Microsoft and Adobe weren’t the only companies releasing security updates yesterday. BlackBerry piled on the patch parade with an update for its BlackBerry Enterprise Service 10 mobile device management product, fixing a remote code execution vulnerability.
The problem lies in the Universal Device Service (UDS) that’s installed by default in BlackBerry Enterprise Service (BES) versions 10.0 to 10.1.2. If an attacker has access to the corporate network that’s hosting the UDS and can determine its address, they can execute code as the BES10 admin service account without authentication.
This is because JBoss, BES10’s open source hosting environment, is misconfigured. In its current incarnation, JBoss allows non-admin users to upload packages and make them available to clients. If successfully exploited, the vulnerability also lets attackers execute arbitrary code.
It sounds easier said than done though.
“In order to exploit this vulnerability, an attacker must use the Remote Method Invocation (RMI) interface to serve a malicious package to JBoss from a second server on the network that is not blocked by a firewall,” reads BlackBerry’s advisory.
If for some reason BlackBerry users can’t update their systems right away, there is a series of workarounds, considered “temporary measures” by BlackBerry, that users can follow. These mitigations involve tweaking the RMI interface, blocking certain ports and updating Java.
BlackBerry’s BES10 is a mobile device management solution that allows IT professionals to control their users’ BlackBerry devices, Android devices, and iOS devices. Administrators can install and revoke licenses, manage accounts and conduct day-to-day administrative tasks with the service.
While it is not aware of any attacks exploiting the vulnerability, BlackBerry is urging all Enterprise Service 10 administrators to apply the software update that was released yesterday on the company’s Knowledge Base site.