PROBLEM: | The PDF Distiller service that is provided with BlackBerry Enterprise Server contains a vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. |
PLATFORM: | BlackBerry Enterprise Server BlackBerry Unite! |
DAMAGE: | Execute arbitrary code. |
SOLUTION: | Upgrade to the appropriate version. |
VULNERABILITY ASSESSMENT: |
The risk is MEDIUM. By convincing a user to open a spsecially-crafted PDF attachment on a BlackBerry smartphone, a remote, unauthenticated attacker may be able to execute arbitrary code on the system that runs the BlackBerry Attachment Service. |
CVSS 2 BASE SCORE: TEMPORAL SCORE: VECTOR: |
7.5 6.2 (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C) |
LINKS: | |
CIAC BULLETIN: | http://www.ciac.org/ciac/bulletins/s-369.shtml |
ORIGINAL BULLETIN: | http://www.kb.cert.org/vuls/id/289235 |
[***** Start US-CERT Vulnerability Note VU#289235 *****]
This issue is addressed in BlackBerry Enterprise Server 4.1 Service Pack 6 (4.1.6). Please see BlackBerry document KB15766 for more details.
This issue is also addressed in BlackBerry Unite! 1.0 Service Pack 1 (1.0.1) bundle 36. Please see BlackBerry document KB15770 for more details.
Prevent the BlackBerry Attachment Service from processing PDF files
BlackBerry document KB15766 and KB15770 outline several ways of preventing the BlackBerry Enterprise Server and BlackBerry Unite! from processing PDF files, which can help mitigate this vulnerability.
Vendor | Status | Date Updated |
---|---|---|
Research in Motion (RIM) | Vulnerable | 18-Jul-2008 |
http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB15766
http://www.blackberry.com/btsc/articles/660/KB15766_f.SAL_Public.html
http://www.blackberry.com/btsc/articles/635/KB15770_f.SAL_Public.html
http://secunia.com/advisories/31092/
http://secunia.com/advisories/31141/
This issue was reported by Research In Motion.
This document was written by Will Dormann.
Date Public | 07/17/2008 |
Date First Published | 07/18/2008 10:07:57 AM |
Date Last Updated | 07/18/2008 |
CERT Advisory | |
CVE-ID(s) | |
NVD-ID(s) | |
US-CERT Technical Alerts | |
Metric | 20.31 |
Document Revision | 6 |
[***** End US-CERT Vulnerability Note VU#289235 *****]
Voice: +1 925-422-8193 (7 x 24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org