Vulnerability in the PDF distiller of the BlackBerry Attachment Service for BES

[Gregmyers]

Vulnerability in the PDF distiller of the BlackBerry Attachment Service for the BlackBerry Enterprise Server


Doc ID : KB15766
Last Modified : 2008-07-17
Document Type : Security Advisory

Environment

• BlackBerry® Enterprise Server software version 4.1 Service Pack 3 (4.1.3) through 4.1 Service Pack 5 (4.1.5)

Overview

This advisory describes a security issue that the BlackBerry Attachment Service component of the BlackBerry Enterprise Server is susceptible to. The issue relates to a known vulnerability in the PDF distiller component of the BlackBerry Attachment Service that affects how the BlackBerry Attachment Service processes PDF files.
This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 9.0.

Problem

A security vulnerability exists in the PDF distiller of some released versions of the BlackBerry Attachment Service. This vulnerability could enable a malicious individual to send an email message containing a specially crafted PDF file, which when opened for viewing on a BlackBerry smartphone, could cause memory corruption and possibly lead to arbitrary code execution on the computer that the BlackBerry Attachment Service runs on.

Resolution

Upgrade to BlackBerry Enterprise Server software version 4.1 Service Pack 6 (4.1.6).

RIM has also issued an interim security software update that resolves this vulnerability. Visit http://www.blackberry.com/go/serverdownloads to obtain the interim security software update for affected release versions earlier than BlackBerry Enterprise Server software version 4.1.6.

Workaround

Note: As a mobile device best practice, Research In Motion (RIM) recommends that BlackBerry smartphone users open attachments from trusted sources only.

Prevent the BlackBerry Attachment Service from processing PDF files in a BlackBerry Enterprise Server environment

You can prevent the BlackBerry Attachment Service from processing PDF files by editing the list of file format extensions that the BlackBerry Attachment Service opens, and then preventing the PDF attachment distiller from running on the BlackBerry Attachment Service.


To remove the PDF file extension from the list of supported file format extensions, complete the following actions:

1. From the Windows® Desktop, open the BlackBerry Server Configuration tool.
2. Click the Attachment Server tab.
3. In the Format Extensions field, delete pdf: from the colon–delimited list of extensions.
4. Click Apply.
5. Click OK.

Until you prevent the PDF attachment distiller from running, the BlackBerry Attachment Service still detects a PDF file with a renamed extension (in other words, its extension is not .pdf) and attempts to process the file automatically. To prevent the PDF attachment distiller from running, complete the following actions:

1. On the Windows Desktop, open the BlackBerry Server Configuration tool.
2. Click the Attachment Server tab.
3. In the Configuration Option drop-down list, select Attachment Server.
4. In the Distiller Settings section, next to the distiller name Adobe PDF, clear the check box in the Enabled column.
5. Click Apply.
6. Click OK.
7. On the Windows Desktop, in Administrative Tools, open Services.
8. Right-click BlackBerry Attachment Service and click Stop.
9. Right-click BlackBerry Attachment Service and click Start.
10. Close Services.

In Microsoft® Exchange and Novell® GroupWise® environments, complete the following additional steps:

1. On the Windows Desktop, in Administrative Tools, open Services.
2. Right-click BlackBerry Dispatcher and click Stop.
3. Right-click BlackBerry Dispatcher and click Start.
4. Close Services.

Important: Restarting certain BlackBerry Enterprise Server services will delay email message delivery to BlackBerry smartphones. For more information, see KB04789.


In IBM® Lotus® Domino® environments, complete the following additional steps:

1. Open the IBM Lotus Domino Administrator.
2. Click the Server tab.
3. Click the Status tab.
4. Click Server Console.
5. In the Domino Command field, type tell BES quit and press ENTER.
6. In the Domino Command field, type load BES and press ENTER.
7. Close the IBM Lotus Domino Administrator.

Additional Information

You can install the BlackBerry Attachment Service on a remote computer and then place that computer on its own network segment to prevent the spread of potential attacks from the BlackBerry Attachment Service to another computer within your organization’s network. In a segmented network, attacks are isolated and contained on a single area of the network. Using segmented network architecture is designed to improve the security and performance of the BlackBerry Attachment Service network segment by filtering out attachment data that is not destined for other network segments. For more information about placing the BlackBerry Enterprise Solution components in a network architecture that is segmented to prevent the spread of potential malware attacks, see Placing the BlackBerry Enterprise Solution in a Segmented Network.

Visit www.blackberry.com/security for more information on BlackBerry security.

