=====================================================================
CERT-Renater Information Note No. 2013/VULN451
_____________________________________________________________________
DATE                 : 10/10/2013
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running BlackBerry Universal Device Service version 10.
======================================================================

http://btsc.webapps.blackberry.com/btsc/viewdocument.do;jsessionid=F3258B64AC414EFC1D91E10415CFA549?externalId=KB35139&sliceId=1&cmd=displayKC&docType=kc&noCount=true&ViewedDocsListHelper=com.kanisa.apps.common.BaseViewedDocsListHelperImpl
______________________________________________________________________

BSRT-2013-011 Vulnerability in BlackBerry Universal Device Service wrapper impacts BlackBerry Enterprise Service 10

Article ID      : KB35139
Type            : BlackBerry Security Advisory
First Published : 10-08-2013
Last Modified   : 10-08-2013

Overview

This advisory addresses a remote code execution vulnerability that is not currently being exploited but affects the BlackBerry Universal Device Service (UDS) installed by default with BlackBerry® Enterprise Service (BES) version 10.0 to 10.1.2.

BlackBerry customer risk is limited by the requirement that an attack must be launched from a location within the corporate network with access to the system hosting the UDS. Successful exploitation requires that an attacker know the address of the UDS component of BES10. If the requirements for exploitation are met, an attacker could execute code as the BES10 administration service account.

After installing the recommended software update or modifying the configuration file, affected BES customers will be fully protected from this vulnerability.

Who should read this advisory?
  BlackBerry Enterprise Service 10 administrators

Who should apply the software fix(es)?
  BlackBerry Enterprise Service 10 administrators

More Information

Have any BlackBerry customers been subject to an attack that exploits this vulnerability?
BlackBerry is not aware of any attacks targeting BlackBerry customers using this vulnerability.

What factors affected the release of this security advisory?

This advisory addresses a publicly known vulnerability. BlackBerry publishes full details of a software update in a security advisory after the fix is available to the majority of our customers. Publishing this advisory ensures that all of our customers can protect themselves by updating their software, or by applying available workarounds if updating is not possible.

Where can I read more about the security of BlackBerry products and solutions?

For more information on BlackBerry security, visit http://us.blackberry.com/business/topics/security.html.

Affected Software and Resolutions

Customers can read the following lists to determine if their BlackBerry Enterprise Service 10 installation is affected.

Affected Software
  - BlackBerry Enterprise Service version 10.0 in which BlackBerry Device Service or Universal Device Service was installed, with Oracle Java Runtime 7 update 17 or earlier
  - BlackBerry Enterprise Service version 10.1 to 10.1.2 with Oracle Java Runtime 7 update 17 or earlier

Non-Affected Software
  - BlackBerry Enterprise Service version 10.0 in which only BlackBerry Management Studio was installed
  - BlackBerry Enterprise Service version 10.0 to 10.1.2 with Oracle Java Runtime 7 update 18 or later
  - BlackBerry Enterprise Service version 10.1.3
  - BlackBerry Enterprise Server version 5.0.4 MR5 and earlier
  - BlackBerry Universal Device Service when not installed with BES10

Are BlackBerry smartphones affected?
  No.

Resolution

BlackBerry has issued a fix for this vulnerability, which is included in BlackBerry Enterprise Service version 10.1.3. This software update resolves this vulnerability on affected BES10 versions. To be fully protected from this issue, update the BlackBerry Enterprise Service software to version 10.1.3 or later.
To prevent an attack, affected customers running BlackBerry Enterprise Service 10 version 10.0 to 10.1.2 who cannot update at this time should apply an available workaround. See the Workarounds section of this advisory for instructions.

Vulnerability Information

A vulnerability exists due to a misconfiguration of the JBoss hosting environment in affected BES10 versions. The management software that allows administrators to use a more unified UI when deploying the UDS with BlackBerry Enterprise Service 10 (the wrapper) exposes a JBoss interface that allows a legitimate administrator to upload packages and make them available to clients. This JBoss interface functionality is not used in BES10. The misconfiguration could allow non-administrative users to upload packages.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code using the privileges of the BES10 administration service account. In order to exploit this vulnerability, an attacker must use the Remote Method Invocation (RMI) interface to serve a malicious package to JBoss from a second server on the network that is not blocked by a firewall.

This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 8.3. For a description of the security issue that this security advisory addresses, see the CVE® identifier CVE-2013-3693.

Mitigations

Mitigations are existing conditions that a potential attacker would need to overcome to mount a successful attack, or that would limit the severity of an attack. Examples of such conditions include default settings, common configurations, and general best practices.

This issue is mitigated for all customers by the prerequisite that any attack must be launched from a location within the corporate network with access to the system hosting the UDS. Systems hosting the UDS that are placed behind a firewall that blocks the affected ports are protected from attackers who might exploit this vulnerability.
Workarounds

Workarounds are settings or configuration changes that a user or administrator can apply to help protect against an attack. BlackBerry recommends that all users apply the available software update to fully protect their system. All workarounds should be considered temporary measures for customers to apply if they cannot install the update immediately or must first perform standard testing and risk analysis. BlackBerry recommends that customers who are able to do so install the update to secure their systems. When the administrator’s chosen workaround is applied, the Universal Device Service and BlackBerry Enterprise Service 10 will run normally.

Prevent network users from calling the RMI interface by changing the configuration file

Edit the jboss-service.xml file to permit only local users to call the RMI interface.
  1. Locate the jboss-service.xml file.
  2. Open the jboss-service.xml file in a text editor.
  3. Modify the jboss-service.xml file to include the following settings (port and bind address):
       1099  127.0.0.1
       1098  127.0.0.1
  4. Save and close the jboss-service.xml file.
  5. Restart the BlackBerry Administration Service – Application Server service, if present.
  6. Restart the BlackBerry Web Services service.

Block affected ports to prevent RMI access

Administrators can block the affected ports 1098 and 1099 using a firewall appliance or using IPSec on the Windows server. To block these ports using IPSec on Microsoft Windows Server®, use the instructions located at http://support.microsoft.com/kb/813878.

Update the Java Runtime to version 7 update 18 or later

Administrators can update the Java Runtime to be protected from this vulnerability. For instructions on manually upgrading the Java Runtime Environment, see KB34385, "How to manually upgrade the Java Runtime Environment on BlackBerry Enterprise Service 10 version 10.1 to 10.1.2".

More Information

What is JBoss®?
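As an added check, not part of the advisory, the following script verifies the configuration-file workaround above: it parses a jboss-service.xml and reports any of ports 1098/1099 whose bind address is not loopback. The sample XML is constructed, and the NamingService attribute names (Port, BindAddress, RmiPort, RmiBindAddress) are assumed from the JBoss 4.x layout rather than quoted from the advisory.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on a JBoss 4.x jboss-service.xml NamingService
# mbean. Attribute names are an assumption, not text from the advisory.
SAMPLE_WEAK = """<server>
  <mbean code="org.jboss.naming.NamingService" name="jboss:service=Naming">
    <attribute name="Port">1099</attribute>
    <attribute name="BindAddress">0.0.0.0</attribute>
    <attribute name="RmiPort">1098</attribute>
    <attribute name="RmiBindAddress">0.0.0.0</attribute>
  </mbean>
</server>"""

# Same file after applying the workaround: both ports bound to loopback only.
SAMPLE_FIXED = SAMPLE_WEAK.replace("0.0.0.0", "127.0.0.1")

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
RMI_PORTS = {"1098", "1099"}  # the ports named in the advisory


def naming_attributes(xml_text):
    """Return {attribute name: value} for the JBoss NamingService mbean."""
    root = ET.fromstring(xml_text)
    for mbean in root.iter("mbean"):
        if mbean.get("code", "").endswith("NamingService"):
            return {a.get("name"): (a.text or "").strip()
                    for a in mbean.findall("attribute")}
    return {}


def exposed_rmi_bindings(xml_text):
    """List (port, bind address) pairs for RMI/JNDI ports that are reachable
    from the network, i.e. not bound to a loopback address. A missing value
    or a ${...} property placeholder is treated as exposed, since it may
    resolve to a non-loopback interface at runtime."""
    attrs = naming_attributes(xml_text)
    exposed = []
    for port_key, addr_key in (("Port", "BindAddress"),
                               ("RmiPort", "RmiBindAddress")):
        port = attrs.get(port_key)
        addr = attrs.get(addr_key, "")
        if port in RMI_PORTS and addr not in LOOPBACK:
            exposed.append((port, addr or "<unset>"))
    return exposed


if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_WEAK), ("fixed", SAMPLE_FIXED)):
        print(label, "exposed:", exposed_rmi_bindings(text))
```

Run it against the real file with `exposed_rmi_bindings(open(path).read())`; an empty list means both RMI ports are loopback-only, but the restart steps above are still required for the change to take effect.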
JBoss is an open source component that acts as a container and host for BlackBerry-written components within the BlackBerry Enterprise Service. JBoss is developed and maintained by JBoss, a division of Red Hat.

Definitions

CVE
  Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities, maintained by the MITRE Corporation.

CVSS
  CVSS is a vendor-agnostic, industry open standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency for update deployment within an organization. CVSS scores can range from 0.0 (no vulnerability) to 10.0 (critical). BlackBerry uses CVSS in vulnerability assessments to present an immutable characterization of security issues. BlackBerry assigns all relevant security issues a non-zero score. Customers performing their own risk assessments of vulnerabilities that may impact them can benefit from using the same industry-recognized CVSS metrics.

Acknowledgements

This vulnerability was discovered by Paul O’Grady of Security Compass, who assisted BlackBerry in identifying the cause of the issue.

Change Log

10-08-2013  Initial publication.

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44              +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41              +
+ 75013 Paris           | email: cert@support.renater.fr    +
==========================================================