Privacy and Legal Notice

CIAC INFORMATION BULLETIN

S-369: BlackBerry Attachment Service PDF Distiller Vulnerability

[US-CERT Vulnerability Note VU#289235]

August 20, 2008 16:00 GMT
PROBLEM: The PDF Distiller service that is provided with BlackBerry Enterprise Server contains a vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
PLATFORM: BlackBerry Enterprise Server
BlackBerry Unite!
DAMAGE: Execute arbitrary code.
SOLUTION: Upgrade to the appropriate version.
VULNERABILITY
ASSESSMENT:		 The risk is MEDIUM. By convincing a user to open a spsecially-crafted PDF attachment on a BlackBerry smartphone, a remote, unauthenticated attacker may be able to execute arbitrary code on the system that runs the BlackBerry Attachment Service.
CVSS 2 BASE SCORE:
   TEMPORAL SCORE:
   VECTOR:		 7.5
6.2
(AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C)
LINKS:  
  CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/s-369.shtml
  ORIGINAL BULLETIN: http://www.kb.cert.org/vuls/id/289235 
[***** Start US-CERT Vulnerability Note VU#289235 *****]

Vulnerability Note VU#289235

BlackBerry Attachment Service PDF distiller vulnerable to arbitrary code execution

Overview

The PDF Distiller service that is provided with BlackBerry Enterprise Server contains a vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

I. Description

The BlackBerry Attachment Service is a component of the BlackBerry Enterprise Server (BES) and BlackBerry Unite!. The BlackBerry Attachment Service renders certain types of files sent as email attachments for display on BlackBerry Handhelds and other BlackBerry client devices. An unspecified vulnerability in the PDF distiller component of the BlackBerry Attachment Service may allow arbitrary code execution on the system that runs the vulnerable service.

II. Impact

By convincing a user to open a specially-crafted PDF attachment on a BlackBerry smartphone, a remote, unauthenticated attacker may be able to execute arbitrary code on the system that runs the BlackBerry Attachment Service.

III. Solution

Apply an update

This issue is addressed in BlackBerry Enterprise Server 4.1 Service Pack 6 (4.1.6). Please see BlackBerry document KB15766 for more details.
This issue is also addressed in BlackBerry Unite! 1.0 Service Pack 1 (1.0.1) bundle 36. Please see BlackBerry document KB15770 for more details.

Prevent the BlackBerry Attachment Service from processing PDF files

BlackBerry document KB15766 and KB15770 outline several ways of preventing the BlackBerry Enterprise Server and BlackBerry Unite! from processing PDF files, which can help mitigate this vulnerability.

Systems Affected

Vendor Status Date Updated
Research in Motion (RIM) Vulnerable 18-Jul-2008

References


http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB15766
http://www.blackberry.com/btsc/articles/660/KB15766_f.SAL_Public.html
http://www.blackberry.com/btsc/articles/635/KB15770_f.SAL_Public.html
http://secunia.com/advisories/31092/
http://secunia.com/advisories/31141/

Credit

This issue was reported by Research In Motion.

This document was written by Will Dormann.

Other Information

Date Public 07/17/2008
Date First Published 07/18/2008 10:07:57 AM
Date Last Updated 07/18/2008
CERT Advisory  
CVE-ID(s)  
NVD-ID(s)  
US-CERT Technical Alerts  
Metric 20.31
Document Revision 6 

[***** End US-CERT Vulnerability Note VU#289235 *****]
CIAC wishes to acknowledge the contributions of US-CERT for the information contained in this bulletin.
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at: 
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@ciac.org
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org
This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788
[Privacy and Legal Notice]