BlackBerry PDF flaw threatens corporate networks

A flaw in the way BlackBerry Enterprise Server opens PDF attachments could be exploited to compromise corporate networks, RIM has warned

RIM is warning businesses to disable the function that allows a BlackBerry to read PDF files until an update can be issued, after a security flaw was found in the company's software.

A 'high' severity flaw affecting how BlackBerry Enterprise Server (BES) opens PDF attachments could be exploited to compromise a corporate network. RIM quietly disclosed the flaw last week, but has yet to issue a patch.

"This issue has been escalated internally to our development team. No resolution time frame is currently available," RIM stated in its advisory.

Until the company can issue a patch, RIM has warned customers to disable the BlackBerry Attachment Service, which allows BES to process PDF attachments for users to view on their BlackBerry devices. The flaw relates to how the BlackBerry Attachment Service processes PDF files, which can be exploited via a maliciously crafted PDF.

Vulnerable systems include BES software version 4.1 Service Pack 3 (4.1.3) through to 4.1 Service Pack 5 (4.1.5). RIM has given the advisory a 'high' severity rating.

"If a BlackBerry smartphone user on a BlackBerry Enterprise Server opens and views the specially crafted PDF file attachment on the BlackBerry smartphone, the arbitrary code execution could compromise the computer," RIM stated in its advisory.

According to Sense of Security's principal consultant, Jason Edelstein, this means that corporate networks are at risk from the flaw. Most organisations place the BES alongside key internal systems, such as email servers, giving it privileged access to other computers on that network.

"Given the BES needs to access the data store from the mail server, obviously that's quite a high privilege. If you can execute with the privileges of BES, it's significant what you could do on an email server or another domain name service," he said.

RIM is aware of this weakness and said in its advisory that the BlackBerry Attachment Service can be installed on a remote computer in an isolated environment to prevent attacks from affecting other computers.

Maarten Van Horenbeeck, security researcher at the Internet Storm Center, said: "This vulnerability is... one of those cases where it appears the BlackBerry, which opens a file, may be at risk, but what is really exposed is the enterprise set-up housed in the centre of the corporate network."

Edelstein said there were "quite a few architectural problems" with BlackBerry implementations. "Most organisations put the BES on an internal server on the network, which actually is a conduit between the internal server and RIM's servers based in Canada," he said.

"If someone loses their device and it's not locked in some way, you could browse internally to that company's web-based resources," he said.

"The way the end user can determine if they are vulnerable is to try to open the browser on the BlackBerry and attempt to access your intranet resources; if it comes up on the BlackBerry and you know it's not published on the internet, that should raise alarm bells," Edelstein added.