V-179: BlackBerry Z10 Flaw Lets Physically Local Users Access the Device

June 17, 2013 - 1:09am

PROBLEM:

BlackBerry Z10 Flaw Lets Physically Local Users Access the Device

PLATFORM:

BlackBerry 10 OS version 10.0.10.261 and earlier, except version 10.0.9.2743

ABSTRACT:

A vulnerability was reported in BlackBerry Z10 smartphones.

REFERENCE LINKS:

BlackBerry Security Advisory KB34458
SecurityTracker Alert ID:  1028669
CVE-2013-3692

IMPACT ASSESSMENT:

Medium

DISCUSSION:

On systems with BlackBerry Protect enabled, if the user resets the device password via BlackBerry Protect and downloads a specially crafted application, then a physically local user can access or modify data on the device.

The vulnerability is due to unsafe permissions on a BlackBerry Protect object. The physically local user can exploit this to obtain the device password (if a remote password reset command has been issued via the BlackBerry Protect website) and intercept and prevent the smartphone from acting on BlackBerry Protect commands (e.g., a remote smartphone wipe command).

IMPACT:

A physically local user can access or modify data on the target device.

SOLUTION:

The vendor has issued a fix (10.0.10.648).
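
To check a device inventory against the versions named in this bulletin, the following added example (not part of the vendor advisory) classifies reported OS versions. The inventory format, status labels and sample device names are assumptions; versions between 10.0.10.261 and 10.0.10.648 are reported as "unlisted" because the bulletin does not state their status, and versions later than 10.0.10.648 are assumed to include the fix.

```python
AFFECTED_MAX = (10, 0, 10, 261)   # "10.0.10.261 and earlier"
EXCEPTION = (10, 0, 9, 2743)      # excluded from the affected range by the bulletin
FIXED = (10, 0, 10, 648)          # vendor fix


def parse_version(text):
    """Parse a dotted four-part BlackBerry 10 OS version into a tuple of ints."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"unrecognised OS version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(text):
    """Return the bulletin status for one reported OS version."""
    v = parse_version(text)
    if v == EXCEPTION:
        return "not-affected"     # numerically "earlier", but explicitly excepted
    if v <= AFFECTED_MAX:
        return "affected"
    if v >= FIXED:
        return "fixed"            # assumption: later releases carry the fix
    return "unlisted"             # between .261 and .648: verify with the vendor


def triage(inventory):
    """Group (device, version) pairs by status; bad version strings are kept visible."""
    report = {}
    for device, version in inventory:
        try:
            status = classify(version)
        except ValueError:
            status = "unparseable"
        report.setdefault(status, []).append(device)
    return report


# Constructed sample inventory (device names and the last three versions are made up).
SAMPLE_INVENTORY = [
    ("z10-finance-01", "10.0.10.261"),
    ("z10-finance-02", "10.0.9.2743"),
    ("z10-legal-01", "10.0.10.648"),
    ("z10-legal-02", "10.0.10.300"),
    ("z10-exec-01", "10.0.9.2372"),
    ("z10-exec-02", "unknown"),
]

if __name__ == "__main__":
    for status, devices in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status}: {', '.join(devices)}")
```

Devices reported as "affected" or "unlisted" should be updated to 10.0.10.648.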
