SB2013101208 - Permissions, Privileges, and Access Controls in Blackberry Enterprise Service

Description

This security bulletin contains information about 1 vulnerability.

1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2013-3693)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The BlackBerry Universal Device Service in BlackBerry Enterprise Service (BES) 10.0 through 10.1.2 does not properly restrict access to the JBoss Remote Method Invocation (RMI) interface, which allows remote attackers to upload and execute arbitrary packages via a request to port 1098.

Remediation

Install update from vendor's website.

References

• http://btsc.webapps.blackberry.com/btsc/viewdocument.do;jsessionid=1C7CE6911426BCFAF2A80C3834F4DF0F?externalId=KB35139&sliceId=1&cmd=displayKC&docType=kc&noCount=true&ViewedDocsListHelper=com.kanisa.apps.common.BaseViewedDocsListHelperImpl
• http://secunia.com/advisories/55187