TECHNICAL BULLETIN
| PROBLEM: | BlackBerry Attachment Service PDF Distiller Multiple Unspecified Security Vulnerabilities. |
| PLATFORM: | BlackBerry® Enterprise Server software version 4.1 Service Pack 3 (4.1.3) through 5.0; BlackBerry® Professional Software 4.1 Service Pack 4 (4.1.4) |
| ABSTRACT: | Multiple security vulnerabilities exist in the PDF distiller of some released versions of the BlackBerry Attachment Service. A malicious individual could send an email message containing a specially crafted PDF file; when the recipient opens that attachment for viewing on a BlackBerry smartphone, the file is processed by the PDF distiller on the computer that hosts the BlackBerry Attachment Service, where it can cause memory corruption and possibly lead to arbitrary code execution in the context of the vulnerable service, possibly with SYSTEM-level privileges. A successful exploit compromises the server. A failed attempt will likely crash the service, resulting in a denial-of-service condition. |
| LINKS: | |
| DOE-CIRC BULLETIN: | http://www.doecirc.energy.gov/bulletins/t-146.shtml |
| OTHER LINKS: | Vupen Security: http://www.vupen.com/english/advisories/2009/1429 ; Security Focus: http://www.securityfocus.com/bid/35102/info ; BlackBerry KB18327: http://www.blackberry.com/btsc/dynamickc.do?externalId=KB18327&sliceID=1&command=show&forward=nonthreadedKC&kcId=KB18327 |
| IMPACT ASSESSMENT: | This risk is high. BlackBerry Attachment Service is prone to multiple remote code-execution vulnerabilities when handling specially crafted PDF files. |
Workaround:
Prevent the BlackBerry Attachment Service from processing PDF files in a BlackBerry Enterprise Server environment
You can prevent the BlackBerry Attachment Service from processing PDF files by editing the list of file format extensions
that the BlackBerry Attachment Service opens, and then preventing the PDF attachment distiller from running on the
BlackBerry Attachment Service.
To remove the PDF file extension from the list of supported file format extensions, complete the following actions:
For BlackBerry Enterprise Server versions earlier than 5.0, and BlackBerry Professional Software
1. From the Windows Desktop, open the BlackBerry Server Configuration tool.
2. Click the Attachment Server tab.
3. In the Format Extensions field, delete pdf: from the colon-delimited list of
extensions.
4. Click Apply.
5. Click OK.
For BlackBerry Enterprise Server version 5.0 or later
1. In the BlackBerry Administration Service, on the Servers and components menu,
expand BlackBerry Solution topology > BlackBerry Domain > Component view >
Attachment > Connector.
2. Click the BlackBerry Attachment Connector instance that is associated with the
BlackBerry Attachment Service that you want to change.
3. In the Support Attachment Server instances tab, click Edit instance.
4. Click the Edit icon.
5. Click the Delete icon for the PDF extension.
6. Click Save all.
Removing the extension alone is not sufficient. Until you also prevent the PDF attachment distiller from running, the
BlackBerry Attachment Service still identifies a PDF file by its content even when its extension has been changed (for
example, a .pdf file renamed to .txt) and attempts to process the file automatically. To prevent the PDF attachment
distiller from running, complete the following actions:
For BlackBerry Enterprise Server versions earlier than 5.0, and BlackBerry Professional Software
1. On the Windows Desktop, open the BlackBerry Server Configuration tool.
2. Click the Attachment Server tab.
3. In the Configuration Option drop-down list, select Attachment Server.
4. In the Distiller Settings section, next to the distiller name Adobe PDF, clear the check box in the Enabled column.
5. Click Apply.
6. Click OK.
7. On the Windows Desktop, in Administrative Tools, open Services.
8. Right-click BlackBerry Attachment Service and click Stop.
9. Right-click BlackBerry Attachment Service and click Start.
10. Close Services.
For BlackBerry Enterprise Server version 5.0 or later
1. In the BlackBerry Administration Service, on the Servers and components menu,
expand BlackBerry Solution topology > BlackBerry Domain > Component view >
Attachment > Server.
2. Click the instance that you want to change.
3. Click Edit instance.
4. In the Distiller section, in the Allowed column, clear the check box for the Adobe PDF distiller, leaving
the other distillers that the instance should continue to support selected.
5. Click Save.
6. Restart the BlackBerry Attachment Service.
For all versions
In Microsoft Exchange and Novell GroupWise environments, complete the following additional steps:
1. On the Windows Desktop, in Administrative Tools, open Services.
2. Right-click BlackBerry Dispatcher and click Stop.
3. Right-click BlackBerry Dispatcher and click Start.
4. Close Services.
Note: Restarting BlackBerry Enterprise Server services might delay message delivery to BlackBerry devices. For more
information, see KB04789.
In IBM Lotus Domino environments, complete the following additional steps:
For BlackBerry Enterprise Server versions earlier than 5.0, and BlackBerry Professional Software
1. Open the Lotus Domino Administrator.
2. Click the Server tab.
3. Click the Status tab.
4. Click Server Console.
5. In the Domino Command field, type tell BES quit and press ENTER.
6. In the Domino Command field, type load BES and press ENTER.
7. Close the Lotus Domino Administrator.
For BlackBerry Enterprise Server version 5.0 or later
Note: You should not use the IBM® Lotus® Domino® console to stop and start the BlackBerry Messaging Agent. If you use the
IBM Lotus Domino console, the BlackBerry Messaging Agent libraries might not load properly and, if you configure high
availability, the BlackBerry Messaging Agent might not start correctly as the primary or standby instance.
1. Stop and start the BlackBerry Controller service and BlackBerry Dispatcher service in the Windows Services, or stop
and start the BlackBerry Enterprise Server in the BlackBerry Administration Service.
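The note above on renamed extensions is the security-relevant point of this workaround: the Attachment Service recognises a PDF by its bytes, not by its file name, so a filter that only looks at the extension does not keep a crafted PDF away from the distiller. The following Python is an added illustration (not BlackBerry or DOE-CIRC code) of the two checks side by side, as a mail-gateway or triage script would apply them; the attachment samples are constructed inline, and the 1024-byte header window is an assumption taken from common PDF reader behaviour rather than from anything in this bulletin.

```python
"""Extension-based versus content-based PDF detection for attachment filtering.

Added example (not BlackBerry/RIM or DOE-CIRC code). The workaround above
removes "pdf" from the extension list and, separately, disables the PDF
distiller, because the Attachment Service detects a PDF by content even
after the file has been renamed. A perimeter filter must do the same.
All sample attachments are constructed here, not taken from any incident.
"""
import re

# A PDF starts with "%PDF-M.N" (ISO 32000-1, 7.5.2). Readers commonly tolerate
# some leading bytes before the header; the 1024-byte window used here is an
# assumption about that behaviour, not a value stated in the bulletin.
_PDF_HEADER = re.compile(rb"%PDF-\d\.\d")
_HEADER_WINDOW = 1024


def is_pdf(data: bytes) -> bool:
    """True if the bytes carry a PDF header, regardless of the file name."""
    return _PDF_HEADER.search(data[:_HEADER_WINDOW]) is not None


def extension_of(filename: str) -> str:
    """Lower-cased extension of a file name, or '' if it has none."""
    name = filename.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def classify(filename: str, data: bytes) -> str:
    """Return which control, if any, stops this attachment.

    'extension' - caught by the file-extension list alone (first half of the
                  workaround);
    'content'   - missed by the extension list, caught only by inspecting the
                  bytes (what disabling the distiller, or a content-aware
                  gateway rule, covers);
    'pass'      - not a PDF by either test.
    """
    if extension_of(filename) == "pdf":
        return "extension"
    if is_pdf(data):
        return "content"
    return "pass"


# Constructed samples.
SAMPLES = {
    "quarterly.pdf": b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n%%EOF",
    # Same bytes, renamed: the extension list does not see it.
    "quarterly.txt": b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n%%EOF",
    # Leading junk inside the header window still reads as a PDF.
    "notes.dat": b"\x00" * 512 + b"%PDF-1.7\n%%EOF",
    # Plain text with a .pdf name: the extension rule fires, content would not.
    "readme.pdf": b"just text\n",
    "picture.jpg": b"\xff\xd8\xff\xe0JFIF",
}


def run_samples() -> dict:
    """Classify every constructed sample; returns {filename: verdict}."""
    return {name: classify(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:15} -> {verdict}")
```

The two "content" verdicts (the renamed file and the file with leading junk) are exactly the cases that slip past step one of the workaround and are only stopped by disabling the distiller; a gateway rule built on `is_pdf` rather than on the extension closes the same gap before the message reaches the server.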
Voice: 866-941-2472
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov