BlackBerry Forums Support Community               

Old 12-02-2009, 03:43 AM   #1 (permalink)
BlackBerry Extraordinaire
 
Join Date: Aug 2008
Location: Basel
Model: 9780
PIN: N/A
Carrier: Swisscom
Posts: 1,579
New critical PDF vulnerability in BES

A new critical PDF vulnerability in BES has been found:

Subject: [SA37562] BlackBerry Products PDF Distiller Unspecified Vulnerabilities

TITLE:
BlackBerry Products PDF Distiller Unspecified Vulnerabilities

SECUNIA ADVISORY ID:
SA37562

VERIFY ADVISORY:
https://ca.secunia.com/?page=viewadvisory&vuln_id=37562

CRITICAL:
Highly critical

IMPACT:
DoS, System access

WHERE:
From remote

SECUNIA CVSS SCORE:
10 (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)

SOFTWARE:
BlackBerry Enterprise Server 5.x
BlackBerry Enterprise Server for Domino 4.x
BlackBerry Enterprise Server for Exchange 4.x
BlackBerry Enterprise Server for Novell GroupWise 4.x
BlackBerry Professional Software 4.x

DESCRIPTION:
Some vulnerabilities have been reported in BlackBerry Enterprise
Server and BlackBerry Professional Software, which can be exploited
by malicious people to cause a DoS (Denial of Service) and
potentially compromise a vulnerable system.

The vulnerabilities are caused due to unspecified errors within the
PDF distiller of the BlackBerry Attachment Service component. These
can be exploited to cause a memory corruption when a specially
crafted PDF file is opened for viewing on a BlackBerry smartphone.

Successful exploitation may allow execution of arbitrary code.

The vulnerabilities are reported in BlackBerry Enterprise Server
version 5.0.0, BlackBerry Enterprise Server version 4.1 Service Pack
3 (4.1.3) through 4.1 Service Pack 7 (4.1.7), and BlackBerry
Professional Software 4.1 Service Pack 4 (4.1.4).

SOLUTION:
Update to the latest version or apply the Interim Security Update.

BlackBerry Enterprise Server version 5.0 for Microsoft Exchange and
IBM Lotus Domino:
Update to version 5.0.1 or later, or apply Interim Security Update 3
for BlackBerry Enterprise Server software version 5.0.0.
http://www.blackberry.com/go/serverdownloads

BlackBerry Enterprise Server version 4.1.7 for Microsoft Exchange and
IBM Lotus Domino:
Apply Interim Security Update 1 for BlackBerry Enterprise Server
software version 4.1.7.
http://www.blackberry.com/go/serverdownloads

BlackBerry Enterprise Server version 4.1.6 for Microsoft Exchange and
IBM Lotus Domino:
Update to BlackBerry Enterprise Server Version 4.1.6 MR8 or later.
http://www.blackberry.com/go/serverdownloads

BlackBerry Enterprise Server version 4.1.6 for Novell GroupWise:
Update to BlackBerry Enterprise Server Version 4.1.6 MR6 or later.
http://www.blackberry.com/go/serverdownloads

BlackBerry Enterprise Server version 4.1.4:
Update to BlackBerry Enterprise Server Version 4.1.6 MR8 or later, or
apply Interim Security Update 5 for BlackBerry Enterprise Server
software version 4.1.4.
http://www.blackberry.com/go/serverdownloads

BlackBerry Professional Software:
Apply Interim Security Update 5 for affected BlackBerry Professional
Software versions.
BlackBerry - PDA Software Downloads - Support & Services at BlackBerry.com

PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.

ORIGINAL ADVISORY:
View Document
Old 12-02-2009, 02:25 PM   #2 (permalink)
Wireless Sith Lord

DarthBBerry

Join Date: Jan 2007
Location: Online
Model: iOS 6
Carrier: Verizon x2
Posts: 1,458

C'mon man..... fix it already....
Back to the BB Cave to read the release notes...
__________________
DarthBBerry
6-Time BlackBerry World Champion (2007-2012)
BlackBerry® Certified Support Specialist v5.0
BlackBerry® Certified System Administrator v5.0
Old 12-02-2009, 02:35 PM   #3 (permalink)
x14
BlackBerry Extraordinaire

Join Date: Jul 2005
Location: NYC
Model: 9800
OS: 6.0.0.546
Carrier: AT&T
Posts: 2,344

yada yada yada....

Wish I could disable it for good.
__________________
Exchange 2007/BES 5.0.2 MR2
Old 12-02-2009, 02:37 PM   #4 (permalink)
Wireless Sith Lord

DarthBBerry

Join Date: Jan 2007
Location: Online
Model: iOS 6
Carrier: Verizon x2
Posts: 1,458

Quote:
Originally Posted by x14
yada yada yada....

Wish I can disable it for good.
DoS for all PDFs on your BES. Deep 6 those b1tches!
__________________
DarthBBerry
6-Time BlackBerry World Champion (2007-2012)
BlackBerry® Certified Support Specialist v5.0
BlackBerry® Certified System Administrator v5.0
Old 12-02-2009, 03:50 PM   #5 (permalink)
Thumbs Must Hurt

jeffro01

Join Date: Oct 2006
Location: 67235
Model: 9700
OS: 5.0.0.423
PIN: 2277C472
Carrier: At&t (Company)
Posts: 173

Same here, but we work with a lot of PDFs in the company I work for... Can't ax the PDFs or my upper management will freak...

Jeff
Old 12-03-2009, 09:41 AM   #6 (permalink)
Thumbs Must Hurt

Mikey_AGBoston

Join Date: Dec 2005
Model: 9330
Carrier: Verizon
Posts: 75

Those of you on 4.1.6 MR7 - Who is:

- Going to MR8
- Going to SP7, w/ fix 396617
__________________
BES: 5.0.2, SQL 2005 (remote)/ WIN2K8,R2 / EXCHANGE 2010, RTM+RU4
Old 12-03-2009, 09:45 AM   #7 (permalink)
BlackBerry Extraordinaire

Join Date: Aug 2008
Location: Basel
Model: 9780
PIN: N/A
Carrier: Swisscom
Posts: 1,579

I upgraded to MR8. No problem encountered.
Old 12-03-2009, 10:15 AM   #8 (permalink)
Thumbs Must Hurt

icontech

Join Date: Apr 2007
Model: 9700
Carrier: AT&T
Posts: 155

Quote:
Originally Posted by Mikey_AGBoston
Those of you on 4.1.6 MR7 - Who is:

- Going to MR8
- Going to SP7, w/ fix 396617
Same question here... it's confusing because it looks like 4.1.6 MR8 was released after SP7? And SP7 has a ton of known issues according to the release notes.
Old 12-03-2009, 01:30 PM   #9 (permalink)
BlackBerry Elite

knottyrope

Join Date: Jan 2008
Location: Massachusetts
Model: Z30
OS: 10.2.1
PIN: t of blood has been taken
Carrier: AT&T-US with I dee ten tee errors
Posts: 6,721

Time to flip a coin on what route to go.
__________________
irony : many old timer posters have de-evolved into the trolls they once fought
I am on http://supportforums.blackberry.com
BES 10 running sweet for my Z30, Z10 and Q10
Old 12-03-2009, 01:50 PM   #10 (permalink)
Thumbs Must Hurt

Mikey_AGBoston

Join Date: Dec 2005
Model: 9330
Carrier: Verizon
Posts: 75

Quote:
Originally Posted by icontech
Same question here... it's confusing because it looks like 4.1.6 MR8 was released after SP7? And SP7 has a ton of known issues according to the release notes.
Yeah, that's what I am talking about
__________________
BES: 5.0.2, SQL 2005 (remote)/ WIN2K8,R2 / EXCHANGE 2010, RTM+RU4
Old 12-03-2009, 04:10 PM   #11 (permalink)
Thumbs Must Hurt

jeffro01

Join Date: Oct 2006
Location: 67235
Model: 9700
OS: 5.0.0.423
PIN: 2277C472
Carrier: At&t (Company)
Posts: 173

I'm still not sure either... Probably neither since we are about to go to 5.

Jeff
Old 12-07-2009, 08:07 AM   #12 (permalink)
Wireless Sith Lord

DarthBBerry

Join Date: Jan 2007
Location: Online
Model: iOS 6
Carrier: Verizon x2
Posts: 1,458

Quote:
Originally Posted by Mikey_AGBoston
Those of you on 4.1.6 MR7 - Who is:

- Going to MR8
- Going to SP7, w/ fix 396617
Yep yep, already removed PDF accessibility from the BES; installing MR8 this Wednesday night (12/9).
We'll be going to BES 5.0.x eventually... when RIM stops breaking things with each SP and/or MR for 5.0. And when I get some money for a separate HA machine and a BAS/Monitoring station.
__________________
DarthBBerry
6-Time BlackBerry World Champion (2007-2012)
BlackBerry® Certified Support Specialist v5.0
BlackBerry® Certified System Administrator v5.0
Old 12-09-2009, 10:25 AM   #13 (permalink)
Thumbs Must Hurt

icontech

Join Date: Apr 2007
Model: 9700
Carrier: AT&T
Posts: 155

Quote:
Originally Posted by DarthBBerry
Yep yep, already removed PDF accessibility from the BES; installing MR8 this Wednesday night (12/9).
We'll be going to BES 5.0.x eventually... when RIM stops breaking things with each SP and/or MR for 5.0. And when I get some money for a separate HA machine and a BAS/Monitoring station.
Let us know how the MR8 installation goes... are you going to SP7 eventually too?

I just read all the release notes for SP7 and I don't have a good feeling about the upgrade. Does anyone know if the known issues they list occur after the upgrade, or are they cumulative from previous versions that have not been resolved? Some of the known issues specifically list the problem as occurring during the upgrade. I have seen a bunch of the known issues with 4.1.6 MR6 and MR7, so I believe they are just recognizing previous problems. This makes me want to jump to 5.0 even more...
Old 12-09-2009, 05:29 PM   #14 (permalink)
Wireless Sith Lord

DarthBBerry

Join Date: Jan 2007
Location: Online
Model: iOS 6
Carrier: Verizon x2
Posts: 1,458

MR 8 went super smooth. No problems with the install; I didn't even need to reboot. I just restarted the services (Domino last) and it just picked up and continued as if nothing happened. I'll monitor tomorrow for problems, but don't anticipate any.

Total downtime: 23 minutes.
__________________
DarthBBerry
6-Time BlackBerry World Champion (2007-2012)
BlackBerry® Certified Support Specialist v5.0
BlackBerry® Certified System Administrator v5.0
Old 12-10-2009, 08:01 AM   #15 (permalink)
Thumbs Must Hurt

icontech

Join Date: Apr 2007
Model: 9700
Carrier: AT&T
Posts: 155

Quote:
Originally Posted by DarthBBerry
MR 8 went super smooth. No problems with the install; I didn't even need to reboot. I just restarted the services (Domino last) and it just picked up and continued as if nothing happened. I'll monitor tomorrow for problems, but don't anticipate any.

Total downtime: 23 minutes.
Thanks for the info. So do you plan on going to SP7?
Old 12-10-2009, 09:42 AM   #16 (permalink)
Wireless Sith Lord

DarthBBerry

Join Date: Jan 2007
Location: Online
Model: iOS 6
Carrier: Verizon x2
Posts: 1,458

Quote:
Originally Posted by icontech
Thanks for the info. So do you plan on going to SP7?
Dunno about SP7 yet. My philosophy is that if there isn't a positive impact to the server in our current configuration and everything is working as intended, why do the upgrade?

Just my thought.
__________________
DarthBBerry
6-Time BlackBerry World Champion (2007-2012)
BlackBerry® Certified Support Specialist v5.0
BlackBerry® Certified System Administrator v5.0
Old 12-11-2009, 07:20 AM   #17 (permalink)
Thumbs Must Hurt

icontech

Join Date: Apr 2007
Model: 9700
Carrier: AT&T
Posts: 155

Quote:
Originally Posted by DarthBBerry
Dunno about SP7 yet. My philosophy is that if there isn't a positive impact to the server in our current configuration and everything is working as intended, why do the upgrade?

Just my thought.
That's a valid point. We don't have any current plans on going to 5.0 yet, so I would like to keep our current environment running as well as it can. I asked this before, but do you know if the list of "known issues" is cumulative up to SP7? I'm sure a lot of these issues are resolved in 5.0, but we're just not ready to make the jump.

Last edited by icontech : 12-11-2009 at 07:22 AM.
Old 12-11-2009, 07:31 AM   #18 (permalink)
Wireless Sith Lord

DarthBBerry

Join Date: Jan 2007
Location: Online
Model: iOS 6
Carrier: Verizon x2
Posts: 1,458

Quote:
Originally Posted by icontech
That's a valid point. We don't have any current plans on going to 5.0 yet, so I would like to keep our current environment running as well as it can. I asked this before, but do you know if the list of "known issues" is cumulative up to SP7? I'm sure a lot of these issues are resolved in 5.0, but we're just not ready to make the jump.
Check the release notes.
__________________
DarthBBerry
6-Time BlackBerry World Champion (2007-2012)
BlackBerry® Certified Support Specialist v5.0
BlackBerry® Certified System Administrator v5.0
Copyright © 2004-2014 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.