HexView advisory on BlackBerry device buffer overflow and data loss
Doc ID : KB03422
Last Modified : 2007-07-06
Document Type : Security Advisory
Environment
Advisory Posted: 29 October 2004
- BlackBerry® device
- BlackBerry® Device Software 3.7 Service Pack 1
- BlackBerry® Enterprise Server
- IBM® Lotus® Domino®
- Microsoft® Exchange
Overview
A HexView advisory (ID number HEXVIEW*2004*10*12*1) published on 12 October 2004 identified an issue in BlackBerry Device Software 3.7 Service Pack 1 that is known to Research In Motion (RIM) and has been corrected in BlackBerry Device Software 3.8 and later.
The HexView advisory correctly identifies a scenario that can be manufactured to cause a BlackBerry device to reset, but RIM believes that the advisory contains several incorrect conclusions. While exploiting the software issue may cause a BlackBerry device to reset, it does not constitute a buffer overflow or data loss vulnerability. To date, RIM has not received any customer reports of this issue being exploited in practice.
Impact
A BlackBerry device reset may occur.
Problem
HexView published a brief advisory on 12 October 2004. HexView's policy at that time was not to contact vendors in advance unless a vendor had a prior agreement with HexView. RIM was not notified in advance and was not able to provide any feedback to HexView prior to the publication of the advisory. RIM has since contacted HexView and HexView was helpful in assisting RIM with this issue.
The advisory states the issue can be created by sending a Microsoft Outlook® meeting request with a large string (over 128 KB) in the Location field. It is important to note that Microsoft Outlook limits the size of the Location field to 255 characters, or bytes, so a large Location field cannot be normally or inadvertently created. Despite this restriction, RIM has replicated the issue defined by HexView on BlackBerry devices running BlackBerry Device Software 3.7 Service Pack 1 and confirmed that a BlackBerry device reset may occur. However, RIM believes the following conclusions in HexView's advisory are incorrect:
- A buffer overflow and stack corruption occur.
- Stored messages and BlackBerry device user data are lost. (These are stored in non-volatile Flash memory, not in RAM.)
- Malicious code can be embedded and executed on the BlackBerry device.
Note: The Watchdog Timer also causes the BlackBerry device to reset.
Resolution
Install BlackBerry Device Software 3.8 or later.
RIM has implemented further safeguards at the BlackBerry Enterprise Server level with the release of the following BlackBerry products:
- BlackBerry Enterprise Server software version 4.0
- BlackBerry Enterprise Server software version 3.6 Service Pack 4 Hot Fix 1 for Microsoft Exchange
- BlackBerry Enterprise Server software version 2.2 Service Pack 4 Hot Fix 1 for IBM Lotus Domino
These safety measures will prevent artificially large or problematic meeting requests from being delivered to the BlackBerry device. This eliminates the need for BlackBerry Device Software to be upgraded to version 3.8 or later.
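The advisory describes the trigger (a meeting request whose Location field exceeds 128 KB, far beyond the 255-character limit Outlook itself enforces) and the server-side safeguard (the BlackBerry Enterprise Server refusing to deliver such requests). The following is an added illustration of that kind of gateway check, written for this page and not RIM's own BlackBerry Enterprise Server code: it unfolds a meeting request in iCalendar form, measures the LOCATION property in bytes, and refuses delivery when it exceeds the 255-byte bound the advisory cites. The sample requests, the `build_request` helper and the `Verdict` type are constructed for the example.

```python
"""Added example, not RIM's code: a gateway-side size check on the
LOCATION property of a meeting request, modelled on the BlackBerry
Enterprise Server safeguard the advisory describes."""

from dataclasses import dataclass
from typing import List, Optional

# Outlook's own upper bound for the Location field, as stated in the advisory.
# Anything larger cannot have been produced normally, so it is refused.
MAX_LOCATION_BYTES = 255


@dataclass
class Verdict:
    deliver: bool          # True if the request may be forwarded to the device
    location_bytes: int    # size of LOCATION as transmitted (UTF-8 octets)
    reason: str


def unfold_ical(text: str) -> List[str]:
    """Join RFC 5545 folded lines: a continuation begins with a space or tab."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def property_value(lines: List[str], name: str) -> Optional[str]:
    """Value of the first property called `name`, ignoring parameters
    such as LOCATION;LANGUAGE=en."""
    for line in lines:
        key, sep, value = line.partition(":")
        if sep and key.split(";", 1)[0].upper() == name:
            return value
    return None


def check_meeting_request(ical: str, limit: int = MAX_LOCATION_BYTES) -> Verdict:
    """Decide whether a meeting request is safe to deliver based on the
    transmitted size of its LOCATION property."""
    location = property_value(unfold_ical(ical), "LOCATION")
    if location is None:
        return Verdict(True, 0, "no LOCATION property")
    size = len(location.encode("utf-8"))
    if size > limit:
        return Verdict(False, size, f"LOCATION is {size} bytes, limit is {limit}")
    return Verdict(True, size, "LOCATION within limit")


def fold_line(line: str, width: int = 75) -> str:
    """Fold a long content line at `width` octets the way an iCalendar
    producer would, so the check is exercised against folded input."""
    parts = [line[:width]]
    pos = width
    while pos < len(line):
        parts.append(" " + line[pos:pos + width - 1])
        pos += width - 1
    return "\r\n".join(parts)


def build_request(location: str) -> str:
    """Constructed sample meeting request (METHOD:REQUEST) with the given
    Location value; UID and summary are placeholders."""
    return "\r\n".join([
        "BEGIN:VCALENDAR",
        "METHOD:REQUEST",
        "BEGIN:VEVENT",
        "UID:example-1@example.invalid",
        "SUMMARY:Project sync",
        fold_line("LOCATION:" + location),
        "END:VEVENT",
        "END:VCALENDAR",
    ])


if __name__ == "__main__":
    normal = check_meeting_request(build_request("Room 4B"))
    oversized = check_meeting_request(build_request("A" * (128 * 1024 + 1)))
    print("normal:", normal)
    print("oversized:", oversized)
```

The check measures the property after unfolding and in octets rather than characters, because a gateway must bound what is actually transmitted to the device; a limit of 255 bytes matches what Outlook can legitimately generate while still rejecting the >128 KB case by a wide margin.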
Additional Information
Note: HexView has posted an updated advisory (ID number HEXVIEW*2004*10*14*1).
For more information on BlackBerry security, refer to the following documents: