TECHNICAL BULLETIN
| PROBLEM: | A vulnerability was reported in Blackberry OS. A remote user can spoof certificates of arbitrary sites |
| PLATFORM: | Blackberry OS prior to 4.5.0.173, 4.6.0.303, 4.6.1.309, 4.7.0.179, 4.7.1.57 |
| ABSTRACT: | The BlackBerry Browser dialog box informs the BlackBerry device user when there is a mismatch between the site domain name and the domain name indicated in the associated certificate, but does not properly illustrate that the mismatch is due to the presence of some hidden characters (for example, null characters) in the site domain name. |
| LINKS: | |
| DOE-CIRC BULLETIN: | http://www.doecirc.energy.gov/bulletins/t-241.shtml |
| OTHER LINKS: | Security Tracker http://securitytracker.com/alerts/2009/Sep/1022951.html ; BlackBerry Website http://www.blackberry.com/btsc/viewContent.do?externalId=KB19552 |
| IMPACT ASSESSMENT: | This risk is medium. A remote user can create a certificate with a specially crafted Common Name field that contains a NULL character. Once the certificate is signed by a Certificate Authority, the certificate can be used to spoof a target site's certificate. |
Discussion: A malicious user could create a web site that includes a certificate that is purposely altered using null (hidden) characters in the certificate's Common Name (CN) field, or otherwise manipulated, to deceive a BlackBerry device user into believing they have connected to a trusted web site. If the malicious user then performs a phishing-style attack by sending the BlackBerry device user a link to the web site in an SMS or email message that appears to be from a trusted source, and the BlackBerry device user chooses to access that site, the BlackBerry Browser will correctly detect the mismatch between the certificate and the domain name and display a dialog box that prompts the user to close the connection. However, the dialog box does not display null characters, so the user may believe they are connecting to a trusted site and disregard the recommended action to close the connection.

Solution: The vendor has issued a software update that resolves this issue in BlackBerry Device Software version 4.5 and later. All updates can be found at the link below:
http://www.blackberry.com/updates/
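The defect described above has two parts: a name comparison that behaves like a C string (stopping at the first NUL) and a dialog that renders the CN without revealing the hidden byte. The following added example (not BlackBerry/RIM code, and not tied to any browser) shows a host-name check that compares the entire CN byte string and rejects control or non-ASCII bytes, next to a rendering function that escapes such bytes so a user-facing dialog would show them. The CN values and the host names are constructed for illustration; the naive truncated view is included only to show what a C-string-style display would print.

```python
"""Defensive handling of a certificate Common Name (CN) that may contain hidden bytes.

Added example, not vendor code. CN values used in the demo at the bottom are
constructed; the checks themselves are generic.
"""
import re

# One DNS label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def find_hidden_characters(cn: bytes) -> list:
    """Return (offset, byte) for every control (incl. NUL) or non-ASCII byte in the CN."""
    return [(i, b) for i, b in enumerate(cn) if b < 0x20 or b > 0x7E]


def naive_truncated_view(cn: bytes) -> str:
    """What a C-string-style display shows: everything after the first NUL is lost."""
    return cn.split(b"\x00", 1)[0].decode("ascii", "replace")


def render_cn(cn: bytes) -> str:
    """Render the whole CN for a dialog, escaping any byte a user could not otherwise see."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else f"\\x{b:02x}" for b in cn)


def cn_matches_host(cn: bytes, host: str) -> bool:
    """Compare the *entire* CN with the requested host.

    The CN must consist only of valid ASCII DNS labels and equal the host
    (case-insensitive). A leading "*" label matches exactly one host label and
    must leave at least two fixed labels, so "*.com" never matches.
    """
    if find_hidden_characters(cn):
        return False  # a NUL or other hidden byte can never be a legitimate host name
    labels = cn.decode("ascii").lower().split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
        host_labels = host_labels[1:]
        if len(labels) < 2:
            return False
    if not all(_LABEL_RE.match(label) for label in labels):
        return False
    return labels == host_labels


if __name__ == "__main__":
    # Constructed sample: a CN whose visible prefix looks like the expected host.
    sample_cn = b"secure.example.com\x00attacker.test"
    requested = "secure.example.com"
    print("naive view   :", naive_truncated_view(sample_cn))
    print("escaped view :", render_cn(sample_cn))
    print("hidden bytes :", find_hidden_characters(sample_cn))
    print("matches host :", cn_matches_host(sample_cn, requested))
```

The two views make the point of the bulletin concrete: the naive view prints only the expected host name, while the escaped view exposes the `\x00` and the trailing name, which is what a mismatch dialog needs to show for the user's decision to be an informed one.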
Voice: 866-941-2472
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov