KB15766 - Vulnerability in the PDF distiller of the BlackBerry Attachment Service for the BlackBerry Enterprise Server

-----
Environment
* BlackBerry® Enterprise Server software version 4.1 Service Pack 3 (4.1.3) through 4.1 Service Pack 5 (4.1.5)

Overview
This advisory describes a security issue that the BlackBerry Attachment Service component of the BlackBerry Enterprise Server is susceptible to. The issue relates to a known vulnerability in the PDF distiller component of the BlackBerry Attachment Service that affects how the BlackBerry Attachment Service processes PDF files.

This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 9.0.

Problem
A security vulnerability in the PDF distiller of the BlackBerry Attachment Service could enable a malicious individual to use a specially crafted PDF file attachment in an email message to cause arbitrary code to execute on the computer that the BlackBerry Attachment Service runs on. If a BlackBerry smartphone user on a BlackBerry Enterprise Server opens and views the specially crafted PDF file attachment on the BlackBerry smartphone, the arbitrary code execution could compromise the computer.

Resolution
This issue has been escalated internally to our development team. No resolution time frame is currently available.

Workaround
Note: As a mobile device best practice, Research In Motion (RIM) recommends that BlackBerry smartphone users open attachments from trusted sources only.

Prevent the BlackBerry Attachment Service from processing PDF files in a BlackBerry Enterprise Server environment

You can prevent the BlackBerry Attachment Service from processing PDF files by editing the list of file format extensions that the BlackBerry Attachment Service opens, and then preventing the PDF attachment distiller from running on the BlackBerry Attachment Service.

To remove the PDF file extension from the list of supported file format extensions, complete the following actions:

1. From the Windows® Desktop, open the BlackBerry Server Configuration tool.
2. Click the Attachment Server tab.
3. In the Format Extensions field, delete pdf: from the colon–delimited list of extensions.
4. Click Apply.
5. Click OK.

Until you prevent the PDF attachment distiller from running, the BlackBerry Attachment Service still detects a PDF file with a renamed extension (in other words, its extension is not .pdf) and attempts to process the file automatically. To prevent the PDF attachment distiller from running, complete the following actions:

1. On the Windows Desktop, open the BlackBerry Server Configuration tool.
2. Click the Attachment Server tab.
3. In the Configuration Option drop-down list, select Attachment Server.
4. In the Distiller Settings section, next to the distiller name Adobe PDF, clear the check box in the Enabled column.
5. Click Apply.
6. Click OK.
7. On the Windows Desktop, in Administrative Tools, open Services.
8. Right-click BlackBerry Attachment Service and click Stop.
9. Right-click BlackBerry Attachment Service and click Start.
10. Close Services.

In Microsoft® Exchange and Novell® GroupWise® environments, complete the following additional steps:

1. On the Windows Desktop, in Administrative Tools, open Services.
2. Right-click BlackBerry Dispatcher and click Stop.
3. Right-click BlackBerry Dispatcher and click Start.
4. Close Services.

Important: Restarting certain BlackBerry Enterprise Server services will delay email message delivery to BlackBerry smartphones. For more information, see KB04789.

In IBM® Lotus® Domino® environments, complete the following additional steps:

1. Open the IBM Lotus Domino Administrator.
2. Click the Server tab.
3. Click the Status tab.
4. Click Server Console.
5. In the Domino Command field, type tell BES quit and press ENTER.
6. In the Domino Command field, type load BES and press ENTER.
7. Close the IBM Lotus Domino Administrator.


Additional Information
You can install the BlackBerry Attachment Service on a remote computer and then place that computer on its own network segment to prevent the spread of potential attacks from the BlackBerry Attachment Service to another computer within your organization’s network. In a segmented network, attacks are isolated and contained on a single area of the network. Using segmented network architecture is designed to improve the security and performance of the BlackBerry Attachment Service network segment by filtering out attachment data that is not destined for other network segments. For more information about placing the BlackBerry Enterprise Solution components in a network architecture that is segmented to prevent the spread of potential malware attacks, see Placing the BlackBerry Enterprise Solution in a Segmented Network.

Visit BlackBerry - BlackBerry Enterprise Solution | Wireless Network Security for Corporate Data for more information on BlackBerry security.

CVSS is a vendor agnostic, industry open standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency for update deployment within an organization. CVSS scores range from 0.0 (no vulnerability) to 10.0 (critical). RIM uses CVSS in vulnerability assessments to present an immutable characterization of security issues. RIM assigns all security relevant issues a non-zero score.

What is amusing is this is that RIM will continue its stance that the BlackBerry has never gotten a virus, and this technically remains true. The system that the Attatchment handler sits on gets the virus.

Ok how serious is this?

How many are turning it off on their BES?

Would antivirus protect the server?

I've not seen anything in the wild; and as such have informed customers of the vulnerability but am not recommending they make any changes.

I can't say one way or another if an AV software will help this however.

It would make sense that AV would help on the server level. Though again, this is just theory. If you have secured your server with AV, shouldnt it then detect any virus in an attachment, as it would any attachment coming through the mail server directly?

Based on the fact that RIM gives no details on what the compromise entails and the fact that they have given it a severity rating of 9, we made the decision today to turn off the ability to open pdf attachments.

Now I can expect irate emails from my 1400 users!

Just follow the workaround and disable only PDF's, that should be sufficient for now.

Did anyone notice their device(s) going through an Enterprise Activate after stopping and starting the Dispatcher service and sending test email?

what does this have to do with PDF vulnerability?
Please dont hijack threads, start a new one.

Edit:
Sorry did not realise this was because of the PDF issue.
But looked like a HiJack.

Knottyrope, in bulletooth's defence RIM states that you should restart the dispatcher service and if this is causing the users to enterprise activate then there is an issue.

Thanks jnetter-

after all the instructions and the restart of the dispatcher service, I sent myself a test Email from my Outlook client.

From the device, I chose to "reconcile now" instead of trying to wait.

I then got the white screen with Enterprise Activation.

It completed successfully and then I received all of my tests.

FYI to those who are concerned about user impact of this workaround

I disabled the pdf distiller on our 13 BES. The amount of complaints we get will give us a good idea how many of the 12K users actually use it.

None of the 10-12 other team members with Blackberries saw their devices undergo Enterprise Activations, FWIW.

we are also considering disabling pdf's to the devices for our 7500 users..

have many others done this ?

See my post earlier- I've done it. I have 1 BES 2 XCHG. I had an EA message put I think it's only myself. I would've heard by now if it affected other users.

I think my force reconcile pi$$ed off the device because the services were restarted almost simultaneously.

no word about BlackBerry Professional Software being affected?

We're going to disable PDF distiller until a patch is out. Only ~200 users though so it's not a huge impact, but we'll see

Perhaps the EA message only affects Exchange BES (by restarting the dispatcher)? I shut PDFs off on our Domino server and did not subsequently receive an EA message.

In our XCHG environment, I believe I was the only one with the EA. No one else reported seeing this on their handhelds.

Does anyone know if I can disable the BES PDF distiller and have users use Repligo for BES to view PDFs without the vulnerability? I'm thinking about doing that, but haven't heard back from Cerience yet....I wish I'd noticed this before today. Would be nice if RIM at least emailed TSupport subscribers on vulnerabilities.

I put "the fix" on my BES. Had a downtime of about 10 seconds.

Does anybody know if this vulderability affects BES Version 4.0 Service Pack 5 ? The article states only versions 4.1.3 to 4.1.5, but I just wanted to be safe.

I disabled PDF processing on my production BES (4.1.4) and my test BES (4.1.5). It's just not worth the risk. All it takes, is 'one' malformed PDF file.

did any one have a luck finding what that "specially crafted" pdf file may look or feel like?

Not taking the chance. Why look for trouble when it can be prevented in the first place?

I'm just about to put the block in. Not worth the risk..

We're recommending this temporary workaround to all of our clients as of now...It's way too risky

We have put the work around in place, but just curious to see if our antivirus and antispam systems can capture such pdf file at entry level before even touching exchange !!!

we're putting the workaround in place, too. don't really think it's necessary in our case due to some additional safeguards we have in place, but like someone else said...why take the chance? If many of our 4000 users complain and a fix from RIM isn't forthcoming, we'll perhaps revisit the decision.

We have also put this into effect. Not worth the risk.

Workaround was implemented tonight.

BES 4.1.6 was just released, which addresses the vulnerability. (Advisory has been updated to reflect that.) Downloading now...

The Quick Fixes are also available for 4.1 SP3, SP4 and SP5.

BES 4.1 SP5 does not require the MR1 patch, although it is recommended.
BES 4.1 SP4 requires MR6 to be installed.
BES 4.1 SP3 requires HF2 to be installed.

The Quick Fix is a zip file with the updated files. There are manual commands for un-registering and re-registering some DLL files. The BlackBerry Attachment Service and BlackBerry Dispatcher will need to be stopped during this change and restarted afterwards.

Thanks for the heads-up, jibi. Workaround backed out, and the "interim security software update" has been applied.

My BES is reported as 4.1.4.15

Do i need the patch and if so does it need anything else before i put it on. Not sure what MR6 means?

Sorry - could someone please clarify if you have a minute!


Many thanks

Jon

Cant find the Hotfix for 4.1.3 and 4.1.4 only the SP6 .
Can someone help with a link ?

Hmm , 4.1 SP3 HF2 is nothing new , i installed that i think 6 month ago.
Does this fix the problem or is the SP6 needed ?

The release notes for SP6 dont even mentions that the distiller problem is fixed ....

We run 4.1.4 MR1. The vulnerability fix says MR6 is required. I see only in the Download area up to MR3 (no MR4, MR5 or MR6). Where can I find MR6?
If that is a typo and instead it should read 'MR3', can I install MR3 without first installing MR2?
Thanks for any info,

So, if I install the 'quick fix'/interim update will people be able to get PDF's on their device still or does this block all PDF's?

We are currently running 4.14mr5 + the Out of Office quickfix so that OOF messages work ok on Exchange 2007 mailboxes. Will that fix work with 4.14mr6 and the .pdf fix?

we are at BES 4.1 SP4 MR4
what happend to MR5 ? on RIM site there is MR6 after MR4 ???