RIM BlackBerry Enterprise Server Attachment Service does not properly handle PNG image files

2006-01-09T00:00:00
ID VU:646976
Type cert
Reporter CERT
Modified 2006-01-09T22:28:00

Overview

The Research in Motion (RIM) BlackBerry Attachment Service contains a vulnerability in the way the service handles PNG files. By causing the service to render a specially crafted PNG file and convincing a user to view the file on a BlackBerry Handheld device, an attacker could execute arbitrary code or cause a denial of service to the Attachment Service.

Description

The BlackBerry Attachment Service is a component of the BlackBerry Enterprise Server (BES). The BlackBerry Attachment Service renders certain types of files sent as email attachments for display on BlackBerry Handhelds and other BlackBerry client devices. A vulnerability in the way the service renders Portable Network Graphic (PNG) format image files could allow an attacker supplying a specially crafted PNG file to execute arbitrary code or cause the service to stop functioning. A user must view the attacker-supplied attachment on a BlackBerry Handheld in order to trigger the vulnerability.

The underlying vulnerability may be related to the way PNG uses zlib.


Impact

By supplying a specially crafted PNG image as an email attachment and convincing a user to view the image on a BlackBerry Handheld, a remote, unauthenticated attacker could execute arbitrary code or cause a denial of service to the BlackBerry Attachment Service. The attacker may be able to take control of a vulnerable system.
A denial of service may affect only some users, and the Attachment Service may start new threads immediately or after a specified time period (25 minutes by default).


Solution

Upgrade
From RIM Technical Knowledge Center article KB-04756:

For Microsoft Exchange

Install BlackBerry Enterprise Server 4.0 Service Pack 3, then install version 4.0 Service Pack 3, Hotfix 1.

For IBM Lotus Domino and Novell GroupWise

Install BlackBerry Enterprise Server 4.0 Service Pack 3.

To obtain the BlackBerry Enterprise Server software, go to www.blackberry.com/Downloads.


Disable PNG processing, image attachment distiller, and/or Attachment Service

As described in RIM Technical Knowledge Center article KB-04756, "An administrator can exclude PNG images from being processed by the Attachment Service in the BlackBerry Enterprise Server, or disable the Attachment Service completely."
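The workaround above keeps PNG attachments away from the service. As an added example (not from this note, CERT or RIM), the following Python shows how a mail-side filter could apply that policy by content rather than file name: it recognises PNG by signature, verifies every chunk CRC, and inflates the zlib IDAT stream only up to the size IHDR implies, refusing anything else before a renderer ever sees it. The 4,000,000-pixel ceiling, the reject codes and the make_png test helper are assumptions.

```python
import struct
import zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Channels per IHDR colour type: grey, RGB, palette, grey+alpha, RGBA
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}

def png_chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def make_png(width: int, height: int, raw_rows: bytes) -> bytes:
    """Constructed 8-bit RGB PNG used as sample input; not a real attachment."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", zlib.compress(raw_rows)) + png_chunk(b"IEND", b"")

def check_png_attachment(data: bytes, max_pixels: int = 4_000_000) -> str:
    """Return 'not-png', 'ok' or 'reject:<reason>' for an attachment body.
    PNG is recognised by signature, not file name; every chunk CRC is checked and
    IDAT is inflated only up to the size IHDR implies, before any renderer runs."""
    if not data.startswith(PNG_SIG):
        return "not-png"
    pos, ihdr, idat = len(PNG_SIG), None, []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            return "reject:truncated-chunk"
        if zlib.crc32(ctype + body) != struct.unpack(">I", crc)[0]:
            return "reject:bad-crc"
        if ctype == b"IHDR" and length == 13:
            ihdr = struct.unpack(">IIBBBBB", body)
        elif ctype == b"IDAT":
            idat.append(body)
        elif ctype == b"IEND":
            break
        pos += 12 + length
    else:
        return "reject:missing-iend"
    if ihdr is None:
        return "reject:missing-ihdr"
    width, height, depth, colour, _, _, interlace = ihdr
    if colour not in CHANNELS or not 0 < width * height <= max_pixels or interlace:
        return "reject:unsupported-ihdr"  # Adam7 interlace changes the raw size; declined here
    expected = height * (1 + (width * CHANNELS[colour] * depth + 7) // 8)  # filter byte + ceil(bits/8) per row
    inflater = zlib.decompressobj()
    out = inflater.decompress(b"".join(idat), expected + 1)  # hard output ceiling
    if len(out) != expected or not inflater.eof:
        return "reject:idat-size-mismatch"
    return "ok"
```

A result other than "ok" is the cue to strip or quarantine the attachment rather than hand it to the Attachment Service.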


Vendor Information


Research in Motion (RIM)

Updated: January 09, 2006

Status

Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see RIM Technical Knowledge Center article KB-04756.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | | N/A

References

  • <http://events.ccc.de/congress/2005/fahrplan/events/596.en.html>
  • <http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/8021/728075/728850/728215/?nodeid=1167794>

Credit

This vulnerability was reported by FX of Phenoelit. Thanks to RIM for information used in this document.

This document was written by Art Manion.

Other Information

CVE IDs: | CVE-2005-2344
---|---
Severity Metric: | 17.55
Date Public: | 2005-12-27
Date First Published: | 2006-01-09
Date Last Updated: | 2006-01-09 22:28 UTC
Document Revision: | 22