===================================================================== CERT-Renater Note d'Information No. 2009/VULN014 _____________________________________________________________________ DATE : 13/01/2009 HARDWARE PLATFORM(S) : BlackBerry. OPERATING SYSTEM(S) : Systems running BlackBerry Enterprise Server versions 4.1.3 to 4.1.6, BlackBerry Unite! versions prior to 1.0 SP3 bundle 28, BlackBerry Professional Software 4.1.4. ====================================================================== http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB17119 http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB17118 ______________________________________________________________________ Vulnerabilities in the PDF distiller of the BlackBerry Attachment Service for BlackBerry Unite Doc ID : KB17119 Last Modified : 01-12-2009 Document Type : Security Advisory Environment * BlackBerry® Unite!™ software versions earlier than 1.0 Service Pack 3 (1.0.3) bundle 28 Note: This advisory does not replace KB15770, which describes an earlier, similar vulnerability. Customers affected by the issues described in this advisory should also review KB15770 to verify that they are protected from the vulnerability described in that advisory. Overview This advisory describes security issues that the BlackBerry Attachment Service component of BlackBerry Unite! is susceptible to. The issues relate to the handling of malformed and possibly malicious PDF files. These vulnerabilities each have a Common Vulnerability Scoring System (CVSS) score of 9.3. Acknowledgements RIM thanks Sean Larsson of iDefense Labs for reporting these issues to RIM, and working with RIM to protect its customers. Problem Multiple security vulnerabilities exist in the PDF distiller of some released versions of the BlackBerry Attachment Service. These vulnerabilities could enable a malicious individual to send an email message containing a specially crafted PDF file, which when opened for viewing on a BlackBerry smartphone, could cause memory corruption and possibly lead to arbitrary code execution on the computer that hosts the BlackBerry Attachment Service. RIM tracked the issues as SDR 278437, SDR 278003, SDR 278012, and SDR 278031. Resolution Upgrade to the latest version of the BlackBerry Unite! software. Visit http://www.blackberry.com/go/blackberryunite to obtain BlackBerry Unite! software. Workaround Note: As a mobile device best practice, Research In Motion (RIM) recommends that BlackBerry smartphone users open attachments from trusted sources only. Prevent the BlackBerry Attachment Service from processing PDF files in a BlackBerry Unite! environment 1. Open the command prompt. 2. Type the following command: net stop bbattachserver 3. Type the following command: reg.exe ADD "HKLM\Software\Research In Motion\BBAttachEngine\Distillers\LoadPDFDistiller" /v Enabled /t REG_DWORD /d 0 Important: Undertake registry modifications at your own risk, and only if you are confident in your ability to do so successfully. Serious, unsolvable problems that might require you to reinstall your operating system can occur if you modify the registry incorrectly. 4. Type the following command: net start bbtattachserver Additional Information CVSS is a vendor agnostic, industry open standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency for update deployment within an organization. CVSS scores range from 0.0 (no vulnerability) to 10.0 (critical). RIM uses CVSS in vulnerability assessments to present an immutable characterization of security issues. RIM assigns all security relevant issues a non-zero score. Visit www.blackberry.com/security for more information on BlackBerry security. # Document LinkVulnerability in the PDF distiller of the BlackBerry Attachment Service for BlackBerry Unite __________________________________________________________________________________ Vulnerabilities in the PDF distiller of the BlackBerry Attachment Service for the BlackBerry Enterprise Server Doc ID : KB17118 Last Modified : 01-12-2009 Document Type : Security Advisory Print this page Environment * BlackBerry® Enterprise Server software version 4.1 Service Pack 3 (4.1.3) through 4.1 Service Pack 6 (4.1.6) * BlackBerry® Professional Software 4.1 Service Pack 4 (4.1.4) Note: This advisory does not replace KB15766, which describes an earlier, similar vulnerability. Customers affected by the issues described in this advisory should also review KB15766 to verify that they are protected from the vulnerability described in that advisory. Overview This advisory describes security issues that the BlackBerry Attachment Service component of the BlackBerry Enterprise Server is susceptible to. The issues relate to the handling of malformed and possibly malicious PDF files. These vulnerabilities each have a Common Vulnerability Scoring System (CVSS) score of 9.3. Acknowledgements RIM thanks Sean Larsson of iDefense Labs for reporting these issues to RIM, and working with RIM to protect its customers. Problem Multiple security vulnerabilities exist in the PDF distiller of some released versions of the BlackBerry Attachment