Softpedia
 


July 18th, 2011, 07:31 GMT · By

Information Disclosure Vulnerability Patched in BlackBerry Enterprise Server

RIM has released security updates for its BlackBerry Enterprise Server (BES) product in order to address an information disclosure and denial of service flaw.

The vulnerability, CVE-2011-0287, is located in the BlackBerry Administration API component, which passes requests to the BlackBerry Administration Service.

"A vulnerability exists in the BlackBerry Administration API which could allow an attacker to read files that contain only printable characters on the BlackBerry Enterprise Server, including unencrypted text files," RIM says in its official advisory.

Binary file formats are not affected and the impact is limited by the API component's access level. The vulnerability bears a score of 4.8 on the CVSS severity scale and successful exploitation can also result in a denial of service condition.

Affected products include BlackBerry® Enterprise Server version 5.0.0 for Microsoft Exchange, IBM Lotus Domino and Novell GroupWise (with the BlackBerry® Administration API component installed as an option only); BlackBerry® Enterprise Server Express 5.0.0 for Microsoft Exchange and IBM Lotus Domino (with the BlackBerry® Administration API component installed as an option only); BlackBerry® Enterprise Server Express versions 5.0.1, 5.0.2 and 5.0.3 for Microsoft Exchange; BlackBerry® Enterprise Server Express versions 5.0.2 and 5.0.3 for IBM Lotus Domino; BlackBerry® Enterprise Server versions 5.0.1, 5.0.2 and 5.0.3 for Microsoft Exchange and IBM Lotus Domino; and BlackBerry® Enterprise Server version 5.0.1 for GroupWise.

Updates are only available for the 5.0.1, 5.0.2 and 5.0.3 versions of the server. Users running 5.0.0 or older versions are advised to upgrade.

In addition to deploying the patches as soon as possible, and as a matter of security best practices, administrators are advised to deploy BES in a segmented network configuration. This involves running each component on a separate computer and having those computers operate on their own network segments.

Such a measure has the benefit of restricting the compromise to a single computer instead of endangering the entire network and BES. RIM credits Richard Leach of NGSSecure for reporting the vulnerability.
