World for BlackBerry 10 smartphone users
  - IT administrators who deploy BlackBerry 10 smartphones with BlackBerry
    World enabled in the personal space

More Information

Have any BlackBerry customers been subject to an attack that exploits this
vulnerability?

BlackBerry is not aware of any attacks targeting BlackBerry 10 smartphone
customers using this vulnerability.

What factors affected the release of this security advisory?

This advisory addresses a publicly known vulnerability. BlackBerry publishes
full details of a software update in a security advisory after the fix is
available to the majority of our customers and wireless service provider
partners. Publishing this advisory ensures that all of our customers can protect
themselves by updating their software, or employing available workarounds if
updating is not possible.

Where can I read more about the security of BlackBerry products and solutions?

For more information on BlackBerry security, visit
http://us.blackberry.com/business/topics/security.html and
www.blackberry.com/bbsirt.

Affected Software and Resolutions

Read the following information to determine if your BlackBerry 10 smartphone is
affected.

Affected Software

BlackBerry World impacted versions on BlackBerry 10 smartphones. The impacted
versions depend on the BlackBerry 10 OS version, as follows:

  BlackBerry 10 OS version   Affected BlackBerry World versions
  10.3.0                     Versions earlier than 5.1.0.53
  10.2.1                     Versions earlier than 5.0.0.263
  10.2.0                     Versions earlier than 5.0.0.262

Non-Affected Software

BlackBerry World resolution versions on BlackBerry 10 smartphones.
The resolution versions depend on the BlackBerry 10 OS version, as follows:

  BlackBerry 10 OS version   Resolution BlackBerry World versions
  10.3.0                     Versions 5.1.0.53 and later
  10.2.1                     Versions 5.0.0.263 and later
  10.2.0                     Versions 5.0.0.262 and later

Are BlackBerry smartphones affected?

Yes; BlackBerry 10 smartphones running BlackBerry World versions earlier than
the specified impacted versions are affected.

Resolution

BlackBerry has issued a fix for this vulnerability, which is included in the
specified BlackBerry World resolution versions. The resolution versions depend
on the BlackBerry 10 OS version, as follows:

  BlackBerry 10 OS version   Resolution BlackBerry World versions
  10.3.0                     Versions 5.1.0.53 and later
  10.2.1                     Versions 5.0.0.263 and later
  10.2.0                     Versions 5.0.0.262 and later

This software update resolves this vulnerability on affected versions of
BlackBerry 10 smartphones. Update BlackBerry World software to the version
specified for your BlackBerry 10 OS version to be fully protected from this
issue. Customers running an affected version who cannot update at this time
should apply an available workaround.

Update by accessing the BlackBerry World update notification in the Hub

BlackBerry smartphones use notifications to keep customers informed about
software updates. When an app update notification is available, it appears in
the Notifications section of the BlackBerry Hub on affected BlackBerry 10
smartphones. View the notifications and follow the steps to access the latest
app update notification and complete the app update.

Manually update the BlackBerry World application

You can download BlackBerry World or manually update your existing version of
BlackBerry World by visiting www.mobile.blackberry.com from your BlackBerry
device or by visiting www.blackberry.com/blackberryworld from a computer.
Vulnerability Information

A vulnerability exists in the BlackBerry World service's download mechanism,
which is used by the BlackBerry World app on affected BlackBerry 10
smartphones. BlackBerry World allows you to search for and download apps for
your BlackBerry device.

BlackBerry World employs application integrity checking and secure download
methods to ensure that the correct app is downloaded and installed. In some
cases, a weakness in these methods could allow an attacker, through a
man-in-the-middle attack, to intercept a user's BlackBerry World application
download and, as a result, install malware on the device.

Successful exploitation of this vulnerability could potentially result in an
attacker gaining access to any data or settings that are accessible through the
permissions that the user accepted when installing the malicious app.

In order to exploit this vulnerability, an attacker must intercept a user's
application download/update request from BlackBerry World over a compromised
network and replace the response from the server with a malicious file. The
user must then accept the app permissions and install the malicious
application.

This vulnerability has a Common Vulnerability Scoring System (CVSS) score of
4.3.

View the linked Common Vulnerabilities and Exposures (CVE) identifier for a
description of the security issue that this security advisory addresses.

  CVE identifier   CVSS score
  CVE-2014-6611    4.3

Mitigations

Mitigations are existing conditions that a potential attacker would need to
overcome in order to mount a successful attack or that would limit the severity
of an attack. Examples of such conditions include default settings, common
configurations and general best practices.

This issue is mitigated for all customers by the prerequisite that the attacker
must persuade the customer to download the malicious application and accept the
permissions.
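As an added illustration of the integrity check the advisory describes, and not code from the advisory or from BlackBerry World, the following Python shows a weak client that installs whatever bytes the download channel returned beside a hardened client that compares the download against a size and SHA-256 digest taken from a manifest obtained over an authenticated channel, so a response substituted on a compromised network is rejected before any permission prompt. The package bytes, manifest layout and function names are constructed assumptions, and the manifest channel is assumed to be TLS with certificate validation.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample bytes standing in for an app package served by the store (hypothetical format).
GENUINE_PACKAGE = b"BAR\x00genuine-app-v1.0\x00" + bytes(range(64))
# Constructed stand-ins for what an on-path attacker might return in place of the server's response:
# one of a different size, and one of the same size with a single byte altered.
SUBSTITUTED_PACKAGE = b"BAR\x00not-the-app\x00" + bytes(range(64, 128))
TAMPERED_PACKAGE = GENUINE_PACKAGE[:-1] + bytes([GENUINE_PACKAGE[-1] ^ 0x01])

@dataclass(frozen=True)
class StoreManifest:
    """App metadata fetched over an authenticated channel (assumed: TLS with certificate
    validation), separately from the package body that the download request returns."""
    app_id: str
    version: str
    size: int
    sha256_hex: str

def build_manifest(app_id: str, version: str, package: bytes) -> StoreManifest:
    """Store side: publish the size and SHA-256 of the package alongside its listing."""
    return StoreManifest(app_id, version, len(package), hashlib.sha256(package).hexdigest())

def install_unverified(downloaded: bytes) -> dict:
    """Weak client: installs whatever bytes the download channel returned, so a
    substituted response on a compromised network is installed unchanged."""
    return {"installed": True, "size": len(downloaded)}

def install_verified(manifest: StoreManifest, downloaded: bytes) -> dict:
    """Hardened client: install only if size and digest match the manifest."""
    if len(downloaded) != manifest.size:
        raise ValueError(f"{manifest.app_id}: size {len(downloaded)} != expected {manifest.size}")
    digest = hashlib.sha256(downloaded).hexdigest()
    if not hmac.compare_digest(digest, manifest.sha256_hex):  # constant-time hex comparison
        raise ValueError(f"{manifest.app_id}: SHA-256 mismatch, download rejected")
    return {"installed": True, "size": len(downloaded)}

def install_outcome(manifest: StoreManifest, downloaded: bytes) -> str:
    """Return 'installed' or 'rejected' so the caller can log the decision."""
    try:
        install_verified(manifest, downloaded)
        return "installed"
    except ValueError:
        return "rejected"
```

A real store would additionally sign the manifest so that it cannot be altered on the same compromised network; the digest comparison shown here is the step that turns a silent substitution into a logged rejection.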
In order to exploit this vulnerability, an attacker must gain control of the
network that the customer is using to make the download/update request.

All BlackBerry World downloads are now protected by SSL encryption, which helps
mitigate the risk to customers running affected versions, including on
BlackBerry 10 OS versions earlier than 10.2.0.

This issue is further mitigated for customers downloading enterprise-supplied
apps from the Enterprise BlackBerry World storefront located in the work space.

Workarounds

Workarounds are settings or configuration changes that a user or administrator
can apply to help protect against an attack. BlackBerry recommends that all
users apply the available software update to fully protect their system. All
workarounds should be considered temporary measures for customers to apply if
they cannot install the update immediately or must perform standard testing and
risk analysis. BlackBerry recommends that customers who are able to do so
install the update to secure their systems.

  - Users should download or update apps only while they are connected to
    trusted networks.
  - Users should consider which application permission settings to grant or
    deny whenever installing applications from BlackBerry World.

More Information

What is BlackBerry World?

BlackBerry World is an application distribution service that allows you to
search for and download apps for your BlackBerry device. BlackBerry World is
available as an app for your BlackBerry 10 smartphone.

Definitions

CVE

Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (CVE
Identifiers) for publicly known information security vulnerabilities maintained
by the MITRE Corporation.

CVSS

CVSS is a vendor agnostic, industry open standard designed to convey the
severity of vulnerabilities. CVSS scores may be used to determine the urgency
for update deployment within an organization. CVSS scores can range from 0.0
(no vulnerability) to 10.0 (critical).
BlackBerry uses CVSS in vulnerability assessments to present an immutable
characterization of security issues. BlackBerry assigns all relevant security
issues a non-zero score. Customers performing their own risk assessments of
vulnerabilities that may impact them can benefit from using the same
industry-recognized CVSS metrics.

Acknowledgements

BlackBerry would like to thank Henry Hoggard of MWR Labs for his involvement in
helping protect our customers.

Change Log

10-14-2014   Initial Publication

Disclaimer

By downloading, accessing or otherwise using the Knowledge Base documents you
agree: (a) that the terms of use for the documents found at
www.blackberry.com/legal/knowledgebase apply to your use or reference to these
documents; and (b) not to copy, distribute, disclose or reproduce, in full or
in part any of the documents without the express written consent of RIM. Visit
the BlackBerry Technical Solution Center at www.blackberry.com/btsc.

Copyright (c) 2012 Research In Motion Limited, unless otherwise noted.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who that
is, please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from following
or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be
updated when updates to the original are made. If downloading at a later date,
it is recommended that the bulletin is retrieved directly from the author's
website to ensure that the information is still current.

Contact information for the authors of the original document is included in the
Security Bulletin above. If you have any questions or need further information,
please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================