
====================================================================

                                CERT-Renater

                   Note d'Information No. 2016/VULN073
_____________________________________________________________________

DATE                : 24/02/2016

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running BES versions prior to 12.4.

======================================================================
http://support.blackberry.com/kb/articleDetail?articleNumber=000038033
_____________________________________________________________________

BSRT-2016-001 Vulnerabilities in BES12 Management Console impact BES12

Article Number: 000038033
First Published: February 17, 2016
Last Modified: February 17, 2016
Type: Security Advisory

Overview
This advisory addresses multiple vulnerabilities that are not currently
being exploited but affect BES12 customers. BlackBerry customer risk is
limited by the requirement that a potential attacker possess knowledge
of the internal network and, in most cases, by the inability of an
attacker to force exploitation of the vulnerabilities without customer
interaction. Successful exploitation requires that an attacker craft a
malicious link and that a user with Management Console access click on
that link. If these requirements are met, an attacker could potentially
monitor, modify or exfiltrate data. After installing the recommended
software update, affected customers will be fully protected from these
vulnerabilities.

Who Should Read This Advisory?

      BES12 administrators

Who Should Apply The Software Fix(es)?

      BES12 administrators

More Information

Have any BlackBerry customers been subject to an attack that exploits 
these vulnerabilities?

BlackBerry is not aware of any attacks targeting BlackBerry customers 
using these vulnerabilities.

What factors affected the release of this security advisory?
This advisory addresses privately disclosed vulnerabilities. BlackBerry
publishes full details of a software update in a security advisory
after the fix is available to most of our customers. Publishing this
advisory ensures that all of our customers can protect themselves by
updating their software, or employing available workarounds if updating
is not possible.

Where can I read more about the security of BlackBerry products and
solutions?
For more information on BlackBerry security, visit
www.blackberry.com/security and www.blackberry.com/bbsirt.


Affected Products and Resolutions

Read the following to determine if your BES12 installation is affected.


Affected Products

      BES12 version 12.3.1 and earlier


Non Affected Products

      BES12 version 12.4 and later

Are BlackBerry Devices Affected?
No.

Resolution
BlackBerry has issued a fix for these vulnerabilities, which is
included in BES12 version 12.4 and later. This software update resolves
these vulnerabilities on affected versions. To be fully protected from
this issue, affected customers should update to BES12 version 12.4 or
later.
Visit
http://web.blackberry.com/support/business/bes-support/bes-support-downloads.html
to download upgrades or maintenance releases. Customers running an
affected version who cannot update at this time should apply an
available workaround. See the Workarounds section of this advisory for
instructions.

Are BES10 and BES5 affected by these vulnerabilities?
No.

Vulnerability Information

Vulnerabilities exist in the BES12 Management Console of affected
versions of BES12. The Management Console is a web interface that
allows administrators and users to manage enterprise-activated devices.
Users can only manage their own devices. There are two potential
vulnerability scenarios:

SQL Injection - CVE-2016-1914
Successful exploitation of this vulnerability could result in an
attacker invoking actions within the BES UI or modifying or
exfiltrating data from the SQL database.

In order to exploit this vulnerability, an attacker must first know the
URL of the BES12 Management Console on the internal network and then
craft a malicious link. An external attacker must then persuade a user
with legitimate access to the Management Console to click on the link.
An internal attacker with legitimate access could also click on the
malicious link themselves.

Reflected Cross-Site Scripting - CVE-2016-1915
Successful exploitation of this vulnerability could result in an
attacker logging keystrokes, obtaining the user's credentials for BES12
or invoking actions within the BES UI.

In order to exploit this vulnerability, an attacker must first know the
URL of the BES12 Management Console on the internal network and then
craft a malicious link. An attacker must then persuade a user with
legitimate access to the Management Console to click on the link.

This advisory addresses multiple vulnerabilities, with a maximum Common
Vulnerability Scoring System (CVSS) score of 6.8. View the linked Common
Vulnerabilities and Exposures (CVE) identifiers for descriptions of the
security issues that this security advisory addresses.

CVE identifier - CVSS score
CVE-2016-1914 - 6.8
CVE-2016-1915 - 5.8
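Both issues above share the same shape: a value taken from a crafted
link is handed, unchanged, to a SQL query (CVE-2016-1914) or reflected
into the page (CVE-2016-1915). The following is an added example, not
code from BlackBerry, BES12 or CERT-Renater. It uses a constructed
in-memory SQLite table, a hypothetical "owner" query parameter and
hypothetical console URLs to show the unsafe pattern beside its
hardened form: bound SQL parameters for the query and HTML encoding for
the reflected value. Running it shows that the hardened functions treat
a crafted parameter purely as data, which is the property a code review
or regression test of a console like this should check for.

```python
import html
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed in-memory table standing in for a console's device list.
# The schema is an assumption for this example, not BES12's.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (owner TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO devices (owner, name) VALUES (?, ?)",
        [("alice", "alice-phone"), ("bob", "bob-tablet")],
    )
    return conn

def owner_from_link(link):
    """Extract the hypothetical 'owner' query parameter from a link."""
    return parse_qs(urlsplit(link).query).get("owner", [""])[0]

def devices_unsafe(conn, owner):
    # SQL built by string formatting: the parameter value becomes SQL
    # text, so a crafted value changes which rows the query returns.
    sql = f"SELECT name FROM devices WHERE owner = '{owner}' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]

def devices_safe(conn, owner):
    # Bound parameter: the driver passes the value separately from the
    # SQL, so it is only ever compared as data.
    sql = "SELECT name FROM devices WHERE owner = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (owner,))]

def page_unsafe(owner):
    # Reflects the parameter into HTML verbatim: markup in the value is
    # rendered and any script in it runs in the administrator's session.
    return f"<h1>Devices for {owner}</h1>"

def page_safe(owner):
    # HTML-encode before reflecting, so the value is displayed as text.
    return f"<h1>Devices for {html.escape(owner, quote=True)}</h1>"

# Constructed links: one normal request and two carrying crafted
# parameter values of the kind the advisory describes (hypothetical
# host name, not a real console).
NORMAL_LINK = "https://console.example.internal/devices?owner=alice"
SQLI_LINK = "https://console.example.internal/devices?owner=x%27%20OR%20%271%27%3D%271"
XSS_LINK = "https://console.example.internal/devices?owner=%3Cscript%3Ealert(1)%3C/script%3E"

def demo():
    """Run each link through the unsafe and hardened handlers."""
    conn = build_db()
    results = {}
    for label, link in (("normal", NORMAL_LINK), ("sqli", SQLI_LINK), ("xss", XSS_LINK)):
        owner = owner_from_link(link)
        results[label] = {
            "unsafe_rows": devices_unsafe(conn, owner),
            "safe_rows": devices_safe(conn, owner),
            "unsafe_html": page_unsafe(owner),
            "safe_html": page_safe(owner),
        }
    return results

if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

With the crafted SQL value, devices_unsafe returns every row while
devices_safe returns none, because the bound parameter is compared to
the literal string and matches no owner. With the crafted HTML value,
page_safe emits the markup characters as entities so the browser shows
them as text instead of executing them.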

Mitigations

Mitigations are existing conditions that a potential attacker would
need to overcome to mount a successful attack or that would limit the
severity of an attack. Examples of such conditions include default
settings, common configurations, and general best practices.

These issues are mitigated for all customers by the prerequisite that,
in most cases, an attacker must persuade a user with access to the
Management Console to click a maliciously crafted link. An attacker
cannot force the user to click the link or bypass the requirement that
the user chooses to click the link.
BlackBerry recommends that customers do not click links in emails
received from untrusted sources or within webpages they are otherwise
directed to by untrusted sources.

This issue is further mitigated by the prerequisite that an attacker
must have knowledge of the internal network.

Captured credentials for the Management Console would not be usable by
an external attacker outside of the compromised session as the
Management Console is not accessible from the Internet.

Workarounds

Workarounds are settings or configuration changes that a user or
administrator can apply to help protect against an attack. BlackBerry
recommends that all users apply the available software update to fully
protect their system. All workarounds should be considered temporary
measures for customers to apply if they cannot install the update
immediately or must perform standard testing and risk analysis.
BlackBerry recommends that customers who are able to do so
install the update to secure their systems.

There are no workarounds for these vulnerabilities.

Definitions

CVE
Common Vulnerabilities and Exposures (CVE) is a dictionary of common
names (CVE Identifiers) for publicly known information security
vulnerabilities maintained by the MITRE Corporation.

CVSS
CVSS is a vendor-agnostic, open industry standard designed to convey the
severity of vulnerabilities. CVSS scores may be used to determine the
urgency for update deployment within an organization. CVSS scores can
range from 0.0 (no vulnerability) to 10.0 (critical). BlackBerry uses
CVSS in vulnerability assessments to present an immutable
characterization of security issues. BlackBerry assigns all relevant
security issues a non-zero score.
Customers performing their own risk assessments of vulnerabilities that
may impact them can benefit from using the same industry-recognized
CVSS metrics.

Change Log
02-17-2016

Initial publication

==========================================================
Serveur de référence du CERT-Renater
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================