
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1864
          BSRT-2014-008 Vulnerability in BlackBerry World service
                     affects BlackBerry 10 smartphones
                              16 October 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BlackBerry 10 smartphones
Publisher:         RIM
Operating System:  BlackBerry Device
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-6611  

Original Bulletin: 
   http://www.blackberry.com/btsc/kb36360

- --------------------------BEGIN INCLUDED TEXT--------------------

BSRT-2014-008 Vulnerability in BlackBerry World service affects BlackBerry 10
smartphones

Article ID: KB36360

Type: BlackBerry Security Advisory

First Published: 10-14-2014

Last Modified: 10-14-2014

Overview

This advisory addresses a spoofing vulnerability that is not currently being 
exploited but affects BlackBerry 10 smartphone customers running the 
BlackBerry World app. BlackBerry customer risk is limited both by the 
requirement that customers must first connect to an attacker-controlled 
network and by the inability of a potential attacker to force exploitation of
the vulnerability without customer interaction. Successful exploitation 
requires an attacker to intercept a user's application download/update request
from BlackBerry World over a compromised network and replace the response from
the server with a malicious file, and it also requires that the user accept the 
permissions and install the malicious app. If the requirements for 
exploitation are met, an attacker could potentially gain access to any data or 
settings allowed by the app permissions that the user granted. After 
installing the recommended software update, affected customers will be fully 
protected from this vulnerability.

Who should read this advisory?

    BlackBerry World for BlackBerry 10 smartphone users

    IT administrators who deploy BlackBerry 10 smartphones with BlackBerry 
    World enabled in the personal space

Who should apply the software fix(es)?

    BlackBerry World for BlackBerry 10 smartphone users

    IT administrators who deploy BlackBerry 10 smartphones with BlackBerry 
    World enabled in the personal space

More Information

Have any BlackBerry customers been subject to an attack that exploits this 
vulnerability?

BlackBerry is not aware of any attacks targeting BlackBerry 10 smartphone 
customers using this vulnerability.

What factors affected the release of this security advisory?

This advisory addresses a publicly known vulnerability. BlackBerry publishes 
full details of a software update in a security advisory after the fix is 
available to the majority of our customers and wireless service provider 
partners. Publishing this advisory ensures that all of our customers can 
protect themselves by updating their software, or employing available 
workarounds if updating is not possible.

Where can I read more about the security of BlackBerry products and solutions?
For more information on BlackBerry security, visit 
http://us.blackberry.com/business/topics/security.html and 
www.blackberry.com/bbsirt.

Affected Software and Resolutions

Read the following information to determine if your BlackBerry 10 smartphone 
is affected.

Affected Software

    BlackBerry World impacted versions on BlackBerry 10 smartphones. The 
    impacted versions depend on the BlackBerry 10 OS version, as follows:

BlackBerry 10 OS version   Affected BlackBerry World versions
10.3.0                     Versions earlier than 5.1.0.53
10.2.1                     Versions earlier than 5.0.0.263
10.2.0                     Versions earlier than 5.0.0.262

Non-Affected Software

    BlackBerry World resolution versions on BlackBerry 10 smartphones. The 
    resolution versions depend on the BlackBerry 10 OS version, as follows:

BlackBerry 10 OS version   Resolution BlackBerry World versions
10.3.0                     Versions 5.1.0.53 and later
10.2.1                     Versions 5.0.0.263 and later
10.2.0                     Versions 5.0.0.262 and later

Are BlackBerry smartphones affected?

Yes; BlackBerry 10 smartphones running BlackBerry World versions earlier than
the specified impacted versions are affected.

Resolution

BlackBerry has issued a fix for this vulnerability, which is included in the 
specified BlackBerry World resolution versions. The resolution versions depend
on the BlackBerry 10 OS version, as follows:

BlackBerry 10 OS version   Resolution BlackBerry World versions
10.3.0                     Versions 5.1.0.53 and later
10.2.1                     Versions 5.0.0.263 and later
10.2.0                     Versions 5.0.0.262 and later

This software update resolves this vulnerability on affected versions of 
BlackBerry 10 smartphones. Update BlackBerry World software to the version 
specified for your BlackBerry 10 OS version to be fully protected from this 
issue. Customers running an affected version who cannot update at this time 
should apply an available workaround.

Update by accessing the BlackBerry World update notification in the Hub

BlackBerry smartphones use notifications to keep customers informed about 
software updates. When an app update notification is available, it appears in
the Notifications section of the BlackBerry Hub on affected BlackBerry 10 
smartphones.

View the notifications and follow the steps to access the latest app update 
notification and complete the app update.

Manually update the BlackBerry World application

You can download BlackBerry World or manually update your existing version of
BlackBerry World by visiting www.mobile.blackberry.com from your BlackBerry 
device or by visiting www.blackberry.com/blackberryworld from a computer.

Vulnerability Information

A vulnerability exists in the BlackBerry World service's download mechanism, 
which is used by the BlackBerry World app on affected BlackBerry 10 
smartphones. BlackBerry World allows you to search for and download apps for 
your BlackBerry device. BlackBerry World employs application integrity 
checking and secure download methods to ensure that the correct app is 
downloaded and installed. In some cases, a weakness in these methods could 
allow an attacker, through a man-in-the-middle attack, to intercept a user's 
BlackBerry World application download and, as a result, install malware on the
device. Successful exploitation of this vulnerability could potentially result
in an attacker gaining access to any data or settings that are accessible 
through the permissions that the user accepted when installing the malicious 
app.

In order to exploit this vulnerability, an attacker must intercept a user's 
application download/update request from BlackBerry World over a compromised 
network and replace the response from the server with a malicious file. The 
user must then accept the app permissions and install the malicious 
application.
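The weakness class described above, as an added illustration that is not BlackBerry's code and does not reflect how BlackBerry World is implemented: a toy download flow in which an attacker-controlled network swaps the whole server response, showing why an integrity value carried inside the same interceptable reply gives no protection, while a digest the client already holds from an earlier, separately authenticated step does. All package bytes, function names and the single-digest "catalog" are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Response:
    body: bytes   # the application package as received
    digest: str   # hex SHA-256 the sender claims for body (in-band value)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for a genuine package and a malicious replacement.
GENUINE_APP = b"constructed-genuine-app-package"
MALICIOUS_APP = b"constructed-malicious-app-package"


def store_serve(app: bytes) -> Response:
    """Legitimate store: returns the package and its digest in one reply."""
    return Response(app, sha256_hex(app))


def hostile_network(resp: Response) -> Response:
    """Models the compromised network in the advisory: the entire response is
    replaced, so the in-band digest is replaced consistently with the body."""
    return Response(MALICIOUS_APP, sha256_hex(MALICIOUS_APP))


def client_inband_check(resp: Response) -> bool:
    """Weak: trusts a digest that travelled with the same interceptable reply.
    Any substituted body arrives with a matching substituted digest."""
    return sha256_hex(resp.body) == resp.digest


def client_pinned_check(resp: Response, expected_digest: str) -> bool:
    """Hardened: compares against a digest the client obtained before the
    download through a separately authenticated channel (assumed here)."""
    return sha256_hex(resp.body) == expected_digest


def install_decision(use_pinned: bool, attacked: bool) -> bool:
    """True if the client would accept the received package for installation."""
    expected = sha256_hex(GENUINE_APP)   # learned earlier, not from the download
    resp = store_serve(GENUINE_APP)
    if attacked:
        resp = hostile_network(resp)
    if use_pinned:
        return client_pinned_check(resp, expected)
    return client_inband_check(resp)
```

The in-band client accepts the swapped package on a hostile network; the pinned client rejects it and still accepts the genuine package on a clean network.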

This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 
4.3. View the linked Common Vulnerabilities and Exposures (CVE) identifier for
a description of the security issue that this security advisory addresses.

CVE identifier   CVSS score
CVE-2014-6611    4.3

Mitigations

Mitigations are existing conditions that a potential attacker would need to 
overcome in order to mount a successful attack or that would limit the 
severity of an attack. Examples of such conditions include default settings, 
common configurations and general best practices.

This issue is mitigated for all customers by the prerequisite that the 
attacker must persuade the customer to download the malicious application and
accept the permissions.

In order to exploit this vulnerability, an attacker must gain control of the 
network that the customer is using to make the download/update request.

All BlackBerry World downloads are now protected by SSL encryption, which 
helps mitigate the risk to customers running affected versions, including on 
BlackBerry 10 OS versions earlier than 10.2.0.

This issue is further mitigated for customers downloading enterprise-supplied
apps from the Enterprise BlackBerry World storefront located in the work 
space.

Workarounds

Workarounds are settings or configuration changes that a user or administrator
can apply to help protect against an attack. BlackBerry recommends that all 
users apply the available software update to fully protect their system. All 
workarounds should be considered temporary measures for customers to apply if
they cannot install the update immediately or must perform standard testing 
and risk analysis. BlackBerry recommends that customers who are able to do so
install the update to secure their systems.

Users should download or update apps only while they are connected to trusted
networks.

Users should consider which application permission settings to grant or deny 
whenever installing applications from BlackBerry World.

More Information

What is BlackBerry World?

BlackBerry World is an application distribution service that allows you to 
search for and download apps for your BlackBerry device. BlackBerry World is 
available as an app for your BlackBerry 10 smartphone.

Definitions

CVE

Common Vulnerabilities and Exposures (CVE) is a dictionary of common names 
(CVE Identifiers) for publicly known information security vulnerabilities 
maintained by the MITRE Corporation.

CVSS

CVSS is a vendor-agnostic, industry open standard designed to convey the 
severity of vulnerabilities. CVSS scores may be used to determine the urgency
for update deployment within an organization. CVSS scores can range from 0.0 
(no vulnerability) to 10.0 (critical). BlackBerry uses CVSS in vulnerability 
assessments to present an immutable characterization of security issues. 
BlackBerry assigns all relevant security issues a non-zero score. Customers 
performing their own risk assessments of vulnerabilities that may impact them
can benefit from using the same industry-recognized CVSS metrics.

Acknowledgements

BlackBerry would like to thank Henry Hoggard of MWR Labs for his involvement 
in helping protect our customers.

Change Log

10-14-2014

Initial Publication

Disclaimer

By downloading, accessing or otherwise using the Knowledge Base documents you
agree:

   (a) that the terms of use for the documents found at 
www.blackberry.com/legal/knowledgebase apply to your use or reference to these
documents; and

   (b) not to copy, distribute, disclose or reproduce, in full or in part any
of the documents without the express written consent of RIM.

Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.

Copyright (c) 2012 Research In Motion Limited, unless otherwise noted.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================