BSRT-2020-003 Vulnerability in UEM Core Impacts BlackBerry UEM

Article Number: 000068112 First Published:  Last Modified: October 15, 2020 Type: Security Advisory

Overview

This advisory addresses an improper input validation vulnerability in the UEM Core of affected versions of BlackBerry UEM that could potentially allow a successful attacker to cause a Denial of Service (DoS) of the UEM Core service. BlackBerry is not aware of any exploitation of this vulnerability.

BlackBerry investigates all reports of security vulnerabilities affecting supported products and services. A security advisory is issued once the investigation is complete and the software update is released. Installing the recommended update(s) in this advisory will help maintain the security of your BlackBerry product(s).

Vulnerability Information

Vulnerability Categories | Vulnerability Details

CVE Identifier: CVE-2020-6933
Vulnerability Type: Improper input validation
CVSS 3.1 Score: 7.5
Affected Product(s):
  • BlackBerry UEM version 12.13.0
  • BlackBerry UEM version 12.12.1a QF2 and earlier
  • BlackBerry UEM version 12.11.1 QF3 and earlier
Affected Component(s): UEM Core. UEM Core is the central component of the BlackBerry UEM architecture.
Non-Affected Product(s):
  • BlackBerry UEM version 12.13.1 and later
  • BlackBerry UEM version 12.12.1a QF3 and later
  • BlackBerry UEM version 12.11.1 QF4 and later
  • BlackBerry Enterprise Mobility Server (BEMS)
  • BlackBerry Workspaces
  • BES 5
Who Should Read This Advisory/Apply Software Update(s): Administrators who deploy and support BlackBerry UEM.
Requirements for Attacker to be Successful: In order to exploit this vulnerability, an attacker must have a valid BlackBerry UEM Internet Protocol (IP) address and have access to the local network. Alternatively, this vulnerability can be exploited externally by obtaining a valid tenant identifier (SRP ID).
Impact if Requirements are Met: If the requirements for exploitation are met, an attacker could potentially cause a Denial of Service (DoS) of the UEM Core service.
Mitigation(s): There are no known mitigations.
Workaround(s)/Recommendation(s): All workarounds should be considered temporary measures. BlackBerry recommends that customers install the latest update(s) to protect their systems. There are no known workarounds.
Software Update(s): Click the following link to download the software update(s): https://besc.webapps.blackberry.com/myaccount/downloads/servers
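The affected and non-affected version lists above are split across three release branches, each with its own fixed build, and the "a" suffix and "QF" (quick fix) number both matter when comparing. The following added example, which is not BlackBerry's code and not part of the advisory, shows how an administrator could classify installed UEM Core versions against those lists. It assumes version strings of the form "MAJOR.MINOR.PATCH[letter][ QFn]" as printed in the advisory, and treats a missing QF suffix as the base release; the hostnames and the inventory are constructed sample data, and branches the advisory does not mention are reported as "unknown" rather than guessed.

```python
import re
from typing import Dict, List, Tuple

# Fixed builds per release branch, taken from the advisory's
# "Non-Affected Product(s)" list: anything at or above the fixed build
# on the same branch is not affected. (Constructed mapping; the advisory
# publishes no machine-readable feed.)
FIXED_BY_BRANCH: Dict[Tuple[int, int], str] = {
    (12, 13): "12.13.1",
    (12, 12): "12.12.1a QF3",
    (12, 11): "12.11.1 QF4",
}

# Assumed format: "12.12.1a QF2" -> major, minor, patch, optional letter,
# optional quick-fix number.
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)([a-z]?)(?:\s*QF(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text: str) -> Tuple[int, int, int, str, int]:
    """Parse a UEM version string into a tuple that sorts correctly.

    A missing QF suffix counts as QF0 (the base release), and a missing
    letter sorts before "a", so 12.12.1 QF2 < 12.12.1a QF2 < 12.12.1a QF3.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised UEM version string: {text!r}")
    major, minor, patch, letter, qf = m.groups()
    return (int(major), int(minor), int(patch), letter.lower(), int(qf or 0))


def patch_status(installed: str) -> str:
    """Return 'fixed', 'affected' or 'unknown' for one installed version.

    'unknown' covers branches the advisory does not list (e.g. 12.10.x);
    those need to be checked against the vendor's own guidance rather
    than assumed safe.
    """
    v = parse_version(installed)
    fixed = FIXED_BY_BRANCH.get((v[0], v[1]))
    if fixed is None:
        return "unknown"
    return "fixed" if v >= parse_version(fixed) else "affected"


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hostnames by patch status; inventory maps hostname -> version."""
    grouped: Dict[str, List[str]] = {"fixed": [], "affected": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        grouped[patch_status(version)].append(host)
    return grouped


# Constructed sample inventory: hostnames and versions are made up for
# the example and do not describe any real deployment.
SAMPLE_INVENTORY = {
    "uem-core-01.example.internal": "12.13.0",
    "uem-core-02.example.internal": "12.13.1",
    "uem-core-03.example.internal": "12.12.1a QF2",
    "uem-core-04.example.internal": "12.12.1a QF3",
    "uem-core-05.example.internal": "12.11.1 QF3",
    "uem-core-06.example.internal": "12.11.1 QF4",
    "uem-core-07.example.internal": "12.10.1",
}

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:9s} {', '.join(hosts) or '-'}")
```

The comparison is deliberately tuple-based rather than string-based: a plain string compare would rank "12.12.1a QF10" below "12.12.1a QF3", and would not treat "12.11.2" as later than "12.11.1 QF4", which the advisory's "and later" wording requires.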

More information

Where can I read more about the security of BlackBerry products and services?
For more information on BlackBerry security visit www.blackberry.com/psirt.


Definitions

CVE
Common Vulnerabilities and Exposures is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities maintained by the MITRE Corporation.

CVSS
Common Vulnerability Scoring System is a vendor-agnostic, industry open standard designed to convey the severity of a vulnerability. CVSS scores may be used to determine the urgency of update deployment within an organization and can range from 0.0 (no vulnerability) to 10.0 (critical). BlackBerry uses CVSSv3 in vulnerability assessments to present an immutable characterization of security vulnerabilities. BlackBerry assigns all relevant security vulnerabilities a non-zero score. Customers performing their own risk assessments of vulnerabilities that may impact them can benefit from using the same industry-recognized CVSS metrics.

Mitigations
Mitigations are existing conditions that a potential attacker would need to overcome to mount a successful attack or that would limit the severity of an attack. Examples of such conditions include default settings, common configurations and general best practices.
Workarounds
Workarounds are settings or configuration changes that a user or administrator can apply to help protect against an attack.

Legal Disclaimer

All data and information provided in this advisory (“Information”) are provided for informational purposes only and are provided “as is” without any warranties or guarantees, express or implied, including without limitation, any warranties or guarantees relating to the accuracy or reliability of the contents of the Information. In no event shall BlackBerry Limited and/or its subsidiaries and affiliates (“BlackBerry”) be liable to any party for any direct, indirect, special, punitive, consequential, or incidental damages in connection with any reliance on or use of the Information, including without limitation, loss of business revenue or earnings, lost data, damages caused by delays, lost profits or a failure to realize expected savings or revenues, even if BlackBerry was expressly advised of the possibility of such damages. 

Change Log

10-15-2020
Fixed the software update link.

Added “(SRP ID)” to the description in the “Requirements for an Attacker to be Successful” section.

10-13-2020
Initial publication