Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2017.2916
QNX-2017-001 Multiple vulnerabilities impact BlackBerry QNX
Software Development Platform
16 November 2017
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: BlackBerry
Publisher: BlackBerry
Operating System: BlackBerry Device
Impact/Access: Increased Privileges -- Existing Account
Modify Arbitrary Files -- Existing Account
Access Confidential Data -- Existing Account
Reduced Security -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2017-9371 CVE-2017-9369 CVE-2017-3893
CVE-2017-3892 CVE-2017-3891
Original Bulletin:
http://support.blackberry.com/kb/articleDetail?articleNumber=000046674
- --------------------------BEGIN INCLUDED TEXT--------------------
QNX-2017-001 Multiple vulnerabilities impact BlackBerry QNX Software
Development Platform
Article Number: 000046674
First Published: November 14, 2017
Last Modified: November 14, 2017
Type: Security Advisory
Overview
This advisory addresses multiple vulnerabilities that have been discovered in
the BlackBerry QNX Software Development Platform (QNX SDP). BlackBerry QNX is
not aware of any exploitation of these vulnerabilities. Customer risk is
limited for the most severe vulnerability by the requirement that an attacker
must first gain access to a secondary QNX QNet node. Successful exploitation
of the most severe vulnerability requires an attacker to execute commands
targeting arbitrary nodes from a secondary QNX QNet node. If the requirements
for exploitation of the most severe vulnerability are met, an attacker could
potentially gain access to local and remote files or take ownership of files
on other QNX nodes, regardless of permissions. After installing the
recommended software update, affected customers will be fully protected from
this vulnerability.
Who Should Read This Advisory?
Developers and project managers who develop or maintain BlackBerry QNX-based
systems
Who Should Apply The Software Fix(es)?
Developers and project managers who develop or maintain BlackBerry QNX-based
systems
More information
Have any BlackBerry QNX customers been subject to an attack that exploits
these vulnerabilities?
BlackBerry QNX is not aware of any attacks targeting BlackBerry QNX customers
using these vulnerabilities.
What factors affected the release of this security advisory?
This advisory addresses privately disclosed vulnerabilities. BlackBerry QNX
publishes full details of a software update in a security advisory after the
fix is available to our customers. Publishing this advisory ensures that our
customers can protect themselves by updating their software, or employing
available workarounds if updating is not possible.
Where can I read more about the security of BlackBerry QNX products and
solutions?
For more information on BlackBerry QNX security, visit
http://blackberry.qnx.com/en/products/neutrino-rtos/neutrino-rtos#technology
Affected Products and Resolutions
Read the following to determine if the version of QNX SDP deployed in your
product is affected.
Affected Products
The following table outlines the affected versions for each vulnerability:
CVE Affected Versions of QNX SDP
CVE-2017-3891 6.6.0
CVE-2017-3892 6.6.0
CVE-2017-3893 6.6.0
CVE-2017-9369 6.6.0
6.5.0 SP1 and earlier
CVE-2017-9371 6.6.0
6.5.0 SP1 and earlier
Non Affected Products
The following table outlines the versions for each vulnerability that are
either fixed or were not affected:
CVE Affected Versions of QNX SDP
CVE-2017-3891 7.0.0 and later
6.5.0SP1 and earlier
CVE-2017-3892 7.0.0 and later
6.5.0SP1 and earlier
CVE-2017-3893 7.0.0 and later
6.5.0SP1 and earlier
CVE-2017-9369 7.0.0 and later
CVE-2017-9371 7.0.0 and later
Resolution
BlackBerry QNX has issued a fix for this vulnerability, which is included in
QNX SDP version 7.0.0 and later. This software update resolves this
vulnerability on affected versions. To be fully protected from this issue,
affected customers should update to QNX SDP version 7.0.0 or later. View the
release notes on the BlackBerry QNX download center for instructions to deploy
the fix. Customers running an affected version who cannot update at this time
should apply an available workaround. See the Workarounds section of this
advisory for details.
Vulnerability Information
Multiple vulnerabilities exist in affected versions of the QNX SDP.
CVE-2017-3891 Elevation of privilege vulnerability
A vulnerability exists in the Qnet protocol of affected versions of the QNX
SDP. The Qnet protocol extends inter-process communications transparently over
a network of microkernels.
In order to exploit this vulnerability, an attacker must execute commands
targeting arbitrary QNet nodes from a secondary QNet node running version
6.6.0.
Successful exploitation of this vulnerability could result in an attacker
gaining access to local and remote files or taking ownership of files on other
QNet nodes, regardless of permissions.
CVE-2017-3892 Information disclosure vulnerability
A vulnerability exists in the procfs system service of affected versions of
the QNX SDP. The procfs service is a resource manager responsible for managing
process information.
In order to exploit this vulnerability, an attacker must execute commands
targeting procfs resources.
Successful exploitation of this vulnerability could result in an attacker
gaining information relating to memory layout that could be used in a blended
attack.
CVE-2017-3893 Incomplete vulnerability mitigations
Multiple incomplete vulnerability mitigations exist in the memory corruption
protection, RELRO, and ASLR security features of affected versions of the QNX
SDP.
In order to exploit the most severe weakness, an attacker must successfully
execute a buffer overflow attack against certain memory structures.
Successful exploitation of the most severe weakness as part of a blended
attack could result in an attacker being able to overwrite the contents of
these tables to cause arbitrary function calls.
CVE-2017-9369 Information disclosure across privilege barriers
An information disclosure vulnerability exists in the default configuration of
the setuid binaries in affected versions of the QNX SDP.
In order to exploit this vulnerability, an attacker who has access to a system
shell must successfully manipulate environment variables that influence the
loader.
Successful exploitation of this vulnerability could result in an attacker
gaining information relating to memory layout of higher privileged processes.
CVE-2017-9371 Random number service used deprecated algorithm
The random number service used an older algorithm and may have been subject to
input-based attacks.
In order to exploit this vulnerability, an attacker would need control over
environmental factors that influence seed generation.
Successful exploitation of this vulnerability could result in an attacker
being able to reduce the entropy of the PRNG and this could make other blended
attacks more practical.
This advisory addresses multiple vulnerabilities, the most severe of which has
a Common Vulnerability Scoring System (CVSSv3) score of 9.6. View the linked
Common Vulnerability and Exposures (CVE) identifiers for a description of the
security issue that this security advisory addresses.
CVE identifier CVSSv3 score
CVE-2017-3891 9.6
CVE-2017-3892 3.8
CVE-2017-3893 1.9
CVE-2017-9369 3.8
CVE-2017-9371 2.6
Mitigations
Mitigations are existing conditions that a potential attacker would need to
overcome to mount a successful attack or that would limit the severity of an
attack. Examples of such conditions include default settings, common
configurations, and general best practices.
CVE-2017-3891 is completely mitigated for network configurations that do not
support multiple QNet nodes.
CVE-2017-3891 is mitigated in configurations with multiple QNet nodes by the
requirement that an attacker must gain access to a secondary QNet node or
physical access to the network.
CVE-2017-3892 is completely mitigated on systems that do not allow shell or
debug access.
CVE-2017-3892 is mitigated by the requirement that an attacker must gain
access to the shell or the QNX debug service.
CVE-2017-3893 is mitigated by the requirement that an attacker must make a
successful blended attack to exploit this weakness.
CVE-2017-9369 is completely mitigated on systems that do not allow shell
access.
CVE-2017-9369 is mitigated by the requirement than attacker must have access
to a system shell.
CVE-2017-9371 is mitigated by the presence of multiple entropy sources
contributing to PRNG seeding.
Workarounds
Workarounds are settings or configuration changes that a user or administrator
can apply to help protect against an attack. BlackBerry QNX recommends that
all users apply the available software update to fully protect their system.
All workarounds should be considered temporary measures for customers to apply
if they cannot install the update immediately or must perform standard testing
and risk analysis. BlackBerry QNX recommends that customers who are able to do
so install the update to secure their systems.
For CVE-2017-3891
Developers, project managers, and administrators can prevent this attack by
disabling QNet if it is not required. If QNet is required, it should be
deployed in physically secure conditions and on air-gapped networks.
Instructions for the configuration of QNet can be found in the documentation
located in the QNX download center.
Additionally, developers and project managers who develop or maintain
QNX-based systems should ship only required utilities on production targets,
avoiding system utilities that allow management of OS features that allow
reconfiguration.