Service. These vulnerabilities could enable a malicious individual to send an email message containing a specially crafted PDF file, which when opened for viewing on a BlackBerry smartphone, could cause memory corruption and possibly lead to arbitrary code execution on the computer that hosts the BlackBerry Attachment Service. RIM tracked the issues as SDR 278437, SDR 278003, SDR 278012, and SDR 278031. Resolution Research In Motion (RIM) has issued an interim security software update that resolves this vulnerability in affected versions of the BlackBerry Enterprise Server and BlackBerry Professional Software. Download and install Interim Security Update 2 for the software version that you are running. For BlackBerry Enterprise Server Visit http://www.blackberry.com/go/serverdownloads to obtain Interim Security Update 2 for affected BlackBerry Enterprise Server software versions. For BlackBerry Professional Software Visit http://na.blackberry.com/eng/support/downloads/#tab_professional to obtain Interim Security Update 2 for affected BlackBerry Professional Software versions. Workaround Note: As a mobile device best practice, Research In Motion (RIM) recommends that BlackBerry smartphone users open attachments from trusted sources only. Prevent the BlackBerry Attachment Service from processing PDF files in a BlackBerry Enterprise Server environment You can prevent the BlackBerry Attachment Service from processing PDF files by editing the list of file format extensions that the BlackBerry Attachment Service opens, and then preventing the PDF attachment distiller from running on the BlackBerry Attachment Service. To remove the PDF file extension from the list of supported file format extensions, complete the following actions: 1. From the Windows Desktop, open the BlackBerry Server Configuration tool. 2. Click the Attachment Server tab. 3. In the Format Extensions field, delete pdf: from the colon–delimited list of extensions. 4. Click Apply. 5. Click OK. Until you prevent the PDF attachment distiller from running, the BlackBerry Attachment Service still detects a PDF file with a renamed extension (in other words, its extension is not .pdf) and attempts to process the file automatically. To prevent the PDF attachment distiller from running, complete the following actions: 1. On the Windows Desktop, open the BlackBerry Server Configuration tool. 2. Click the Attachment Server tab. 3. In the Configuration Option drop-down list, select Attachment Server. 4. In the Distiller Settings section, next to the distiller name Adobe PDF, clear the check box in the Enabled column. 5. Click Apply. 6. Click OK. 7. On the Windows Desktop, in Administrative Tools, open Services. 8. Right-click BlackBerry Attachment Service and click Stop. 9. Right-click BlackBerry Attachment Service and click Start. 10. Close Services. In Microsoft Exchange and Novell GroupWise environments, complete the following additional steps: 1. On the Windows Desktop, in Administrative Tools, open Services. 2. Right-click BlackBerry Dispatcher and click Stop. 3. Right-click BlackBerry Dispatcher and click Start. 4. Close Services. Note: Restarting BlackBerry Enterprise Server services might delay message delivery to BlackBerry devices. For more information, see KB04789. In IBM Lotus Domino environments, complete the following additional steps: 1. Open the Lotus Domino Administrator. 2. Click the Server tab. 3. Click the Status tab 4. Click Server Console. 5. In the Domino Command field, type tell BES quit and press ENTER. 6. In the Domino Command field, type load BES and press ENTER. 7. Close the Lotus Domino Administrator. Additional Information You can install the BlackBerry Attachment Service on a remote computer and then place that computer on its own network segment to prevent the spread of potential attacks from the BlackBerry Attachment Service to another computer within your organization’s network. In a segmented network, attacks are isolated and contained on a single area of the network. Using segmented network architecture is designed to improve the security and performance of the BlackBerry Attachment Service network segment by filtering out attachment data that is not destined for other network segments. For more information about placing the BlackBerry Enterprise Solution components in a network architecture that is segmented to prevent the spread of potential malware attacks, see Placing the BlackBerry Enterprise Solution in a Segmented Network. CVSS is a vendor agnostic, industry open standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency for update deployment within an organization. CVSS scores range from 0.0 (no vulnerability) to 10.0 (critical). RIM uses CVSS in vulnerability assessments to present an immutable characterization of security issues. RIM assigns all security relevant issues a non-zero score. Visit www.blackberry.com/security for more information on BlackBerry security. # Document LinkVulnerability in the PDF distiller of the BlackBerry Attachment Service for the BlackBerry Enterprise Server ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================