BlackBerry Forums Support Community               

Closed Thread
 
Old 07-11-2008, 07:16 AM   #1 (permalink)
BlackBerry Genius
 
hdawg's Avatar
 
Join Date: Aug 2006
Model: hdawg
PIN: port3101.org
Carrier: hdawg
Posts: 6,632
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default Vulnerability Notice - PDF distiller of the BlackBerry Attachment Service for the BES


KB15766 - Vulnerability in the PDF distiller of the BlackBerry Attachment Service for the BlackBerry Enterprise Server

-----
Environment
* BlackBerry® Enterprise Server software version 4.1 Service Pack 3 (4.1.3) through 4.1 Service Pack 5 (4.1.5)

Overview
This advisory describes a security issue that the BlackBerry Attachment Service component of the BlackBerry Enterprise Server is susceptible to. The issue relates to a known vulnerability in the PDF distiller component of the BlackBerry Attachment Service that affects how the BlackBerry Attachment Service processes PDF files.

This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 9.0.

Problem
A security vulnerability in the PDF distiller of the BlackBerry Attachment Service could enable a malicious individual to use a specially crafted PDF file attachment in an email message to cause arbitrary code to execute on the computer that the BlackBerry Attachment Service runs on. If a BlackBerry smartphone user on a BlackBerry Enterprise Server opens and views the specially crafted PDF file attachment on the BlackBerry smartphone, the arbitrary code execution could compromise the computer.

Resolution
This issue has been escalated internally to our development team. No resolution time frame is currently available.

Workaround
Note: As a mobile device best practice, Research In Motion (RIM) recommends that BlackBerry smartphone users open attachments from trusted sources only.

Prevent the BlackBerry Attachment Service from processing PDF files in a BlackBerry Enterprise Server environment

You can prevent the BlackBerry Attachment Service from processing PDF files by editing the list of file format extensions that the BlackBerry Attachment Service opens, and then preventing the PDF attachment distiller from running on the BlackBerry Attachment Service.

To remove the PDF file extension from the list of supported file format extensions, complete the following actions:

1. From the Windows® Desktop, open the BlackBerry Server Configuration tool.
2. Click the Attachment Server tab.
3. In the Format Extensions field, delete pdf: from the colon–delimited list of extensions.
4. Click Apply.
5. Click OK.

Until you prevent the PDF attachment distiller from running, the BlackBerry Attachment Service still detects a PDF file with a renamed extension (in other words, its extension is not .pdf) and attempts to process the file automatically. To prevent the PDF attachment distiller from running, complete the following actions:

1. On the Windows Desktop, open the BlackBerry Server Configuration tool.
2. Click the Attachment Server tab.
3. In the Configuration Option drop-down list, select Attachment Server.
4. In the Distiller Settings section, next to the distiller name Adobe PDF, clear the check box in the Enabled column.
5. Click Apply.
6. Click OK.
7. On the Windows Desktop, in Administrative Tools, open Services.
8. Right-click BlackBerry Attachment Service and click Stop.
9. Right-click BlackBerry Attachment Service and click Start.
10. Close Services.

In Microsoft® Exchange and Novell® GroupWise® environments, complete the following additional steps:

1. On the Windows Desktop, in Administrative Tools, open Services.
2. Right-click BlackBerry Dispatcher and click Stop.
3. Right-click BlackBerry Dispatcher and click Start.
4. Close Services.

Important: Restarting certain BlackBerry Enterprise Server services will delay email message delivery to BlackBerry smartphones. For more information, see KB04789.

In IBM® Lotus® Domino® environments, complete the following additional steps:

1. Open the IBM Lotus Domino Administrator.
2. Click the Server tab.
3. Click the Status tab.
4. Click Server Console.
5. In the Domino Command field, type tell BES quit and press ENTER.
6. In the Domino Command field, type load BES and press ENTER.
7. Close the IBM Lotus Domino Administrator.


Additional Information
You can install the BlackBerry Attachment Service on a remote computer and then place that computer on its own network segment to prevent the spread of potential attacks from the BlackBerry Attachment Service to another computer within your organization’s network. In a segmented network, attacks are isolated and contained on a single area of the network. Using segmented network architecture is designed to improve the security and performance of the BlackBerry Attachment Service network segment by filtering out attachment data that is not destined for other network segments. For more information about placing the BlackBerry Enterprise Solution components in a network architecture that is segmented to prevent the spread of potential malware attacks, see Placing the BlackBerry Enterprise Solution in a Segmented Network.

Visit BlackBerry - BlackBerry Enterprise Solution | Wireless Network Security for Corporate Data for more information on BlackBerry security.

CVSS is a vendor agnostic, industry open standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency for update deployment within an organization. CVSS scores range from 0.0 (no vulnerability) to 10.0 (critical). RIM uses CVSS in vulnerability assessments to present an immutable characterization of security issues. RIM assigns all security relevant issues a non-zero score.

Last edited by juwaack68 : 07-18-2008 at 10:19 AM. Reason: Make it easier to read
Offline  
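The workaround above notes that removing pdf from the extension list is not enough on its own, because a PDF with a renamed extension is still detected and processed. As an added example (not part of the advisory or of any post in this thread), the Python sketch below shows why an extension-only filter at a mail gateway has the same gap: it classifies attachments by name, declared type and content. The `%PDF-` header check within the first 1024 bytes is an assumption about how a lenient reader recognises a PDF, not a description of how the BlackBerry Attachment Service does it; all function names and the sample message are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

PDF_MAGIC = b"%PDF-"
SNIFF_WINDOW = 1024  # assumption: lenient readers accept the header in the first 1024 bytes


def classify_parts(raw_message: bytes):
    """Return (filename, content_type, reasons) for each part that looks like a PDF."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        body = part.get_payload(decode=True) or b""
        reasons = []
        if name.lower().endswith(".pdf"):
            reasons.append("extension")
        if ctype == "application/pdf":
            reasons.append("content-type")
        if PDF_MAGIC in body[:SNIFF_WINDOW]:
            reasons.append("magic")
        if reasons:
            hits.append((name, ctype, reasons))
    return hits


def missed_by_extension_filter(hits):
    """Names of parts an extension-only block list would let through."""
    return [name for name, _, reasons in hits if "extension" not in reasons]


def build_sample() -> bytes:
    """Constructed message: one named PDF, one renamed PDF, one non-PDF."""
    stub = b"%PDF-1.4\n% constructed stub, not a real document\n"
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.test", "user@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(stub, maintype="application", subtype="pdf", filename="report.pdf")
    msg.add_attachment(stub, maintype="application", subtype="octet-stream", filename="notes.dat")
    msg.add_attachment(b"plain text", maintype="application", subtype="octet-stream", filename="readme.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in classify_parts(build_sample()):
        print(hit)
```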
Old 07-11-2008, 07:40 AM   #2 (permalink)
Retired BBF Moderator
 
Sith_Apprentice's Avatar
 
Join Date: Aug 2005
Model: 9000
OS: 4.6.0.xxx
Carrier: AT&T
Posts: 10,149
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

What is amusing is that RIM will continue its stance that the BlackBerry has never gotten a virus, and this technically remains true. The system that the Attachment handler sits on gets the virus.
Offline  
Old 07-11-2008, 08:38 AM   #3 (permalink)
BlackBerry Elite
 
knottyrope's Avatar
 
Join Date: Jan 2008
Location: Massachusetts
Model: Z30
OS: 10.2.1
PIN: t of blood has been taken
Carrier: AT&T-US with I dee ten tee errors
Posts: 6,722
Post Thanks: 272
Thanked 289 Times in 273 Posts
Default

Ok how serious is this?

How many are turning it off on their BES?

Would antivirus protect the server?
__________________
irony : many old timer posters have de-evolved into the trolls they once fought
I am on http://supportforums.blackberry.com
BES 10 running sweet for my Z30, Z10 and Q10
Offline  
Old 07-11-2008, 08:48 AM   #4 (permalink)
BlackBerry Genius
 
hdawg's Avatar
 
Join Date: Aug 2006
Model: hdawg
PIN: port3101.org
Carrier: hdawg
Posts: 6,632
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

I've not seen anything in the wild; and as such have informed customers of the vulnerability but am not recommending they make any changes.

I can't say one way or another if an AV software will help this however.
Offline  
Old 07-11-2008, 08:50 AM   #5 (permalink)
Retired BBF Moderator
 
Sith_Apprentice's Avatar
 
Join Date: Aug 2005
Model: 9000
OS: 4.6.0.xxx
Carrier: AT&T
Posts: 10,149
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

It would make sense that AV would help on the server level. Though again, this is just theory. If you have secured your server with AV, shouldn't it then detect any virus in an attachment, as it would any attachment coming through the mail server directly?
Offline  
Old 07-16-2008, 02:40 PM   #6 (permalink)
Knows Where the Search Button Is
 
conniet's Avatar
 
Join Date: Apr 2007
Location: Fredericton
Model: 8800
Carrier: Rogers
Posts: 22
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default We Are Turning Off Ability to Open PDF Attachments

Based on the fact that RIM gives no details on what the compromise entails and the fact that they have given it a severity rating of 9, we made the decision today to turn off the ability to open pdf attachments.

Now I can expect irate emails from my 1400 users!
Offline  
Old 07-16-2008, 03:16 PM   #7 (permalink)
Thumbs Must Hurt
 
Join Date: Jul 2006
Model: 8310
Carrier: ROGERS
Posts: 111
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Just follow the workaround and disable only PDF's, that should be sufficient for now.
__________________
BES 4.1.5 (2 BES servers, 1 physical, 1 VM)
Exchange 2003 SP2
BESMgmt on SQL 2005 remote cluster (Physical)
900+ users
Offline  
Old 07-16-2008, 03:45 PM   #8 (permalink)
Thumbs Must Hurt
 
Join Date: Dec 2007
Model: 9700
PIN: N/A
Carrier: T-Mobile
Posts: 120
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Did anyone notice their device(s) going through an Enterprise Activate after stopping and starting the Dispatcher service and sending test email?
Offline  
Old 07-16-2008, 04:03 PM   #9 (permalink)
BlackBerry Elite
 
knottyrope's Avatar
 
Join Date: Jan 2008
Location: Massachusetts
Model: Z30
OS: 10.2.1
PIN: t of blood has been taken
Carrier: AT&T-US with I dee ten tee errors
Posts: 6,722
Post Thanks: 272
Thanked 289 Times in 273 Posts
Default

Quote:
Originally Posted by bulletooth View Post
Did anyone notice their device(s) going through an Enterprise Activate after stopping and starting the Dispatcher service and sending test email?
what does this have to do with PDF vulnerability?
Please don't hijack threads, start a new one.

Edit:
Sorry did not realise this was because of the PDF issue.
But looked like a HiJack.
__________________
irony : many old timer posters have de-evolved into the trolls they once fought
I am on http://supportforums.blackberry.com
BES 10 running sweet for my Z30, Z10 and Q10

Last edited by knottyrope : 07-17-2008 at 10:14 AM. Reason: apology to bulletooth
Offline  
Old 07-16-2008, 04:09 PM   #10 (permalink)
Thumbs Must Hurt
 
Join Date: Jul 2006
Model: 8310
Carrier: ROGERS
Posts: 111
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Knottyrope, in bulletooth's defence RIM states that you should restart the dispatcher service and if this is causing the users to enterprise activate then there is an issue.
__________________
BES 4.1.5 (2 BES servers, 1 physical, 1 VM)
Exchange 2003 SP2
BESMgmt on SQL 2005 remote cluster (Physical)
900+ users
Offline  
Old 07-16-2008, 04:19 PM   #11 (permalink)
Thumbs Must Hurt
 
Join Date: Dec 2007
Model: 9700
PIN: N/A
Carrier: T-Mobile
Posts: 120
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by jnetter View Post
Knottyrope, in bulletooth's defence RIM states that you should restart the dispatcher service and if this is causing the users to enterprise activate then there is an issue.
Thanks jnetter-

after all the instructions and the restart of the dispatcher service, I sent myself a test Email from my Outlook client.

From the device, I chose to "reconcile now" instead of trying to wait.

I then got the white screen with Enterprise Activation.

It completed successfully and then I received all of my tests.

FYI to those who are concerned about user impact of this workaround
Offline  
Old 07-16-2008, 04:42 PM   #12 (permalink)
Thumbs Must Hurt
 
Join Date: Mar 2005
Model: Torch
Carrier: ATT
Posts: 179
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

I disabled the pdf distiller on our 13 BES. The amount of complaints we get will give us a good idea how many of the 12K users actually use it.

None of the 10-12 other team members with Blackberries saw their devices undergo Enterprise Activations, FWIW.
Offline  
Old 07-16-2008, 06:47 PM   #13 (permalink)
rsk
Thumbs Must Hurt
 
Join Date: Jan 2007
Model: 9630
Carrier: Sprint
Posts: 134
Post Thanks: 0
Thanked 1 Time in 1 Post
Default

we are also considering disabling pdf's to the devices for our 7500 users..

have many others done this ?
Offline  
Old 07-16-2008, 08:18 PM   #14 (permalink)
Thumbs Must Hurt
 
Join Date: Dec 2007
Model: 9700
PIN: N/A
Carrier: T-Mobile
Posts: 120
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by rsk View Post
we are also considering disabling pdf's to the devices for our 7500 users..

have many others done this ?
See my post earlier- I've done it. I have 1 BES 2 XCHG. I had an EA message but I think it's only myself. I would've heard by now if it affected other users.

I think my force reconcile pi$$ed off the device because the services were restarted almost simultaneously.
Offline  
Old 07-17-2008, 05:14 AM   #15 (permalink)
Thumbs Must Hurt
 
Join Date: Sep 2005
Location: Rotterdam
Model: 8820
Carrier: KPN
Posts: 90
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

no word about BlackBerry Professional Software being affected?
Offline  
Old 07-17-2008, 05:42 AM   #16 (permalink)
Thumbs Must Hurt
 
Join Date: Mar 2007
Location: London
Model: 8310
Carrier: O2 UK
Posts: 75
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

We're going to disable PDF distiller until a patch is out. Only ~200 users though so it's not a huge impact, but we'll see
Offline  
Old 07-17-2008, 07:40 AM   #17 (permalink)
Thumbs Must Hurt
 
m4ilm4n's Avatar
 
Join Date: Oct 2006
Location: Loony bin
Model: 8800
Carrier: T-Mobile
Posts: 111
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Perhaps the EA message only affects Exchange BES (by restarting the dispatcher)? I shut PDFs off on our Domino server and did not subsequently receive an EA message.
Offline  
Old 07-17-2008, 08:03 AM   #18 (permalink)
Thumbs Must Hurt
 
Join Date: Dec 2007
Model: 9700
PIN: N/A
Carrier: T-Mobile
Posts: 120
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

In our XCHG environment, I believe I was the only one with the EA. No one else reported seeing this on their handhelds.
Offline  
Old 07-17-2008, 09:14 AM   #19 (permalink)
Talking BlackBerry Encyclopedia
 
Join Date: Oct 2004
Model: 9530
Carrier: Verizon
Posts: 302
Post Thanks: 0
Thanked 3 Times in 3 Posts
Default

Does anyone know if I can disable the BES PDF distiller and have users use Repligo for BES to view PDFs without the vulnerability? I'm thinking about doing that, but haven't heard back from Cerience yet....I wish I'd noticed this before today. Would be nice if RIM at least emailed TSupport subscribers on vulnerabilities.
Offline  
Old 07-17-2008, 10:24 AM   #20 (permalink)
Wireless Sith Lord
 
DarthBBerry's Avatar
 
Join Date: Jan 2007
Location: Online
Model: iOS 6
Carrier: Verizon x2
Posts: 1,458
Post Thanks: 2
Thanked 27 Times in 22 Posts
Default

I put "the fix" on my BES. Had a downtime of about 10 seconds.
__________________
DarthBBerry
6-Time BlackBerry World Champion (2007-2012)
BlackBerry® Certified Support Specialist v5.0
BlackBerry® Certified System Administrator v5.0
Offline  

Copyright © 2004-2014 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.