BSRT-2021-001 Vulnerability in SAML Authentication Impacts BlackBerry Workspaces Server (deployed with Appliance-X)

Article Number: 000078926 First Published:  Last Modified: May 11, 2021 Type: Security Advisory

Overview

This advisory addresses an Authentication Bypass vulnerability in the SAML authentication of affected versions of BlackBerry® Workspaces Server (deployed with Appliance-X) that could potentially allow a successful attacker to gain access to the application in the context of the targeted user’s account. BlackBerry® is not aware of any exploitation of this vulnerability.

BlackBerry investigates all reports of security vulnerabilities affecting supported products and services. A security advisory is issued once the investigation is complete and the software update is released. Installing the recommended update(s) in this advisory will help maintain the security of your BlackBerry product(s).

Vulnerability Information

Vulnerability Categories / Vulnerability Details

CVE Identifier: CVE-2021-22155
Vulnerability Type: Authentication Bypass
CVSSv3 Score: 8.3
Affected Product(s): BlackBerry Workspaces Server (deployed with Appliance-X) versions 10.1, 9.1 and earlier
Affected Component(s): SAML Authentication - SAML authentication is the component responsible for verifying the user's identity and credentials.
Non-Affected Product(s):
  • BlackBerry Workspaces Clients
  • BlackBerry Workspaces Server (deployed with vApp) version 9.0
  • BlackBerry UEM
Who Should Read This Advisory/Apply Software Update(s):
  • Administrators who deploy and support BlackBerry Workspaces Server (deployed with Appliance-X)
Requirements for Attacker to be Successful: In order to exploit this vulnerability, an attacker must craft a malicious link, or fraudulently obtain a valid user-generated link.
Impact If Requirements are Met: A successful attacker could potentially gain access to the application in the context of the targeted user's account.
Mitigation(s): This issue is mitigated by the requirement that the attacker must persuade the user to either click a maliciously crafted or fraudulently obtained valid link or provide the attacker with sensitive information.
Workaround(s)/Recommendation(s): There are no known workarounds.
Software Update(s): Affected customers should contact their support or professional services representative to acquire an updated release.

More information

Where can I read more about the security of BlackBerry products and services?
For more information on BlackBerry security visit http://www.blackberry.com/psirt.

Definitions

CVE
Common Vulnerabilities and Exposures is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities maintained by the MITRE Corporation.

CVSS
Common Vulnerability Scoring System is a vendor agnostic, industry open standard designed to convey the severity of a vulnerability. CVSS scores may be used to determine the urgency for update deployment within an organization and can range from 0.0 (no vulnerability) to 10.0 (critical). BlackBerry uses CVSSv3 in vulnerability assessments to present an immutable characterization of security vulnerabilities. BlackBerry assigns all relevant security vulnerabilities a non-zero score. Customers performing their own risk assessments of vulnerabilities that may impact them can benefit from using the same industry-recognized CVSS metrics.

Mitigations
Mitigations are existing conditions that a potential attacker would need to overcome to mount a successful attack or that would limit the severity of an attack. Examples of such conditions include default settings, common configurations and general best practices.
Workarounds
Workarounds are settings or configuration changes that a user or administrator can apply to help protect against an attack.

Legal Disclaimer

All data and information provided in this advisory (“Information”) are provided for informational purposes only and are provided “as is” without any warranties or guarantees, express or implied, including without limitation, any warranties or guarantees relating to the accuracy or reliability of the contents of the Information. In no event shall BlackBerry Limited and/or its subsidiaries and affiliates (“BlackBerry”) be liable to any party for any direct, indirect, special, punitive, consequential, or incidental damages in connection with any reliance on or use of the Information, including without limitation, loss of business revenue or earnings, lost data, damages caused by delays, lost profits or a failure to realize expected savings or revenues, even if BlackBerry was expressly advised of the possibility of such damages. 

Change Log

05-11-2021
Initial publication