RIM warns of data leakage, denial-of-service vulnerability

Research in Motion (RIM) has shipped a patch to cover a serious security vulnerability that could allow attackers to read files that contain only printable characters on the BlackBerry Enterprise Server, including unencrypted text files.


The flaw, which may also enable denial-of-service attacks, is limited in scope by the permissions granted to the BlackBerry Administration API component, RIM said in an advisory.

Successful exploitation of this issue could allow information disclosure. It may also exhaust server resources and therefore could be leveraged as a partial denial of service (DoS).

RIM said the issue affects the BlackBerry Administration Application Programming Interface (API) component within the BlackBerry Administration Service of the following software versions:

  • BlackBerry Enterprise Server version 5.0.0 for Microsoft Exchange, IBM Lotus Domino and Novell GroupWise (with the BlackBerry Administration API component installed as an option only)
  • BlackBerry Enterprise Server Express version 5.0.0 for Microsoft Exchange and IBM Lotus Domino (with the BlackBerry Administration API component installed as an option only)
  • BlackBerry Enterprise Server Express versions 5.0.1, 5.0.2 and 5.0.3 for Microsoft Exchange
  • BlackBerry Enterprise Server Express versions 5.0.2 and 5.0.3 for IBM Lotus Domino
  • BlackBerry Enterprise Server versions 5.0.1, 5.0.2 and 5.0.3 for Microsoft Exchange and IBM Lotus Domino
  • BlackBerry Enterprise Server version 5.0.1 for Novell GroupWise

The BlackBerry Device Software, BlackBerry Desktop Software and BlackBerry Internet Service are not affected by this vulnerability. Patch information can be found in the RIM advisory.