CPNI - Centre for the Protection of National Infrastructure
CSIRTUK advisories

3660 - Vulnerability in the PDF distiller of the BlackBerry Attachment Service for the BlackBerry Enterprise Server

ID: 3660
Date: 16/07/2008

Title: 3660 - Vulnerability in the PDF distiller of the BlackBerry Attachment Service for the BlackBerry Enterprise Server
Platform level affected: Net Application - Enterprise
Net-enabled software: Mail Server
Remediation Summary: The manufacturer has reported a problem with this product but has yet to publish a solution. CPNI advise that additional care is exercised when using this product.
Vendors affected: BlackBerry
Applications affected: Attachment Service
Adversity source: Unknown
Attack Vector: Vulnerability exploitation
Virulence: Unknown
Warning Status: Unknown
Potential Damage: Remote execution/modification
Possible Duration: Unknown
Availability of fix: Future
Type of fix: Workaround
Source: Blackberry
Reliability of source: Known
Source URL: http://www.blackberry.com/btsc/dynamickc.do?externalId=KB15766&sliceId=SAL_Public&command=show&forward=nonthreadedKC&kcId=KB15766
Abstract: Description of a security issue with the BlackBerry Attachment Service that relates to a known vulnerability in the PDF distiller component.

Vulnerability in the PDF distiller of the BlackBerry Attachment Service for the BlackBerry Enterprise Server
--------------------------------------------------------------------------------
Doc ID : KB15766
Last Modified : 2008-07-10
Document Type : Security Advisory

Environment
BlackBerry® Enterprise Server software version 4.1 Service Pack 3 (4.1.3) through 4.1 Service Pack 5 (4.1.5)

--------------------------------------------------------------------------------

Overview
This advisory describes a security issue affecting the BlackBerry Attachment Service component of the BlackBerry Enterprise Server. The issue relates to a known vulnerability in the PDF distiller component of the BlackBerry Attachment Service, which affects how the BlackBerry Attachment Service processes PDF files.

This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 9.0.

--------------------------------------------------------------------------------

Problem
A security vulnerability in the PDF distiller of the BlackBerry Attachment Service could enable a malicious individual to use a specially crafted PDF file attachment in an email message to cause arbitrary code to execute on the computer that the BlackBerry Attachment Service runs on. If a BlackBerry smartphone user on a BlackBerry Enterprise Server opens and views the specially crafted PDF file attachment on the BlackBerry smartphone, the arbitrary code execution could compromise the computer.

Resolution
This issue has been escalated internally to the development team. No resolution time frame is currently available.
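While no fix is available, the exposure described above depends on a PDF attachment reaching the Attachment Service's PDF distiller. One piece of "additional care" an administrator can apply at the mail gateway is to identify PDF attachments by content rather than by filename or declared MIME type, so that a PDF disguised with another extension is still caught and can be held for review. The following is an added illustration, not code from CPNI or BlackBerry and not the vendor's workaround; the sample message it inspects is constructed inline, and the quarantine decision it returns is left to the caller's mail pipeline.

```python
import email
from email import policy
from email.message import EmailMessage

# A PDF file begins with "%PDF-"; the specification permits the header to
# appear anywhere within the first 1024 bytes, so scan that window.
PDF_MAGIC = b"%PDF-"
PDF_HEADER_WINDOW = 1024


def looks_like_pdf(data: bytes) -> bool:
    """Content-based check: does the data carry a PDF header near the start?"""
    return PDF_MAGIC in data[:PDF_HEADER_WINDOW]


def find_pdf_attachments(raw_message: bytes) -> list:
    """Parse an RFC 5322 message and report every attachment that is a PDF
    by name, by declared content type, or by magic bytes. Each finding
    records which of the three signals fired so a gateway can treat a
    mismatch (PDF content under a non-PDF name) as the higher-risk case."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        filename = part.get_filename() or ""
        content_type = part.get_content_type()
        by_name = filename.lower().endswith(".pdf")
        by_type = content_type == "application/pdf"
        by_magic = looks_like_pdf(payload)
        if by_name or by_type or by_magic:
            findings.append({
                "filename": filename,
                "content_type": content_type,
                "by_name": by_name,
                "by_type": by_type,
                "by_magic": by_magic,
                # Disguised PDFs are the ones a name-based filter would miss.
                "disguised": by_magic and not (by_name or by_type),
                "size": len(payload),
            })
    return findings


def build_sample_message() -> bytes:
    """Constructed sample (not a real mail): one PDF disguised as a text file,
    one genuine text file, and one PDF declared honestly."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Quarterly report"
    msg.set_content("See attached.")
    # Constructed PDF-like bytes: only the header matters for this check.
    msg.add_attachment(b"%PDF-1.4\n%constructed sample body\n%%EOF\n",
                       maintype="text", subtype="plain", filename="report.txt")
    msg.add_attachment(b"just notes\n",
                       maintype="text", subtype="plain", filename="notes.txt")
    msg.add_attachment(b"%PDF-1.4\n%constructed sample body\n%%EOF\n",
                       maintype="application", subtype="pdf", filename="real.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in find_pdf_attachments(build_sample_message()):
        flag = "DISGUISED " if finding["disguised"] else ""
        print(f"{flag}PDF attachment: {finding['filename']!r} "
              f"({finding['content_type']}, {finding['size']} bytes)")
```

The check deliberately reports all three signals separately: a gateway policy might hold every PDF for a BlackBerry-enabled mailbox until the fix ships, or only those whose declared type and content disagree, and the finding carries enough to implement either.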

--------------------------------------------------------------------------------

Workaround

A description of the workaround can be found at:
http://www.blackberry.com/btsc/dynamickc.do?externalId=KB15766&sliceId=SAL_Public&command=show&forward=nonthreadedKC&kcId=KB15766

This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.

The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.

CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.

Wed, 16 Jul 2008 11:35:00 GMT
Domain affected: Technical