12-02-2009, 04:43 AM   #1
freakinvibe
BlackBerry Extraordinaire
 
Join Date: Aug 2008
Location: Basel
Model: Class
PIN: N/A
Carrier: Swisscom
Posts: 1,616
New critical PDF vulnerability in BES


A new critical PDF vulnerability in BES has been found:

Subject: [SA37562] BlackBerry Products PDF Distiller Unspecified Vulnerabilities

TITLE:
BlackBerry Products PDF Distiller Unspecified Vulnerabilities

SECUNIA ADVISORY ID:
SA37562

VERIFY ADVISORY:
https://ca.secunia.com/?page=viewadvisory&vuln_id=37562

CRITICAL:
Highly critical

IMPACT:
DoS, System access

WHERE:
From remote

SECUNIA CVSS SCORE:
10 (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)

SOFTWARE:
BlackBerry Enterprise Server 5.x
BlackBerry Enterprise Server for Domino 4.x
BlackBerry Enterprise Server for Exchange 4.x
BlackBerry Enterprise Server for Novell GroupWise 4.x
BlackBerry Professional Software 4.x

DESCRIPTION:
Some vulnerabilities have been reported in BlackBerry Enterprise
Server and BlackBerry Professional Software, which can be exploited
by malicious people to cause a DoS (Denial of Service) and
potentially compromise a vulnerable system.

The vulnerabilities are caused due to unspecified errors within the
PDF distiller of the BlackBerry Attachment Service component. These
can be exploited to cause a memory corruption when a specially
crafted PDF file is opened for viewing on a BlackBerry smartphone.

Successful exploitation may allow execution of arbitrary code.

The vulnerabilities are reported in BlackBerry Enterprise Server
version 5.0.0, BlackBerry Enterprise Server version 4.1 Service Pack
3 (4.1.3) through 4.1 Service Pack 7 (4.1.7), and BlackBerry
Professional Software 4.1 Service Pack 4 (4.1.4).

SOLUTION:
Update to the latest version or apply the Interim Security Update.

BlackBerry Enterprise Server version 5.0 for Microsoft Exchange and
IBM Lotus Domino:
Update to version 5.0.1 or later, or apply Interim Security Update 3
for BlackBerry Enterprise Server software version 5.0.0.
http://www.blackberry.com/go/serverdownloads

BlackBerry Enterprise Server version 4.1.7 for Microsoft Exchange and
IBM Lotus Domino:
Apply Interim Security Update 1 for BlackBerry Enterprise Server
software version 4.1.7.
http://www.blackberry.com/go/serverdownloads

BlackBerry Enterprise Server version 4.1.6 for Microsoft Exchange and
IBM Lotus Domino:
Update to BlackBerry Enterprise Server Version 4.1.6 MR8 or later.
http://www.blackberry.com/go/serverdownloads

BlackBerry Enterprise Server version 4.1.6 for Novell GroupWise:
Update to BlackBerry Enterprise Server Version 4.1.6 MR6 or later.
http://www.blackberry.com/go/serverdownloads

BlackBerry Enterprise Server version 4.1.4:
Update to BlackBerry Enterprise Server Version 4.1.6 MR8 or later, or
apply Interim Security Update 5 for BlackBerry Enterprise Server
software version 4.1.4.
http://www.blackberry.com/go/serverdownloads

BlackBerry Professional Software:
Apply Interim Security Update 5 for affected BlackBerry Professional
Software versions.

PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.

ORIGINAL ADVISORY:
View Document
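As an added example, not part of the post above or of the Secunia advisory: a small triage helper that maps an inventoried BES or BlackBerry Professional Software install onto the affected-version list and the SOLUTION section quoted in the advisory, so a BES administrator can check a server inventory instead of reading the table by hand. The affected ranges, MR numbers and Interim Security Update (ISU) numbers are taken from the advisory text; the Install record, the function names and the sample inventory are constructed for illustration. Versions the advisory does not name are reported as "not listed" rather than "safe", because the advisory only says where the bugs were reported, not where they are absent.

```python
"""Triage helper for SA37562 (BlackBerry Attachment Service PDF distiller).

Added example; not code from the forum post, Secunia or RIM. The version ranges
and fix levels below are transcribed from the advisory text; everything else
(Install record, function names, sample inventory) is constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\s*MR\s*(\d+))?$", re.IGNORECASE)


@dataclass(frozen=True)
class Install:
    product: str               # "BES" or "BPS" (BlackBerry Professional Software)
    platform: str              # "exchange", "domino" or "groupwise"; ignored for BPS
    version: str               # e.g. "4.1.6 MR8", "5.0.0", "4.1.7"
    isu: Optional[int] = None  # highest Interim Security Update applied, if any


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """'4.1.6 MR8' -> (4, 1, 6, 8). A missing patch level or MR counts as 0."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, mr = m.groups()
    return (int(major), int(minor), int(patch or 0), int(mr or 0))


def is_listed_affected(inst: Install) -> bool:
    """Builds the advisory names as affected: BES 5.0.0, BES 4.1.3..4.1.7, BPS 4.1.4.
    Anything outside these ranges is merely 'not listed', not proven safe."""
    base = parse_version(inst.version)[:3]
    if inst.product == "BPS":
        return base == (4, 1, 4)
    return base == (5, 0, 0) or (4, 1, 3) <= base <= (4, 1, 7)


def _verdict(fixed: bool, action: str) -> Tuple[str, str]:
    return ("patched" if fixed else "vulnerable", action)


def assess(inst: Install) -> Tuple[str, str]:
    """Return (status, action): status is 'not listed', 'patched' or 'vulnerable';
    action restates the advisory's SOLUTION entry for that build."""
    major, minor, patch, mr = parse_version(inst.version)
    base = (major, minor, patch)
    isu = inst.isu or 0
    if inst.product != "BPS" and base >= (5, 0, 1):
        return ("patched", "5.0.1 or later carries the fix")
    if not is_listed_affected(inst):
        return ("not listed", "build not named in SA37562; confirm against the vendor advisory")
    if inst.product == "BPS":
        return _verdict(isu >= 5, "apply Interim Security Update 5")
    if base == (5, 0, 0):
        return _verdict(isu >= 3, "update to 5.0.1 or later, or apply ISU 3 for 5.0.0")
    if base == (4, 1, 7):
        return _verdict(isu >= 1, "apply ISU 1 for 4.1.7")
    if base == (4, 1, 6):
        # GroupWise has its own MR train: MR6 there, MR8 for Exchange/Domino.
        needed = 6 if inst.platform == "groupwise" else 8
        return _verdict(mr >= needed, f"update to 4.1.6 MR{needed} or later")
    if base == (4, 1, 4):
        return _verdict(isu >= 5, "update to 4.1.6 MR8 or later, or apply ISU 5 for 4.1.4")
    # 4.1.3 and 4.1.5 are in the affected range but have no in-place ISU listed.
    return ("vulnerable", "no ISU listed for this build; update to 4.1.6 MR8 or later")


def triage(inventory: List[Install]) -> List[Tuple[Install, str, str]]:
    """Run assess() over an inventory; vulnerable hosts are returned first."""
    rows = [(inst, *assess(inst)) for inst in inventory]
    order = {"vulnerable": 0, "not listed": 1, "patched": 2}
    return sorted(rows, key=lambda r: order[r[1]])


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        Install("BES", "exchange", "5.0.0"),
        Install("BES", "domino", "5.0.0", isu=3),
        Install("BES", "exchange", "4.1.6 MR7"),
        Install("BES", "groupwise", "4.1.6 MR6"),
        Install("BES", "domino", "4.1.5"),
        Install("BPS", "", "4.1.4", isu=5),
    ]
    for inst, status, action in triage(sample):
        print(f"{status:11} {inst.product} {inst.platform:9} {inst.version:10} ISU={inst.isu}  -> {action}")
```

The helper treats an applied ISU as equivalent to the listed fix level only for the exact builds the advisory pairs them with (ISU 3 for 5.0.0, ISU 1 for 4.1.7, ISU 5 for 4.1.4 and for BPS), which is the safe reading of the SOLUTION section; it does not assume an ISU carries across builds.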