by Al Sacco

RIM Patches New BES Security Flaw, Releases BES 5.0.3 MR3 Update

Jul 14, 20112 mins
MobileSmall and Medium BusinessSmartphones

RIM this week issued new security and maintenance updates for many versions of its BlackBerry Enterprise Server (BES) software, and the company says BES administrators should update immediately to avoid potential security issues.

BlackBerry-maker Research In Motion (RIM) this week issued a security advisor and a related fix for a newly discovered flaw in a number of versions of its BlackBerry Enterprise Server (BES) software that could allow hackers or other miscreants to access sensitive BES data or even launch a form of denial of service (DoS) attack.

BlackBerry Torch 9800 with Padlock (Image Credit: Brian Sacco)
BlackBerry Torch 9800 with Padlock (Image Credit: Brian Sacco)

RIM also released a new maintenance update for BES 5.0 Service Pack 3, or 5.0.3, for Microsoft Exchange and Lotus Domino, called BES v.5.0.3 maintenance release 3 (MR3).

The BES vulnerability appears to affect all of the most recent versions of BES 5.0 and BES Express for Exchange, Domino and Novell GroupWise. It has a Common Vulnerability Scoring System (CVSS) rating of 4.8, with 0 representing no significant threat, and 10 representing the most serious threats. RIM recommends that all BES administrators running any of these software versions install the new security updates immediately to address the flaw.

From RIM:

“A vulnerability exists in the BlackBerry Administration API which could allow an attacker to read files that contain only printable characters on the BlackBerry Enterprise Server, including unencrypted text files. Binary file formats, including those used for message storage, are not affected. This vulnerability is limited to the user permissions granted to the BlackBerry Administration API component.

“Successful exploitation of this issue could allow information disclosure. Successful exploitation may also result in resource exhaustion and therefore could be leveraged as a partial denial of service (DoS).”

Pop on over to RIM’s BES security advisory page for more details, to see if your version of BES is affected and to download any necessary security patches.

Along with the security update, RIM also released a new BES maintenance update for BES v5.0 for Exchange and Lotus Domino. BES 5.0.3 MR3, though it did not yet post up any sort of release notes to identify any bug fixes or feature enhancements.

Download the BES 5.0.3 MR3 for Microsoft Exchange or IBM Lotus Domino on RIM’s server downloads page.


Via @banthon