
U-012: BlackBerry Enterprise Server Collaboration Service Bug Lets Remote Users Impersonate Intra-organization Messages

October 17, 2011 - 9:45am


PROBLEM:

BlackBerry Enterprise Server Collaboration Service Bug Lets Remote Users Impersonate Intra-organization Messages.

PLATFORM:

BlackBerry Enterprise Server for Microsoft Exchange and for IBM Lotus Domino, versions 5.0.3 through 5.0.3 MR4
BlackBerry Client for use with Microsoft Office Communications Server 2007 R2
BlackBerry Client for use with Microsoft Lync Server 2010

ABSTRACT:

A vulnerability was reported in BlackBerry Enterprise Server. A remote user can impersonate another messaging user within the same organization.

REFERENCE LINKS:

BlackBerry Security Advisory ID: KB28524
SecurityTracker Alert ID: 1026179
CVE-2011-0290

IMPACT ASSESSMENT:

Medium

Discussion:

A vulnerability exists in the BlackBerry Collaboration Service component of the affected versions of the BlackBerry Enterprise Server. Successful exploitation would allow a malicious BlackBerry device user within an organization to log into the BlackBerry Collaboration Service as another BlackBerry Collaboration Service user in the same organization. The malicious user could then send messages as the legitimate user, receive messages sent to the legitimate user, prevent the legitimate user from accessing the BlackBerry Collaboration Service, and access the legitimate user's enterprise instant messaging contact list.

Impact:

This vulnerability does not allow an attacker from outside the organization's environment to access the BlackBerry Collaboration Service or impersonate a user.

Solution:

RIM has issued the following interim security software updates that resolve this issue. If you are using a software version that is affected but is not listed below, update to one of the listed versions before applying the security software update.

For BlackBerry Enterprise Server for Microsoft Exchange version 5.0.3 MR4 and BlackBerry Enterprise Server for IBM Lotus Domino version 5.0.3 MR4: RIM Security Software Update.
