=====================================================================
CERT-Renater Information Note No. 2014/VULN169
_____________________________________________________________________

DATE : 18/08/2014
HARDWARE PLATFORM(S): Z30, Z10, Q10, Q5.
OPERATING SYSTEM(S): BlackBerry 10 OS version prior to 10.2.1.1925.
======================================================================

http://www.blackberry.com/btsc/KB36174
______________________________________________________________________

BSRT-2014-006 Vulnerability in file sharing service affects BlackBerry Z10, BlackBerry Z30, BlackBerry Q10, and BlackBerry Q5 smartphones

Article ID: KB36174
Type: BlackBerry Security Advisory
First Published: 08-12-2014
Last Modified: 08-12-2014
Product(s) Affected: Z30, Z10, Q10, Q5

Overview

This advisory addresses a file sharing authentication bypass vulnerability that is not currently being exploited but affects BlackBerry Z10, BlackBerry Z30, BlackBerry Q10, and BlackBerry Q5 smartphone customers. BlackBerry customer risk is limited by the default file sharing settings and a requirement for an attacker to have access to the same physical network. Successful exploitation requires an attacker to locate and connect to an affected smartphone over a Wi-Fi network, and requires that the user has enabled file sharing over Wi-Fi. If these requirements are met, an attacker could potentially gain access to, read, or modify data on the device. After installing the recommended software update, affected BlackBerry 10 smartphone customers will be fully protected from this vulnerability.

Who should read this advisory?

  BlackBerry 10 smartphone users
  IT administrators who deploy BlackBerry 10 smartphones in an enterprise

Who should apply the software fix(es)?

  BlackBerry 10 smartphone users
  IT administrators who deploy BlackBerry 10 smartphones in an enterprise

More Information

Have any BlackBerry customers been subject to an attack that exploits this vulnerability?
BlackBerry is not aware of any attacks targeting BlackBerry 10 smartphone customers using this vulnerability.

What factors affected the release of this security advisory?

This advisory addresses a privately disclosed authentication bypass vulnerability in the BlackBerry 10 file sharing service. BlackBerry publishes full details of a software update in a security advisory after the fix is available to the majority of our customers and wireless service provider partners. Publishing this advisory ensures that all of our customers can protect themselves by updating their software, or by employing available workarounds if updating is not possible. Customers for whom the software update is not yet available should contact their wireless service provider to request BlackBerry 10 smartphone version 10.2.1.1925 or later.

Where can I read more about BlackBerry 10 smartphone security?

For more information on security features in BlackBerry smartphones, read the BlackBerry Enterprise Service 10 Security Technical Overview.

Affected Software and Resolutions

Read the following information to determine if your BlackBerry 10 smartphone is affected.

Affected Software
  BlackBerry 10 OS earlier than version 10.2.1.1925

Non-Affected Software
  BlackBerry 10 OS version 10.2.1.1925 and later

Are BlackBerry smartphones affected?
  Yes

Resolution

BlackBerry has issued a fix for this vulnerability, which is included in BlackBerry 10 OS version 10.2.1.1925 and later. This software update resolves the vulnerability on affected versions of BlackBerry 10 smartphones. Update BlackBerry 10 smartphone software to version 10.2.1.1925 or later to be fully protected from this issue.

Note: If customers are running a BlackBerry 10 OS earlier than 10.2.1.1925 but do not see a software update notification, and the device indicates that the software is up to date, customers should contact their wireless service provider to request BlackBerry 10 OS version 10.2.1.1925 or later.
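As an added example (not code from BlackBerry, modzero or CERT-Renater), the affected/non-affected version boundary above applied to a constructed device inventory, so an administrator can see which devices still need the update. The device ids and every version string other than 10.2.1.1925 are made-up sample values; the Z3 exemption comes from the advisory's own note that all Z3 software includes the fix.

```python
# Added example (not part of the BlackBerry advisory or CERT-Renater note):
# triage a constructed device inventory against the affected-version boundary
# the advisory gives (BlackBerry 10 OS earlier than 10.2.1.1925 on Z30, Z10,
# Q10 and Q5). Version strings must be compared numerically per component;
# plain string comparison would misorder e.g. "10.2.1.1925" and "10.2.1.537".

FIXED_VERSION = "10.2.1.1925"
AFFECTED_MODELS = {"Z30", "Z10", "Q10", "Q5"}   # Product(s) Affected, per the advisory


def parse_version(version: str) -> tuple:
    """Turn a dotted BlackBerry 10 OS version into a tuple of ints for ordering."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(model: str, os_version: str) -> bool:
    """True when the model is in the affected list and runs an OS older than the fix."""
    if model.upper() not in AFFECTED_MODELS:
        return False   # e.g. Z3, which the advisory says ships with the fix in all versions
    return parse_version(os_version) < parse_version(FIXED_VERSION)


def triage(inventory: list) -> dict:
    """Split (device_id, model, os_version) records into update-needed and clear buckets."""
    report = {"update_required": [], "not_affected": [], "unparseable": []}
    for device_id, model, os_version in inventory:
        try:
            bucket = "update_required" if is_affected(model, os_version) else "not_affected"
        except ValueError:
            bucket = "unparseable"   # never silently treat a bad record as patched
        report[bucket].append(device_id)
    return report


# Constructed sample inventory; ids and versions other than 10.2.1.1925 are made up.
SAMPLE_INVENTORY = [
    ("dev-001", "Z10", "10.2.1.537"),     # affected model, older build -> update
    ("dev-002", "Q10", "10.2.1.1925"),    # exactly the fixed version -> clear
    ("dev-003", "Z30", "10.3.0.12"),      # later release -> clear
    ("dev-004", "Z3",  "10.2.1.537"),     # model not in the affected list -> clear
    ("dev-005", "Q5",  "10.2.1.1925-x"),  # malformed version string -> flag for review
]

if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {ids}")
```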
For information on how to manage potential risk until the software update is available for all customers, see the Mitigations section of this advisory.

Update by Accessing the Software Update Notification

BlackBerry 10 smartphones use notifications to keep customers informed about software updates. When a new software update notification is available, it appears in the Notifications section of the BlackBerry Hub on affected BlackBerry smartphones. Review the notifications and follow the steps to access the latest software update notification and complete the software update.

Manually Check for Software Updates on BlackBerry 10 smartphones

1. From the home screen, swipe down from the top of the screen.
2. Tap Settings, then Software Updates.
3. Tap Check for Updates.

Customers can also update their BlackBerry smartphone software using BlackBerry Link. For more information, see the Help documentation for BlackBerry Link.

More Information

How can I find out what version of the BlackBerry 10 OS I am running?

1. From the home screen, swipe down from the top of the screen.
2. Tap Settings, then Software Updates.
3. Tap About, and view the OS Version or Software Release field in the OS settings.

Are new (still in the box) BlackBerry 10 smartphones exposed to this vulnerability?

As long as the customer fully completes the smartphone setup, including the smartphone software update, the smartphone will not be affected. During the initial setup process, BlackBerry 10 smartphones download and install the latest version of the OS available from the customer's carrier. The fix for this vulnerability is included in all versions of BlackBerry 10 OS after version 10.2.1.1925.

Note: If customers are running an affected version earlier than 10.2.1.1925 but do not see a software update notification, and their device indicates that the software is up to date, customers should contact their wireless service provider to request BlackBerry 10 OS version 10.2.1.1925 or later.
Are Z3 smartphones exposed to this vulnerability?

No. The fix for this vulnerability is included in all versions of the Z3 smartphone software.

Does the BlackBerry 10 smartphone force me to update my software?

No, customer action is required to update the software. BlackBerry 10 smartphones use notifications to keep customers informed about software updates and provide instructions for customers to easily install a software update. Customers can also manually check for software updates. For instructions to update customer software, see the Resolution section of this advisory.

Can a BlackBerry 10 smartphone user update the file sharing service without performing a full BlackBerry 10 OS upgrade?

No. The service is provided as an integral part of the BlackBerry 10 smartphone installation, and they must be updated together.

Vulnerability Information

A vulnerability that could allow authentication bypass exists in the Wi-Fi file sharing service supplied with affected versions of the BlackBerry 10 OS. This service allows a BlackBerry 10 smartphone to share files from the SD card and the media folder over a Wi-Fi network. Successful exploitation of this vulnerability could potentially result in an attacker gaining the ability to read, write, or modify data on the device. In order to exploit this vulnerability, an attacker must connect to an affected BlackBerry smartphone's file sharing service.

This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 5.4. View the linked Common Vulnerabilities and Exposures (CVE) identifier for a description of the security issue that this security advisory addresses.

CVE identifier    CVSS score
CVE-2014-1470     5.4

Mitigations

Mitigations are existing conditions that a potential attacker would need to overcome in order to mount a successful attack, or that would limit the severity of an attack. Examples of such conditions include default settings, common configurations, and general best practices.
This issue is mitigated for all customers by the prerequisite that the attacker must persuade the customer to turn on file sharing over Wi-Fi, or locate a customer on the Wi-Fi network who has file sharing over Wi-Fi turned on. File sharing over Wi-Fi is not enabled by default.

Workarounds

Workarounds are settings or configuration changes that a user or administrator can apply to help protect against an attack. BlackBerry recommends that all users apply the available software update to fully protect their smartphone. All workarounds should be considered temporary measures for customers to apply if they cannot install the update immediately or must perform standard testing and risk analysis. BlackBerry recommends that customers who are able to do so install the update to secure their smartphones.

Disabling file sharing over Wi-Fi networks

1. On the home screen of your BlackBerry device, swipe down from the top of the screen.
2. Tap Settings > Storage and Access.
3. Set the Access using Wi-Fi switch to Off.

Once customers have upgraded their BlackBerry 10 OS, they can resume file sharing over Wi-Fi.

Restrict users from file sharing over Wi-Fi networks

Administrators who deploy work space only devices and regulated BlackBerry Balance devices in their networks can use the Computer Access to Device IT policy rule to prevent computers from accessing content on devices using the file-sharing option with a Wi-Fi connection. If you set this rule to Disallow, users cannot connect their devices to BlackBerry Link.

Related best practices

  Users should enable Wi-Fi file sharing only while they are connected to trusted networks and intend to share files.
  Users should not enable Wi-Fi file sharing on their BlackBerry 10 smartphone when they are not actively sharing files.
  Users should connect their BlackBerry 10 smartphone over USB connections to trusted computers only.

More Information

Does setting a unique password for file sharing help protect me against this vulnerability?
No, using a password for file sharing is not a workaround for this vulnerability.

Definitions

CVE
Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities, maintained by the MITRE Corporation.

CVSS
CVSS is a vendor-agnostic, industry open standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency for update deployment within an organization. CVSS scores can range from 0.0 (no vulnerability) to 10.0 (critical). BlackBerry uses CVSS in vulnerability assessments to present an immutable characterization of security issues. BlackBerry assigns all relevant security issues a non-zero score. Customers performing their own risk assessments of vulnerabilities that may impact them can benefit from using the same industry-recognized CVSS metrics.

Acknowledgements

This vulnerability was discovered by David Gullasch, Max Moser, and Martin Schobert of modzero, who assisted BlackBerry in identifying the cause of the issue.

Change Log

08-12-2014  Initial publication

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44 +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41 +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================