=====================================================================
CERT-Renater Information Note No. 2011/VULN027
_____________________________________________________________________

DATE                 : 14/01/2011
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running BlackBerry Device Software versions prior to 6.0.0.
======================================================================

http://blackberry.com/btsc/KB24841
______________________________________________________________________

Partial Denial of Service (DoS) in the BlackBerry browser application

Article ID      : KB24841
Type            : Security Advisory
First Published : 01-11-2011
Last Modified   : 01-11-2011

Product(s) Affected
The issue affects the BlackBerry browser application of the following software versions:
  * BlackBerry® Device Software versions earlier than 6.0.0

Non-Affected Software
  * BlackBerry® Desktop Software
  * BlackBerry® Enterprise Server Software

Issue Severity
This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 5.0.

Overview
This advisory relates to a BlackBerry Device Software vulnerability that could allow an attacker to maliciously craft a web page such that, when the BlackBerry device user views the page on a device running the affected BlackBerry Device Software, the browser application becomes unresponsive. The BlackBerry device subsequently terminates the browser, and the browser eventually restarts and displays an error message.

Successful exploitation of this issue relies on the user viewing the maliciously crafted web page on a device running the affected BlackBerry Device Software. The impact is limited to a partial Denial of Service (DoS) in the browser application in use on the BlackBerry device.

Issue Status
Vulnerability confirmed. Check for software containing the security update based on your wireless service provider. For more information, see the Resolution section.
Who should read this advisory
  * BlackBerry Enterprise Server administrators
  * BlackBerry device users

Who should apply the software fix(es)
  * BlackBerry Enterprise Server administrators
  * BlackBerry device users

Recommendation
Complete the resolution actions documented in this advisory.

References
CVE® Identifier: CVE-2010-2599

Problem
If the BlackBerry device user browses to a malformed web page, the BlackBerry browser application consumes sufficient resources to make the BlackBerry device appear unresponsive.

Impact
This issue results in a temporary, partial Denial of Service (DoS) without risk of information disclosure or loss of integrity. This issue does not have the potential to allow an attacker to access the BlackBerry device or its stored user data.

Resolution
RIM has issued a software update that resolves this issue in BlackBerry Device Software versions later than 5.0.0. BlackBerry Device Software version 4.7.0 and earlier is unsupported, and versions later than 6.0.0 are unaffected. To check for available updates for your BlackBerry Device Software, visit http://www.blackberry.com/updates/.
BlackBerry smartphone model (running a supported applications version)   Applications version to update to
------------------------------------------------------------------------   ------------------------------------------------
BlackBerry® Curve(TM) 8520 smartphone                                      Version 5.0.0.1036 or later
BlackBerry® Curve(TM) 8900 smartphone                                      Version 5.0.0.1036 or later
BlackBerry® Bold(TM) 9000 smartphone                                       Version 5.0.0.1036 or later
BlackBerry® Curve(TM) 8530 smartphone                                      Version 5.0.0.882 or later
BlackBerry® Pearl(TM) 9100 smartphone                                      Version 5.0.0.882 or later
BlackBerry® Pearl(TM) 9105 smartphone                                      Version 5.0.0.882 or later
BlackBerry® Storm2(TM) 9520 smartphone                                     Version 5.0.0.882 or later
BlackBerry® Storm2(TM) 9550 smartphone                                     Version 5.0.0.882 or later
BlackBerry® Curve(TM) 9300                                                 Version 5.0.0.1039 or later
BlackBerry® Curve(TM) 9330 smartphone                                      Version 6.0.0.280 or later
BlackBerry® Storm(TM) 9530 smartphone                                      Version 5.0.0.1041 or later
BlackBerry® Tour(TM) 9630 smartphone                                       Version 5.0.0.973 or later
BlackBerry® Bold(TM) 9650 smartphone                                       Version 5.0.0.983 or later, or Version 6.0.0.280 or later
BlackBerry® Bold(TM) 9700 smartphone                                       Version 6.0.0.380 or later

If you are using a software version that is not listed above, update to one of the listed versions before applying the software update.

Workaround
If the browser application or the BlackBerry device stops responding, the following options are available to the user:
  * Wait for the BlackBerry device or the browser application to respond. This occurs after a period of time that depends on the availability of BlackBerry device resources.
  * Switch to another application on the BlackBerry device. Performance of that application may be degraded by the overall impact the browser application issue has on BlackBerry device performance.
  * Reset the BlackBerry device.

Acknowledgements
RIM would like to thank Laurent Oudot of TEHTRI Security for his involvement in helping protect our customers.
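The following script is an added example, not part of the RIM article or the CERT-Renater note: it checks a fleet inventory against the fixed versions in the table above, so a BlackBerry Enterprise Server administrator can list which devices still need the update. The model names, the inventory tuples and the three status labels are this example's own conventions; it treats a version as fixed only within a listed major.minor.patch branch, and otherwise reports that the device must first move to a listed version, as the advisory instructs.

```python
"""Triage BlackBerry device software versions against the fixed builds
listed in KB24841 (CVE-2010-2599). Added example; assumed conventions."""

# Fixed application versions per smartphone model, transcribed from the
# advisory's Resolution table. The Bold 9650 is fixed in two branches.
FIXED_VERSIONS = {
    "Curve 8520": ["5.0.0.1036"], "Curve 8900": ["5.0.0.1036"],
    "Bold 9000": ["5.0.0.1036"],  "Curve 8530": ["5.0.0.882"],
    "Pearl 9100": ["5.0.0.882"],  "Pearl 9105": ["5.0.0.882"],
    "Storm2 9520": ["5.0.0.882"], "Storm2 9550": ["5.0.0.882"],
    "Curve 9300": ["5.0.0.1039"], "Curve 9330": ["6.0.0.280"],
    "Storm 9530": ["5.0.0.1041"], "Tour 9630": ["5.0.0.973"],
    "Bold 9650": ["5.0.0.983", "6.0.0.280"], "Bold 9700": ["6.0.0.380"],
}


def parse_version(text):
    """'5.0.0.1036' -> (5, 0, 0, 1036). Compare numerically: as strings,
    '5.0.0.882' sorts after '5.0.0.1036', which would misclassify devices."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError("expected major.minor.patch.build: %r" % text)
    return parts


def status(model, version):
    """Return 'patched', 'vulnerable' or 'unlisted_branch' for one device.

    A build is patched only when it sits in one of the listed
    major.minor.patch branches for its model and its build number meets
    that branch's threshold. A branch the table does not list (for
    example 4.7.0, which is unsupported) must first be upgraded to a
    listed version, so it is reported separately rather than as patched.
    """
    installed = parse_version(version)
    branch_seen = False
    for fixed in FIXED_VERSIONS[model]:
        threshold = parse_version(fixed)
        if installed[:3] == threshold[:3]:
            branch_seen = True
            if installed[3] >= threshold[3]:
                return "patched"
    return "vulnerable" if branch_seen else "unlisted_branch"


def triage(inventory):
    """inventory: iterable of (device_id, model, version) tuples, as an
    administrator might export them; returns {device_id: status}."""
    return {dev: status(model, ver) for dev, model, ver in inventory}
```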
Disclaimer
By downloading, accessing or otherwise using the Knowledge Base documents you agree: (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.

Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.
======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER         | tel  : 01-53-94-20-44     +
+ 23 - 25 Rue Daviel   | fax  : 01-53-94-20-41     +
+ 75013 Paris          | email: certsvp@renater.fr +
=========================================================