=====================================================================
                                    CERT-Renater

                         Information Note No. 2011/VULN335
_____________________________________________________________________

DATE                      : 13/04/2011

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running BlackBerry Enterprise Server Express,
                            BlackBerry Enterprise Server.

======================================================================
http://blackberry.com/btsc/KB25966
http://blackberry.com/btsc/KB26296
______________________________________________________________________

Vulnerabilities in Apache Tomcat implementation impact BlackBerry Enterprise
Server components

Products

Affected Software

These issues affect the following software versions:

     * BlackBerry Enterprise Server Express versions 5.0.1 through 5.0.2 MR1
       for Microsoft Exchange
     * BlackBerry Enterprise Server Express version 5.0.2 for IBM Lotus Domino
     * BlackBerry Enterprise Server versions 4.1.4 through 5.0.2 MR1 for
       Microsoft Exchange
     * BlackBerry Enterprise Server versions 4.1.4 through 5.0.2 for IBM Lotus
       Domino
     * BlackBerry Enterprise Server versions 4.1.4 through 5.0.1 for Novell
       GroupWise

Non Affected Software

     * BlackBerry Device Software
     * BlackBerry Desktop Software
     * BlackBerry Internet Service

Are BlackBerry smartphones and the BlackBerry Device Software affected?

No.

Issue Severity

These vulnerabilities have Common Vulnerability Scoring System (CVSS) scores
that range from 1.8 to 4.8 (low to moderate severity). See the References
section below for the CVSS scores of each issue, listed by CVE issue
identifier.

Overview

Security issues exist in the versions of the Apache Tomcat web server that
some BlackBerry Enterprise Server components use to serve administration pages.
The BlackBerry Administration Service, the BlackBerry Mobile Data System
Connection Service, and the BlackBerry Monitoring Service use the Apache Tomcat
web server.

These issues primarily affect the Apache Tomcat web server version that the
BlackBerry Administration Service uses. Some minor issues impact the BlackBerry
Mobile Data System Connection Service and the BlackBerry Monitoring Service.
These issues do not affect BlackBerry messaging.

Who should read this advisory

BlackBerry Enterprise Server administrators

Who should apply the software fix(es)

BlackBerry Enterprise Server administrators

Recommendation

Complete the resolution actions documented in this advisory.

References

View the linked CVE Identifiers for descriptions of the Apache Tomcat web
server security issues that this security advisory addresses.

CVE Identifier for issue    CVSS score
CVE-2007-3385               2.9
CVE-2007-5333               3.3
CVE-2008-1678               3.3
CVE-2008-5515               3.3
CVE-2007-1858               1.8
CVE-2009-3555               4.3
CVE-2010-2227               4.8

Problem

The BlackBerry Enterprise Server and BlackBerry Enterprise Server Express
products that use the vulnerable versions of the Apache Tomcat web server
may be susceptible to the issues referenced above.

Impact

These issues may result in a Denial of Service (DoS) impacting the ability
of the affected components to serve administration pages. There is a more
limited potential for these issues to result in information disclosure or
Cross-Site Scripting (XSS) on the affected components.

Resolution

RIM has issued the following updates that resolve these vulnerabilities in
affected versions of the BlackBerry Enterprise Server and the BlackBerry
Enterprise Server Express. These updates replace the installed Apache Tomcat
web server components with components that are not affected by the
vulnerabilities. The updates for BlackBerry Enterprise Server and BlackBerry
Enterprise Server Express versions 5.0.1 through 5.0.2 MR1 install Apache
Tomcat web server version 6.0.28 components. The updates for BlackBerry
Enterprise Server versions 4.1.6 and 4.1.7 install Apache Tomcat web server
version 5.5.31 components.

For BlackBerry Enterprise Server Express versions 5.0.1 and 5.0.2 for Microsoft
Exchange

     * Visit http://www.blackberry.com/go/serverdownloads to obtain Interim
       Security Software Update for April 12, 2011.

For BlackBerry Enterprise Server Express version 5.0.2 for IBM Lotus Domino

     * Visit http://www.blackberry.com/go/serverdownloads to obtain Interim
       Security Software Update for April 12, 2011.

For BlackBerry Enterprise Server versions 5.0.2 and 5.0.2 MR1 for Microsoft
Exchange

     * Visit http://www.blackberry.com/go/serverdownloads to obtain BlackBerry
       Enterprise Server version 5.0.2 MR5.

For BlackBerry Enterprise Server versions 4.1.6, 4.1.7, and 5.0.1 for
Microsoft Exchange

     * Visit http://www.blackberry.com/go/serverdownloads to obtain Interim
       Security Software Update for April 12, 2011.

For BlackBerry Enterprise Server versions 4.1.6, 4.1.7, 5.0.1, and 5.0.2 for
IBM Lotus Domino

     * Visit http://www.blackberry.com/go/serverdownloads to obtain Interim
       Security Software Update for April 12, 2011.

For BlackBerry Enterprise Server versions 4.1.6, 4.1.7, and 5.0.1 for Novell
GroupWise

     * Visit http://www.blackberry.com/go/serverdownloads to obtain Interim
       Security Software Update for April 12, 2011.

If you are using a software version that is not listed above, update to one of
the listed versions to apply the upgrade.

Copyright © 2010 Research In Motion Limited, unless otherwise noted.
_____________________________________________________________________________

Cross-site scripting (XSS) vulnerability in the BlackBerry Web Desktop Manager
component of the BlackBerry Enterprise Server

Products

Affected Software

This issue affects the BlackBerry Web Desktop Manager component of the
following software versions:

     * BlackBerry Enterprise Server Express versions 5.0.1 and 5.0.2 for
       Microsoft Exchange
     * BlackBerry Enterprise Server Express version 5.0.2 for IBM Lotus Domino
     * BlackBerry Enterprise Server versions 5.0.0 through 5.0.3 for Microsoft
       Exchange and IBM Lotus Domino
     * BlackBerry Enterprise Server version 5.0.1 for Novell GroupWise

Non Affected Software

     * BlackBerry Device Software
     * BlackBerry Desktop Software
     * BlackBerry Internet Service

Are BlackBerry smartphones and the BlackBerry Device Software affected?

No.

Issue Severity

This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 8.1.

Overview

This advisory describes a security issue whereby the BlackBerry Web Desktop
Manager component of the BlackBerry Enterprise Server is susceptible to a
reflected cross-site scripting (XSS) vulnerability. (Reflected cross-site
scripting vulnerabilities are sometimes referred to as non-persistent or Type I
cross-site scripting vulnerabilities.)

Who should read this advisory

BlackBerry Enterprise Server administrators

Who should apply the software fix(es)

BlackBerry Enterprise Server administrators

Recommendation

Complete the resolution actions documented in this advisory.

References

CVE Identifier: CVE-2011-0286

Problem

The vulnerability could allow an attacker to execute externally supplied
scripts using the user privileges of the BlackBerry Web Desktop Manager. This
could allow the attacker to perform any BlackBerry Web Desktop Manager task
that the legitimate user could perform on a BlackBerry smartphone while the
user is logged in to the BlackBerry Web Desktop Manager. Such tasks include
remotely resetting the device password and locking the device, remotely wiping
and disabling the device, and activating the user's account on another device
over the wireless network.

Successful exploitation of this issue requires an attacker to persuade the
legitimate user to click a specially crafted URL. The URL that the attacker
persuades the legitimate user to click may be in a web browser or an email or
instant message.

Mitigations

     * As a best practice, RIM recommends that access to administrative
       functions of the BlackBerry Enterprise Server, including BlackBerry Web
       Desktop Manager, be allowed only from trusted networks or specific hosts.

     * Refer to the documentation for your web browser to learn about potential
       mitigation of cross-site scripting vulnerabilities.

Resolution

The following released versions of the BlackBerry Enterprise Server resolve
this issue:

BlackBerry Enterprise Server version 5.0.3 MR1 for Microsoft Exchange and IBM
Lotus Domino

     * Visit http://www.blackberry.com/go/serverdownloads to obtain BlackBerry
       Enterprise Server version 5.0.3 MR1.

BlackBerry Enterprise Server version 5.0.2 MR5 for Microsoft Exchange

     * Visit http://www.blackberry.com/go/serverdownloads to obtain BlackBerry
       Enterprise Server version 5.0.2 MR5.

RIM has issued the following interim security software updates that resolve the
vulnerability in affected versions of the BlackBerry Enterprise Server and the
BlackBerry Enterprise Server Express.

For BlackBerry Enterprise Server version 5.0.2 for IBM Lotus Domino

     * Visit http://www.blackberry.com/go/serverdownloads to obtain Interim
       Security Software Update for April 12, 2011.

For BlackBerry Enterprise Server version 5.0.1 for Microsoft Exchange, IBM
Lotus Domino, and Novell GroupWise

     * Visit http://www.blackberry.com/go/serverdownloads to obtain Interim
       Security Software Update for April 12, 2011.

For BlackBerry Enterprise Server Express version 5.0.2 for Microsoft Exchange
and IBM Lotus Domino

     * Visit http://www.blackberry.com/go/serverdownloads to obtain Interim
       Security Software Update for April 12, 2011.

For BlackBerry Enterprise Server Express version 5.0.1 for Microsoft Exchange

     * Visit http://www.blackberry.com/go/serverdownloads to obtain Interim
       Security Software Update for April 12, 2011.

If you are using a software version that is not listed above, update to one of
the listed versions to apply the upgrade.

Acknowledgements

RIM would like to thank Ivan Huertas of Cybsec (http://www.cybsec.com) for his
involvement in helping to protect our customers.

Copyright © 2010 Research In Motion Limited, unless otherwise noted.


======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================