-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2916
   QNX-2017-001 Multiple vulnerabilities impact BlackBerry QNX Software
                           Development Platform
                              16 November 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BlackBerry
Publisher:         BlackBerry
Operating System:  BlackBerry Device
Impact/Access:     Increased Privileges     -- Existing Account
                   Modify Arbitrary Files   -- Existing Account
                   Access Confidential Data -- Existing Account
                   Reduced Security         -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-9371 CVE-2017-9369 CVE-2017-3893 CVE-2017-3892
                   CVE-2017-3891

Original Bulletin:
   http://support.blackberry.com/kb/articleDetail?articleNumber=000046674

- --------------------------BEGIN INCLUDED TEXT--------------------

QNX-2017-001 Multiple vulnerabilities impact BlackBerry QNX Software
Development Platform

Article Number:  000046674
First Published: November 14, 2017
Last Modified:   November 14, 2017
Type:            Security Advisory

Overview

This advisory addresses multiple vulnerabilities that have been discovered in
the BlackBerry QNX Software Development Platform (QNX SDP). BlackBerry QNX is
not aware of any exploitation of these vulnerabilities.

Customer risk is limited for the most severe vulnerability by the requirement
that an attacker must first gain access to a secondary QNX QNet node.
Successful exploitation of the most severe vulnerability requires an attacker
to execute commands targeting arbitrary nodes from a secondary QNX QNet node.
If the requirements for exploitation of the most severe vulnerability are met,
an attacker could potentially gain access to local and remote files or take
ownership of files on other QNX nodes, regardless of permissions.
After installing the recommended software update, affected customers will be
fully protected from this vulnerability.

Who Should Read This Advisory?

Developers and project managers who develop or maintain BlackBerry QNX-based
systems

Who Should Apply The Software Fix(es)?

Developers and project managers who develop or maintain BlackBerry QNX-based
systems

More information

Have any BlackBerry QNX customers been subject to an attack that exploits
these vulnerabilities?

BlackBerry QNX is not aware of any attacks targeting BlackBerry QNX customers
using these vulnerabilities.

What factors affected the release of this security advisory?

This advisory addresses privately disclosed vulnerabilities. BlackBerry QNX
publishes full details of a software update in a security advisory after the
fix is available to our customers. Publishing this advisory ensures that our
customers can protect themselves by updating their software, or employing
available workarounds if updating is not possible.

Where can I read more about the security of BlackBerry QNX products and
solutions?

For more information on BlackBerry QNX security, visit
http://blackberry.qnx.com/en/products/neutrino-rtos/neutrino-rtos#technology

Affected Products and Resolutions

Read the following to determine if the version of QNX SDP deployed in your
product is affected.
Affected Products

The following table outlines the affected versions for each vulnerability:

CVE             Affected Versions of QNX SDP
CVE-2017-3891   6.6.0
CVE-2017-3892   6.6.0
CVE-2017-3893   6.6.0
CVE-2017-9369   6.6.0; 6.5.0 SP1 and earlier
CVE-2017-9371   6.6.0; 6.5.0 SP1 and earlier

Non-Affected Products

The following table outlines the versions for each vulnerability that are
either fixed or were not affected:

CVE             Fixed or Non-Affected Versions of QNX SDP
CVE-2017-3891   7.0.0 and later; 6.5.0 SP1 and earlier
CVE-2017-3892   7.0.0 and later; 6.5.0 SP1 and earlier
CVE-2017-3893   7.0.0 and later; 6.5.0 SP1 and earlier
CVE-2017-9369   7.0.0 and later
CVE-2017-9371   7.0.0 and later

Resolution

BlackBerry QNX has issued a fix for this vulnerability, which is included in
QNX SDP version 7.0.0 and later. This software update resolves this
vulnerability on affected versions. To be fully protected from this issue,
affected customers should update to QNX SDP version 7.0.0 or later. View the
release notes on the BlackBerry QNX download center for instructions to deploy
the fix.

Customers running an affected version who cannot update at this time should
apply an available workaround. See the Workarounds section of this advisory
for details.

Vulnerability Information

Multiple vulnerabilities exist in affected versions of the QNX SDP.

CVE-2017-3891 Elevation of privilege vulnerability

A vulnerability exists in the Qnet protocol of affected versions of the QNX
SDP. The Qnet protocol extends inter-process communications transparently
over a network of microkernels.

In order to exploit this vulnerability, an attacker must execute commands
targeting arbitrary QNet nodes from a secondary QNet node running version
6.6.0. Successful exploitation of this vulnerability could result in an
attacker gaining access to local and remote files or taking ownership of files
on other QNet nodes, regardless of permissions.
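The affected-version tables above, together with the CVSSv3 scores given later in this advisory, can be turned into a small fleet-triage check. The following Python is an added example, not part of the AusCERT bulletin or of BlackBerry's advisory. It assumes version strings take the form the advisory uses ("6.6.0", "6.5.0 SP1", "7.0.0") and, going slightly beyond the tables, treats any release above 6.5.0 SP1 and below 7.0.0 like 6.6.0, since the advisory lists only 6.6.0 in that range.

```python
"""Added example (not part of the AusCERT/BlackBerry advisory): decide which of
the five CVEs in QNX-2017-001 apply to a deployed QNX SDP version, ordered by
CVSSv3 score, using only the version tables and scores the advisory gives."""
import re
from typing import List, Tuple

# CVSSv3 scores as published in the advisory.
CVSS = {
    "CVE-2017-3891": 9.6,
    "CVE-2017-3892": 3.8,
    "CVE-2017-3893": 1.9,
    "CVE-2017-9369": 3.8,
    "CVE-2017-9371": 2.6,
}

FIXED_IN = (7, 0, 0, 0)   # all five CVEs are fixed in QNX SDP 7.0.0 and later
V650_SP1 = (6, 5, 0, 1)   # boundary used by the advisory's tables

# Per the tables: the first three CVEs affect 6.6.0 only (6.5.0 SP1 and earlier
# are not affected); the last two affect 6.6.0 and 6.5.0 SP1 and earlier.
AFFECTS_650_AND_EARLIER = {"CVE-2017-9369", "CVE-2017-9371"}

# Accepts "6.6.0", "6.5.0 SP1", "7.0.0"; the SP suffix is optional.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s*(?:SP\s*(\d+))?\s*$", re.I)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a QNX SDP version string into a comparable tuple
    (major, minor, patch, service_pack). Raises ValueError on junk."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised QNX SDP version: {text!r}")
    major, minor, patch, sp = m.groups()
    return int(major), int(minor), int(patch), int(sp or 0)


def applicable_cves(version_text: str) -> List[Tuple[str, float]]:
    """Return [(cve, cvss), ...] for the CVEs that affect the given version,
    highest score first. Assumption (ours, not the advisory's): any release
    above 6.5.0 SP1 and below 7.0.0 is treated like 6.6.0."""
    v = parse_version(version_text)
    if v >= FIXED_IN:
        return []
    hits = []
    for cve, score in CVSS.items():
        if cve in AFFECTS_650_AND_EARLIER or v > V650_SP1:
            hits.append((cve, score))
    # Highest CVSS first; ties broken by CVE id for a stable report order.
    return sorted(hits, key=lambda item: (-item[1], item[0]))


def triage_report(version_text: str) -> str:
    """One line per applicable CVE, suitable for an inventory script."""
    hits = applicable_cves(version_text)
    if not hits:
        return f"{version_text}: not affected by QNX-2017-001"
    lines = [f"{version_text}: {len(hits)} applicable CVE(s); "
             "update to QNX SDP 7.0.0 or later"]
    lines += [f"  {cve}  CVSSv3 {score}" for cve, score in hits]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample inventory covering both sides of each table boundary.
    for deployed in ("6.6.0", "6.5.0 SP1", "6.5.0", "7.0.0", "7.0.1"):
        print(triage_report(deployed))
```

Run against an inventory of deployed SDP versions, the report puts CVE-2017-3891 (9.6) at the top for every 6.6.0 target, while 6.5.0 SP1 and earlier targets list only CVE-2017-9369 and CVE-2017-9371, matching the two tables.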
CVE-2017-3892 Information disclosure vulnerability

A vulnerability exists in the procfs system service of affected versions of
the QNX SDP. The procfs service is a resource manager responsible for managing
process information.

In order to exploit this vulnerability, an attacker must execute commands
targeting procfs resources. Successful exploitation of this vulnerability
could result in an attacker gaining information relating to memory layout
that could be used in a blended attack.

CVE-2017-3893 Incomplete vulnerability mitigations

Multiple incomplete vulnerability mitigations exist in the memory corruption
protection, RELRO, and ASLR security features of affected versions of the QNX
SDP.

In order to exploit the most severe weakness, an attacker must successfully
execute a buffer overflow attack against certain memory structures.
Successful exploitation of the most severe weakness as part of a blended
attack could result in an attacker being able to overwrite the contents of
these tables to cause arbitrary function calls.

CVE-2017-9369 Information disclosure across privilege barriers

An information disclosure vulnerability exists in the default configuration
of the setuid binaries in affected versions of the QNX SDP.

In order to exploit this vulnerability, an attacker who has access to a
system shell must successfully manipulate environment variables that
influence the loader. Successful exploitation of this vulnerability could
result in an attacker gaining information relating to memory layout of higher
privileged processes.

CVE-2017-9371 Random number service used deprecated algorithm

The random number service used an older algorithm and may have been subject
to input-based attacks.

In order to exploit this vulnerability, an attacker would need control over
environmental factors that influence seed generation.
Successful exploitation of this vulnerability could result in an attacker
being able to reduce the entropy of the PRNG, and this could make other
blended attacks more practical.

This advisory addresses multiple vulnerabilities, the most severe of which
has a Common Vulnerability Scoring System (CVSSv3) score of 9.6. View the
linked Common Vulnerability and Exposures (CVE) identifiers for a description
of the security issue that this security advisory addresses.

CVE identifier    CVSSv3 score
CVE-2017-3891     9.6
CVE-2017-3892     3.8
CVE-2017-3893     1.9
CVE-2017-9369     3.8
CVE-2017-9371     2.6

Mitigations

Mitigations are existing conditions that a potential attacker would need to
overcome to mount a successful attack or that would limit the severity of an
attack. Examples of such conditions include default settings, common
configurations, and general best practices.

CVE-2017-3891 is completely mitigated for network configurations that do not
support multiple QNet nodes.

CVE-2017-3891 is mitigated in configurations with multiple QNet nodes by the
requirement that an attacker must gain access to a secondary QNet node or
physical access to the network.

CVE-2017-3892 is completely mitigated on systems that do not allow shell or
debug access.

CVE-2017-3892 is mitigated by the requirement that an attacker must gain
access to the shell or the QNX debug service.

CVE-2017-3893 is mitigated by the requirement that an attacker must make a
successful blended attack to exploit this weakness.

CVE-2017-9369 is completely mitigated on systems that do not allow shell
access.

CVE-2017-9369 is mitigated by the requirement that an attacker must have
access to a system shell.

CVE-2017-9371 is mitigated by the presence of multiple entropy sources
contributing to PRNG seeding.

Workarounds

Workarounds are settings or configuration changes that a user or
administrator can apply to help protect against an attack.
BlackBerry QNX recommends that all users apply the available software update
to fully protect their system. All workarounds should be considered temporary
measures for customers to apply if they cannot install the update immediately
or must perform standard testing and risk analysis. BlackBerry QNX recommends
that customers who are able to do so install the update to secure their
systems.

For CVE-2017-3891

Developers, project managers, and administrators can prevent this attack by
disabling QNet if it is not required. If QNet is required, it should be
deployed in physically secure conditions and on air-gapped networks.
Instructions for the configuration of QNet can be found in the documentation
located in the QNX download center.

Additionally, developers and project managers who develop or maintain
QNX-based systems should ship only required utilities on production targets,
avoiding system utilities that allow management of OS features that allow
reconfiguration.

For CVE-2017-3892

Developers, project managers, and administrators of production systems can
limit non-root access to critical /proc virtual file system resources by
setting the procnto '-u' option. Instructions to set this option can be found
in the Utilities reference documentation:

For QNX SDP 6.5.0:
http://www.qnx.com/developers/docs/6.5.0/index.jsp?topic=%2Fcom.qnx.doc.neutrino_utilities%2Fp%2Fprocnto.html&cp=13_12_18_56

For QNX SDP 6.6.0:
http://www.qnx.com/developers/docs/6.6.0.update/com.qnx.doc.neutrino.utilities/topic/p/procnto.html

When this workaround is deployed, non-root pidin will no longer display
information on processes other than itself.

For CVE-2017-3893

There are no workarounds for these weaknesses.

For CVE-2017-9369

Developers and project managers can prevent this attack by updating the
runtime libraries specified in the release notes to the latest version. View
the release notes on the BlackBerry QNX download center for instructions.
Additionally, system developers should avoid deploying unnecessary
command-line functionality on released systems as good practice.

For CVE-2017-9371

There are no workarounds for this weakness.

Definitions

CVE
Common Vulnerability and Exposures (CVE) is a dictionary of common names (CVE
Identifiers) for publicly known information security vulnerabilities,
maintained by the MITRE Corporation.

CVSS
CVSS is a vendor-agnostic, industry open standard designed to convey the
severity of a vulnerability. CVSS scores may be used to determine the urgency
for update deployment within an organization. CVSS scores can range from 0.0
(no vulnerability) to 10.0 (critical). BlackBerry QNX uses CVSSv3 in
vulnerability assessments to present an immutable characterization of
security issues. BlackBerry QNX assigns all relevant security issues a
non-zero score. Customers performing their own risk assessments of
vulnerabilities that may impact them can benefit from using the same
industry-recognized CVSS metrics.

RELRO
Read-only relocations, a security feature that ensures a process's data
section is unmodifiable.

GOT
Global offset table.

PLT
Procedure linkage table. Contains an entry for each external function called
from a shared library.

PRNG
Pseudorandom number generator. An algorithm for generating a sequence of
numbers whose properties approximate the properties of sequences of random
numbers.

Acknowledgements

BlackBerry QNX thanks and credits Jos Wetzels of Midnight Blue with the
discovery of these issues.

Change Log

11-14-2017 Initial publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

    https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWgz024x+lLeg9Ub1AQhYAQ/+PkPhDpy9Gds0WDlzDSHGCqSQnBjInj/J
WmOKY13aIEKdZyclmFZkfmDbCo5zW6+hKfwLAuvRd8+kPmIh8N8g3X3+SsxPfUUv
ZXnynUKZVrW6irWOMHDeTHjGoZrvSnUf0WbCRAxSfk5vmds/8mpKysXdm70uDjy8
jOobXW37q1fuU2JDB/oMN0rbKBppLDwDsYLACLYfDz1zFtPf+Se+iizc6/u1Rt8X
47s/AKmHERV6VoPxr9h8fqk8rZRPzkMDMy5pGoyusI3TJ+0hgdB7E1ONFH4/zhha
bSwI1wY0Zci5/lLW6xg0nJUpQYe/9Mrjsj+//NLsz7Kas+uJpEIgvIKM2u4G2EWA
9ViikpChQ2ImdGg8UnTflrbjuYyXVya90E4FIDOMJhiFt6FKiU45mjIr2zEo85Sa
ARJiOLT92KfKOYpB4XZBOfXbfa+NFh47GYT2SLTDy2heXU7ckMlimfYAFqdRppaT
djasuC8/qGLep0OxmoA/CXtymndvaNIxuMmbjezKCGBixQ75JML8WVUyUtq+Kir0
8+0Ea4Un7AOd9NTFbPFDiG51rgGaW3bDnDvSYdLqCZUQA6pEn3e0ttjdjf3/znyq
XEyERnn2by8qF4phHee2alkVh+VzwNGREVyiSCUAtVX/l2wt9oegFmwCzATzBZ3u
GUNGr6Y++Xo=
=jdQu
-----END PGP SIGNATURE-----