Security Holes Found In RIM BlackBerry Service
An anonymous reader writes "Researchers have found several security holes in Blackberry handheld devices and the servers that power them, according to a story at Washingtonpost.com. The research points out serious flaws in the BlackBerry server, which could be exploited by convincing Blackberry handheld users to click on an image file attachment. From the article: 'Lindner's slides from his presentation -- which he agreed not to release until RIM has fully fixed this problem -- show that the Blackberry server which manages all of the encryption keys needed to unscramble e-mail traffic to and from all Blackberry devices registered on the network stores them on a Microsoft SQL database server in plain, unencrypted text. Lindner found that by convincing a Blackberry user to click on a special image attachment, that handheld device could be made to pass on malicious code to the Blackberry server, which could then be taken over and used to intercept e-mails or as a staging point for other attacks within the network.'"
I'm no SQL guru, but even I know how to avoid these kinds of attacks. Plus, storing information like that in plain text is just... dumb.
Yeah, my wife works for Mercedes, and they are telling ALL users to not open any email with any type of graphics attachment on it, not just the .tiff and .png stuff.
It is a pretty darn huge security hole, and one that shouldn't impact the home user (at least not yet) in any major fashion.
Then again, it is probably wishful thinking that Blackberry users are more technically knowledgeable than the average home user, and wouldn't open dumb emails from unsolicited sources.
From the top of the CERT advisory:
Should an exploit be developed, this arbitrary code would run inside the corporate firewall on a Windows system, possibly with administrator privileges, and possibly with access to the SQL server containing the encryption keys. From the advisory:
Note that they disable all image attachments, not just all TIFF attachments, although they do claim they only need to disable TIFF. In summary, the CERT advisory says it might be possible to execute arbitrary code on the server. The Blackberry advisory recommends disabling all image attachment processing on the server. No one has proved that an exploit exists to take advantage of this, but how can you know there isn't an exploit? In cases like this, the burden of proof lies with the one who claims it's safe to continue processing image attachments. Maybe there isn't a serious problem. Would you leave the attachment service running without disabling the image attachments?
I had no idea the server backend was so...crummy. Why do geeks running FreeBSD at home have their passwords encrypted within MySQL, but big companies with million dollar products don't?
The entire server backend is like that. Some of the more amusing examples:
- When it starts, it has a fixed number of threads it can use to talk to the Exchange server. Let's say it's 1000. If a thread is killed off, e.g. because it timed out, it is not returned to the pool. So over the course of a week or so, you run out of threads and the app will no longer do anything. Consequently, we now reboot the server every night.
- If you have Outlook installed on the Blackberry server, it breaks the Blackberry server software, because it will only work with a very specific nonstandard version of the MAPI DLL.
- 50% of the time when you call their support line, the answer to your question mysteriously turns out to be that your server is under too heavy of a load and you need to buy another server license. Even if the server is working fine for all but one user, or if it was working fine for everyone until you switched license keys.
Basically the entire thing is a giant Rube Goldberg contraption. The handhelds are decent for what they do, but not spectacular.
"...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
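The thread-pool leak described in the comment above (a fixed pool, timed-out workers never returned, exhaustion after days of uptime), as an added example that is not from the thread or from RIM's software: a constructed, single-threaded Python stand-in for a fixed-size pool, with the leaky release-only-on-success pattern beside the try/finally fix. The pool size, handle values and the always-timing-out backend call are all made up for the demonstration; `available()` is the figure a defender would graph to catch this kind of leak before it becomes an outage.

```python
class ConnectionPool:
    """Fixed-size pool of backend handles, a constructed stand-in for
    the per-server thread pool described in the comment above."""
    def __init__(self, size):
        self._free = list(range(size))
    def acquire(self):
        return self._free.pop() if self._free else None
    def release(self, handle):
        self._free.append(handle)
    def available(self):
        return len(self._free)

def call_leaky(pool, work):
    """Buggy pattern: the handle is returned only on the success
    path, so a timeout (or any other exception) loses it for good."""
    handle = pool.acquire()
    if handle is None:
        raise RuntimeError("pool exhausted")
    result = work(handle)
    pool.release(handle)
    return result

def call_safe(pool, work):
    """Fixed pattern: release in finally, so the handle comes back
    whether the call succeeded, timed out or raised anything else."""
    handle = pool.acquire()
    if handle is None:
        raise RuntimeError("pool exhausted")
    try:
        return work(handle)
    finally:
        pool.release(handle)

def timed_out(handle):
    """Constructed backend call that always hits its timeout."""
    raise TimeoutError(f"handle {handle}: no answer from backend")

def drain(call, size, failures):
    """Run `failures` timed-out calls against a fresh pool of `size`
    handles; return how many handles are still usable afterwards."""
    pool = ConnectionPool(size)
    for _ in range(failures):
        try:
            call(pool, timed_out)
        except (TimeoutError, RuntimeError):
            pass
    return pool.available()
```

With four handles and five timed-out calls, `drain(call_leaky, 4, 5)` leaves 0 usable handles (the nightly-reboot symptom), while `drain(call_safe, 4, 5)` leaves all 4.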