BSRT-2021-002 Vulnerabilities in the Management Console Impact BlackBerry UEM
Article Number: 000078971
First Published: May 11, 2021
Last Modified: May 28, 2021
Type: Security Advisory
Overview
This advisory addresses multiple vulnerabilities in the Management Console of affected versions of BlackBerry® UEM that could potentially allow a successful attacker to prevent new user connections, cause a spreadsheet application that opens a CSV exported from the console to run commands on the victim's local machine with the authority of the user, or bypass Cross Site Request Forgery mitigations. BlackBerry® is not aware of any exploitation of these vulnerabilities.
BlackBerry investigates all reports of security vulnerabilities affecting supported products and services. A security advisory is issued once the investigation is complete and the software update is released. Installing the recommended update(s) in this advisory will help maintain the security of your BlackBerry product(s).
Vulnerability Information
| Vulnerability Categories | CVE-2021-22152 Details | CVE-2021-22153 Details | CVE-2021-22154 Details |
|---|---|---|---|
| CVE Identifier | CVE-2021-22152 | CVE-2021-22153 | CVE-2021-22154 |
| