Certain conditions have to be met for an attack to be successful

Oct 10, 2013 19:56 GMT

BlackBerry has issued an advisory to warn users of BlackBerry Enterprise Service 10.0 to 10.1.2 about a remote code execution vulnerability in the Universal Device Service that’s installed by default in the impacted versions of Enterprise Service.

According to the company, only installations with Oracle Java Runtime 7 update 17 or earlier are impacted, so updating Java can mitigate potential attacks. Additionally, BlackBerry has addressed the security hole in Enterprise Service 10.1.3.

“A vulnerability exists due to a misconfiguration of the JBoss hosting environment in affected BES10 versions,” BlackBerry wrote in its advisory.

“The management software that allows administrators to use a more unified UI when deploying the UDS with BlackBerry Enterprise Service 10 (the wrapper) exposes a JBoss interface that allows a legitimate administrator to upload packages and make them available to clients,” the advisory continues.

“This JBoss interface functionality is not used in BES10. The misconfiguration could allow nonadministrative users to upload packages. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code using the privileges of the BES10 administration service account.”

The company says there are several conditions that must be met in order for the attack to work. For instance, the attack must be launched from a computer within the corporate network with access to the system that’s hosting the Universal Device Service.

If the computer that hosts the Universal Device Service is behind a firewall, the attack fails. The attacker would also have to get past default settings, common configurations and general best practices for the attack to succeed.

There’s no evidence that the vulnerability is currently being exploited in the wild.

The United States Computer Emergency Readiness Team (US-CERT) has also picked up BlackBerry’s report, and advises users to review it and take appropriate measures.