-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0747
          Reflected XSS fixed in Blackberry UEM Management Console
                               14 March 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Blackberry UEM Management Console
Publisher:         Blackberry
Operating System:  Windows
                   Linux variants
                   Mac OS
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-17442

Original Bulletin:
   http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber=000048073

- --------------------------BEGIN INCLUDED TEXT--------------------

BSRT-2018-001 Vulnerability in UEM Management Console impacts UEM

Article Number:  000048073
First Published: March 13, 2018
Last Modified:   March 13, 2018
Type:            Security Advisory

Overview

This advisory addresses a reflected cross-site scripting vulnerability that
has been discovered in UEM. BlackBerry is not aware of any exploitation of
this vulnerability.

BlackBerry customer risk is limited by the requirement that an attacker
possess knowledge of the internal network and by the inability of an attacker
to force exploitation of the vulnerability without customer interaction.
Successful exploitation requires that an attacker craft a malicious link and
that a user with Management Console access click on the malicious link. If
the requirements for exploitation are met, an attacker could potentially
execute script commands in the context of a UEM Management Console user
account.

After installing the recommended software update, affected customers will be
fully protected from this vulnerability.

Who Should Read This Advisory?

UEM administrators

More information

Have any BlackBerry customers been subject to an attack that exploits this
vulnerability?
BlackBerry is not aware of any attacks targeting BlackBerry customers using
this vulnerability.

What factors affected the release of this security advisory?

This advisory addresses a privately disclosed vulnerability. BlackBerry
publishes full details of a software update in a security advisory after the
fix is available to our customers. Publishing this advisory ensures that all
of our customers can protect themselves by updating their software.

Where can I read more about the security of BlackBerry products and
solutions?

For more information on BlackBerry security, visit
www.blackberry.com/security and www.blackberry.com/bbsirt.

Affected Products and Resolutions

Read the following to determine if your UEM installation is affected.

Affected Products

UEM version 12.7.1 and earlier.

Non Affected Products

UEM version 12.7.2 and later.

Resolution

BlackBerry has issued a fix for this vulnerability, which is included in
BlackBerry UEM 12.7.2 and later. This software update resolves this
vulnerability on affected versions. To be fully protected from this issue,
affected customers should update to BlackBerry UEM version 12.7.2 or later.

Visit the BlackBerry UEM download page to download upgrades or maintenance
releases:
   https://swdownloads.blackberry.com/Downloads/entry.do?code

Vulnerability Information

A vulnerability exists in the UEM Management Console of affected versions of
UEM. The Management Console is a web interface that allows administrators and
users to manage enterprise-activated devices. Users can only manage their own
devices.

In order to exploit this vulnerability, an attacker must first know the URL
of the UEM Management Console on the internal network and then craft a
malicious link containing script commands. An attacker must then persuade a
user with legitimate access to the Management Console to click on the link.
Successful exploitation of this vulnerability could result in an attacker
executing script commands in the context of the affected UEM Management
Console account.

description of the security issue that this security advisory addresses.

CVE identifier:    CVSSv3 score
CVE-2017-17442:    5.9

Mitigations

Mitigations are existing conditions that a potential attacker would need to
overcome to mount a successful attack or that would limit the severity of an
attack. Examples of such conditions include default settings, common
configurations, and general best practices.

This issue is mitigated for all customers by the prerequisite that an
attacker must persuade a user with access to the Management Console to click
a maliciously crafted link. An attacker cannot force the user to click the
link or bypass the requirement that the user chooses to click the link.
BlackBerry recommends that users do not click links in emails received from
untrusted sources or within webpages they are otherwise directed to by
untrusted sources.

This issue is further mitigated by the prerequisite that an attacker must
have knowledge of the internal network. Further, script commands are able to
carry out actions within the context of the Management Console only and not
the underlying system or database. Finally, the script execution is
restricted to the context of the targeted victim's account permissions in the
Management Console.

Workarounds

Workarounds are settings or configuration changes that a user or
administrator can apply to help protect against an attack. BlackBerry
recommends that all users apply the available software update to fully
protect their system.

There are no workarounds for this vulnerability; however, BlackBerry
recommends that UEM administrators and users only access the Management
Console via known trusted sources (such as the direct URL or user-created
bookmarks) and not by using any links supplied by untrusted sources.
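The advisory describes the general shape of a reflected XSS: a value from a crafted link is echoed into the console's HTML without encoding, so script supplied by the link runs with the clicking user's console permissions. The example below is added here and is not BlackBerry's or AusCERT's code; it does not reproduce the UEM defect (the affected parameter is not disclosed). The handler names and the `q` parameter are assumptions used to show the vulnerable pattern next to its hardened form, plus a small regression check a defender can run against any response to confirm a parameter is no longer reflected raw.

```python
"""Added example: reflected parameter echoed unencoded vs. HTML-entity encoded.
Not from the advisory; 'q' and the handler names are illustrative assumptions."""
import html
from urllib.parse import parse_qs

# Constructed sample query string, as it would arrive in the URL of a crafted link.
SAMPLE_QUERY = "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def _param(query_string: str, name: str) -> str:
    """Return the first value of `name` from a query string, percent-decoded."""
    return parse_qs(query_string).get(name, [""])[0]


def render_unsafe(query_string: str) -> str:
    """Vulnerable pattern: request data concatenated straight into element content.
    Anything the link carries, including <script> tags, becomes live markup."""
    term = _param(query_string, "q")
    return f"<p>Results for: {term}</p>"


def render_safe(query_string: str) -> str:
    """Hardened pattern: HTML-entity encode untrusted text before placing it in
    element content. quote=True also covers attribute contexts ('"' and "'")."""
    term = _param(query_string, "q")
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def reflected_unencoded(response_body: str, query_string: str, name: str) -> bool:
    """Regression check for a defender's test suite: does the raw parameter value
    (still containing markup-significant characters) appear verbatim in the page?
    True means the endpoint is still reflecting the value without encoding."""
    raw = _param(query_string, name)
    has_markup_chars = any(c in raw for c in "<>\"'&")
    return has_markup_chars and raw in response_body


if __name__ == "__main__":
    print("unsafe :", render_unsafe(SAMPLE_QUERY))
    print("safe   :", render_safe(SAMPLE_QUERY))
    print("unsafe reflects raw value:", reflected_unencoded(render_unsafe(SAMPLE_QUERY), SAMPLE_QUERY, "q"))
    print("safe reflects raw value  :", reflected_unencoded(render_safe(SAMPLE_QUERY), SAMPLE_QUERY, "q"))
```

The check is deliberately narrow: it flags only values that contain characters with meaning in HTML and that survive unchanged, which is what turns a reflected parameter into script execution. Encoding is the fix at the code level; the advisory's mitigations (trusted bookmarks, not following untrusted links) only reduce the chance a console user reaches a crafted URL and do not remove the reflection itself.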
More information

Are BES10 and BES5 affected by this vulnerability?

No.

Change Log

03-13-2018  Initial publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWqivTox+lLeg9Ub1AQj3vw//au7WvlP/OawfRVEgVpzr5Po3GjqSCaXP
JE471/TdbQtL2DhfyDBdrDHBUbmM6M0JMDh0XOirHdz0PdZT6ETvpyO56yFe27Nr
QZUeIZ8pBBLttoBcwolIAAOwfdoQpQPpdzOk1QN8Der2LxwJolbG9l7F9joWT/2j
rcmKTxuP92fkoXv1Ybx9+m+TjNZ6Qj2FtNh2QJDXGko3FpF+1PgLbWnGQQGLJYXU
lN/h4Z5rQDrLKceg5W+Bc4SgClhBnsSLPzNIZLAvi7gT81cpGlbFNIHQ2lmydoB+
khgMDqXOU/0lYfe34Hiilj23xvZ5rIWmO2gQsj7qGlqrCTj3k8ojm5PKPn1Cz1l5
xZOhWxmyTC6j/9bzHRK9tLvXZ5rvbWKQyP17+gMPMKxhTVxAgbMleVC4ZX87TIj2
x43zOh+nBSyPze3Qya6on2sUbNX+cemov1W2s4KBUEQ6OoGY1kFtwyyu0C7jvFhc
Pfrn4hoqQUuH85Yf5NrymYxA6xVk0Usc64vbKc6DLOLYF9PdBsnLpcvMkV27VYa9
Gcg9Z8gKVNEDWuwTlAGJgy+nhLjoQ+b9jWzzpzCKuPuMcv+yp2NY8d4+8Vz44aZ5
h5uYPuGGXi524GaNDj1sejtaKrGjf/EoXozmI9WsbtvSXGBcvVFrdrXoOqHVaAaU
ICsMb4Y2/Gs=
=5peZ
-----END PGP SIGNATURE-----