CVSS is a vendor agnostic, industry open standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency for update deployment within an organization. CVSS scores range from 0.0 (no vulnerability) to 10.0 (critical). RIM uses CVSS in vulnerability assessments to present an immutable characterization of security issues. RIM assigns all security relevant issues a non-zero score.

[slammers]

Does this affect the Professional Software version?

If so, I don't see an option to remove the .pdf under the Configuration Option since it only show the Attachment Server in the drop down and not Connector Configuration.

thanks!
Stephen

[GaryCutri]

Quote:

Originally Posted by slammers

Does this affect the Professional Software version?

If so, I don't see an option to remove the .pdf under the Configuration Option since it only show the Attachment Server in the drop down and not Connector Configuration.

thanks!
Stephen

BlackBerry Professional is actually BES 4.1.4 so it will be affected by this vulnerability.

[slammers]

thanks for the reply. that being the case, I don't seem to have this option:

"To remove the PDF file extension from the list of supported file format extensions, complete the following actions:

From the Windows® Desktop, open the BlackBerry Server Configuration tool.
Click the Attachment Server tab.
In the Format Extensions field, delete pdf: from the colon–delimited list of extensions.
Click Apply.
Click OK. "

Under Attachment server Tab, the Configuration Option only has "Attachment server or Test Attachment Service".

[GaryCutri]

Quote:

Originally Posted by slammers

thanks for the reply. that being the case, I don't seem to have this option:

"To remove the PDF file extension from the list of supported file format extensions, complete the following actions:

From the Windows® Desktop, open the BlackBerry Server Configuration tool.
Click the Attachment Server tab.
In the Format Extensions field, delete pdf: from the colon–delimited list of extensions.
Click Apply.
Click OK. "

Under Attachment server Tab, the Configuration Option only has "Attachment server or Test Attachment Service".

It appears that this option isn't available in BlackBerry Professional and you will have to wait until the service pack is released. At this stage for BES sites running the Enterprise version the fix will be in SP6, at this stage I can't confirm the BlackBerry Professional details.

[supabrudda]

Looks like they've got a patch for Professional now too.

BlackBerry - PDA Software Downloads - Support & Services at BlackBerry.com

[supabrudda]

If anyone wants a quick & dirty script to install this patch, I knocked up the following batch file.
1) unzip the patch into say c:\temp
(so you will have c:\temp\BBdecorator & c:\temp\BBDistiller)
2) copy the script below into a new file c:\temp\runme.bat
3) click on runme.bat
4) It will prompt OK 6 times,
- The first 3 unregister the old dlls, the last 3 register the new dlls
5) Make sure they all say "success".
For quiet mode, add a /s after all 6 regsvr32 (i.e. regsvr32 /s .....)

It stops & starts the relevant services.
-------------------------------------------------


Net stop "Blackberry Dispatcher"
net stop "Blackberry Attachment Service"

regsvr32 /u "%ProgramFiles%\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBDecorator\BBrenderingdecorat or.dll"
regsvr32 /u "%ProgramFiles%\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBDecorator\BBXrenderingdecora tor.dll"
regsvr32 /u "%ProgramFiles%\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBDistiller\BBDM_Pdf.dll"

copy ".\BBDecorator\BBrenderingdecorator.dll" "%ProgramFiles%\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBDecorator\"
copy ".\BBDecorator\BBXrenderingdecorator.dll" "%ProgramFiles%\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBDecorator\"
copy ".\BBDistiller\BBDM_Pdf.dll" "%ProgramFiles%\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBDistiller\"

regsvr32 "%ProgramFiles%\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBDecorator\BBrenderingdecorat or.dll"
regsvr32 "%ProgramFiles%\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBDecorator\BBXrenderingdecora tor.dll"
regsvr32 "%ProgramFiles%\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBDistiller\BBDM_Pdf.dll"

Net start "Blackberry Dispatcher"
net start "Blackberry Attachment Service"

[GaryCutri]

I have uploaded Service Pack 6 to our web server to allow everyone to download at high speed (compared to RIM's 29KB/sec download). Please refer to the links below:

BES 4.1 Service Pack 6 For Exchange

BES 4.1 Service Pack 6 for Domino

[Mike]

Thanks for the fast link too thats great. It brings back memorys of 2400 baud modems downloading from Blackberry

[GaryCutri]

BlackBerry Professional Service Pack 4 Interim Security Update - Domino

BlackBerry Professional Service Pack 4 Interim Security Update - Exchange