Vulnerability Note VU#520718

BlackBerry Enterprise Server fails to properly handle Microsoft Word attachments

Overview

A buffer overflow vulnerability in BlackBerry Enterprise Server may allow a remote attacker to execute arbitrary code.

I. Description

A buffer overflow vulnerability exists in the BlackBerry Attachment Service component of BlackBerry Enterprise Server. This vulnerability may allow a remote attacker to execute arbitrary code when the service fails to handle a malformed Microsoft Word (.doc) document.

BlackBerry states that the following systems are vulnerable:

BlackBerry Enterprise Server 2.2 and later for IBM Lotus Domino
BlackBerry Enterprise Server 3.6 and later for Microsoft Exchange
BlackBerry Enterprise Server 4.0 and later for Novell GroupWise

II. Impact

A remote attacker who can successfully convince a user to open a malicious Microsoft Word attachment on a BlackBerry Handheld device may be able to execute arbitrary code and compromise a vulnerable server.

III. Solution

BlackBerry provides the following solutions:

Microsoft Exchange

For BlackBerry Enterprise Server 3.6, Install Service Pack 7.
For BlackBerry Enterprise Server 4.0, Install Service Pack 3, then install version 4.0 Service Pack 3 Hotfix 3.

IBM Lotus Domino

For BlackBerry Enterprise Server 2.2, a resolution for this issue has been developed and is currently undergoing testing. A software upgrade will be made available as soon as testing is complete.
For BlackBerry Enterprise Server 4.0, install Service Pack 3, then install version 4.0 Service Pack 3 Hotfix 4.

Novell GroupWise

Install BlackBerry Enterprise Server 4.0 Service Pack 3, then install version 4.0 Service Pack 3 Hotfix 1.

Workarounds

BlackBerry provides the following workaround:

BlackBerry Enterprise Server administrators can exclude Microsoft Word (.doc) files from being processed by the Attachment Service in the BlackBerry Enterprise Server, or disable the Attachment Service completely.

To Exclude Microsoft Word (.doc) files from being processed by the Attachment Service:

On the desktop, click Start > Programs > BlackBerry Enterprise Server > BlackBerry Enterprise Server Configuration.
In the Format Extensions field, delete the .doc extension. Note: Format Extensions is an editable field that lists all the extensions that the Attachment Service will open. A colon is used as a delimiter.
Click Apply, then click OK.

Even though the .doc extension has been removed from the list of supported file types, the Attachment Service may automatically detect a .doc file with a renamed extension and attempt to process the file. Administrators may need to disable the Attachment Service.

To disable the Attachment Service

In Microsoft Windows� Administrative Tools, double-click Services.
Right-click BlackBerry Attachment Service, then click Stop.
Close the Services window.

Systems Affected

Vendor	Status	Date Notified	Date Updated
Research in Motion (RIM)	Vulnerable	17-Aug-2006

References

http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/8021/8149/8052/Support_-_Corrupt_Word_file_may_cause_buffer_overflow_in_the_BlackBerry_Attachment_Service.html?nodeid=1181753&vernum=2
http://www.frsirt.com/english/advisories/2006/0530

Credit

This vulnerability was reported by BlackBerry.

This document was written by Katie Washok.

Other Information

Date Public:	2006-02-09
Date First Published:	2006-08-21
Date Last Updated:	2006-08-21
CERT Advisory:
CVE-ID(s):	CVE-2006-0761
NVD-ID(s):	CVE-2006-0761
US-CERT Technical Alerts:
Metric:	0.58
Document Revision:	14

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Produced 2006 by US-CERT, a government organization
Disclaimers and copyright information

Get Adobe Reader