by Al Sacco

RIM Patches “Severe” Flaw in BlackBerry Enterprise Server, BES Express

Aug 15, 20112 mins
MobileSecuritySmall and Medium Business

RIM has released a new security patch to fix a serious flaw within its BlackBerry Enterprise Server (BES) and BES Express for Microsoft Exchange, Lotus Domino and Novell GroupWise.

BlackBerry-maker Research In Motion (RIM) is advising its BlackBerry Enterprise Server (BES) customers to immediately update their BES software, after a serious flaw was identified that could allow hackers or other miscreants to not only access BES resources, but also other non-BlackBerry related corporate network components.

BlackBerry Torch 9800 with Padlock (Image Credit: Brian Sacco)
BlackBerry Torch 9800 with Padlock (Image Credit: Brian Sacco)

The flaw, initial reported by RIM last week, received a 10.0 rating on the Common Vulnerability Scoring System (CVSS), the highest possible CVSS. I’ve been covering RIM and BlackBerry for years, and I’ve reported on many BES vulnerabilities, but this is the only flaw I can remember to receive such a high CVSS score. And it appears to affect a wide array of BES and BES Express versions for Microsoft Exchange, IBM Lotus Domino and Novell GroupWise. The vulnerability does not appear to affect many of the latest versions of BES, though, so you may not need to install the patch if you’ve been keeping up with RIM’s updates.

From RIM:

“Vulnerabilities exist in how the BlackBerry MDS Connection Service and the BlackBerry Messaging Agent process PNG and TIFF images for rendering on the BlackBerry smartphone. Successful exploitation of any of these vulnerabilities might allow an attacker to gain access to and execute code on the BlackBerry Enterprise Server. Depending on the privileges available to the configured BlackBerry Enterprise Server service account, the attacker might also be able to extend access to other non-segmented parts of the network.

“To exploit these vulnerabilities in how the BlackBerry MDS Connection Service processes PNG and TIFF images, an attacker would need to create a specially crafted web page and then persuade the BlackBerry smartphone user to click a link to that web page. The attacker could provide the link to the user in an email or instant message.”

Visit RIM’s security advisor page for more details. And pop over to the BES server downloads page to grab the security update.


Via BerryReview