BlackBerry Enterprise Server Collaboration Service Bug Lets Remote Users Impersonate Intra-organization Messages.
BlackBerry Enterprise Server for Microsoft Exchange and for IBM Lotus Domino, versions 5.0.3 through 5.0.3 MR4
BlackBerry Client for use with Microsoft Office Communications Server 2007 R2
BlackBerry Client for use with Microsoft Lync Server 2010
A vulnerability was reported in BlackBerry Enterprise Server. A remote user can impersonate another messaging user within the same organization.
A vulnerability exists in the BlackBerry Collaboration Service component of the affected versions of the BlackBerry Enterprise Server. Successful exploitation of this vulnerability would allow a potentially malicious BlackBerry device user within an organization to log into the BlackBerry Collaboration Service as another BlackBerry Collaboration Service user within the organization. This would allow the potentially malicious user to send messages as the legitimate user and receive messages sent to the legitimate user, as well as prevent the legitimate user from accessing the BlackBerry Collaboration Service. This would also allow the potentially malicious user to access the legitimate user's enterprise instant messaging contact list.
This vulnerability does not allow an attacker from outside the organization's environment to access the BlackBerry Collaboration Service or impersonate a user.
RIM has issued the following interim security software updates that resolve this issue. If you are using a software version that is affected but is not listed below, update to one of the listed versions before applying the security software update.
For BlackBerry Enterprise Server for Microsoft Exchange version 5.0.3 MR4 and IBM Lotus Domino version 5.0.3 MR4: RIM Security Software Update.