For CVE-2017-3892
Developers, project managers, and administrators of production systems can
limit non-root access to critical /proc virtual file system resources by
setting the procnto '-u' option. Instructions to set this option can be found
in the Utilities reference documentation:
For QNX SDP 6.5.0:
http://www.qnx.com/developers/docs/6.5.0/index.jsp?topic=%2Fcom.qnx.doc.neutrino_utilities%2Fp%2Fprocnto.html&cp=13_12_18_56
For QNX SDP 6.6.0:
http://www.qnx.com/developers/docs/6.6.0.update/com.qnx.doc.neutrino.utilities/topic/p/procnto.html
When this workaround is deployed, non-root pidin will no longer display
information on processes other than itself.
For CVE-2017-3893
There are no workarounds for these weaknesses.
For CVE-2017-9369
Developers and project managers can prevent this attack by updating the
runtime libraries specified in the release notes to the latest version. View
the release notes on the BlackBerry QNX download center for instructions.
Additionally, system developers should avoid deploying unnecessary
command-line functionality on released systems as good practice.
For CVE-2017-9371
There are no workarounds for this weakness.
Definitions
CVE
Common Vulnerability and Exposures (CVE) is a dictionary of common names (CVE
Identifiers) for publicly known information security vulnerability maintained
by the MITRE Corporation.
CVSS
CVSS is a vendor agnostic, industry open standard designed to convey the
severity of vulnerability. CVSS scores may be used to determine the urgency
for update deployment within an organization. CVSS scores can range from 0.0
(no vulnerability) to 10.0 (critical). BlackBerry QNX uses CVSSv3 in
vulnerability assessments to present an immutable characterization of security
issues. BlackBerry QNX assigns all relevant security issues a non-zero score.
Customers performing their own risk assessments of vulnerability that may
impact them can benefit from using the same industry-recognized CVSS metrics.
RELRO
Read-only relocations, a security feature that ensures a process's data
section is unmodifiable.
GOT
Global offset table. PLT Procedure linkage table. Contains an entry for each
external function called from a shared library.
PRNG
Pseudorandom number generator. An algorithm for generating a sequence of
numbers whose properties approximate the properties of sequences of random
numbers.
Acknowledgements
BlackBerry QNX thanks and credits Jos Wetzels with Midnight Blue with
discovery of these issues.
Change Log
11-14-2017
Initial publication
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWgz024x+lLeg9Ub1AQhYAQ/+PkPhDpy9Gds0WDlzDSHGCqSQnBjInj/J
WmOKY13aIEKdZyclmFZkfmDbCo5zW6+hKfwLAuvRd8+kPmIh8N8g3X3+SsxPfUUv
ZXnynUKZVrW6irWOMHDeTHjGoZrvSnUf0WbCRAxSfk5vmds/8mpKysXdm70uDjy8
jOobXW37q1fuU2JDB/oMN0rbKBppLDwDsYLACLYfDz1zFtPf+Se+iizc6/u1Rt8X
47s/AKmHERV6VoPxr9h8fqk8rZRPzkMDMy5pGoyusI3TJ+0hgdB7E1ONFH4/zhha
bSwI1wY0Zci5/lLW6xg0nJUpQYe/9Mrjsj+//NLsz7Kas+uJpEIgvIKM2u4G2EWA
9ViikpChQ2ImdGg8UnTflrbjuYyXVya90E4FIDOMJhiFt6FKiU45mjIr2zEo85Sa
ARJiOLT92KfKOYpB4XZBOfXbfa+NFh47GYT2SLTDy2heXU7ckMlimfYAFqdRppaT
djasuC8/qGLep0OxmoA/CXtymndvaNIxuMmbjezKCGBixQ75JML8WVUyUtq+Kir0
8+0Ea4Un7AOd9NTFbPFDiG51rgGaW3bDnDvSYdLqCZUQA6pEn3e0ttjdjf3/znyq
XEyERnn2by8qF4phHee2alkVh+VzwNGREVyiSCUAtVX/l2wt9oegFmwCzATzBZ3u
GUNGr6Y++Xo=
=jdQu
-----END PGP SIGNATURE-----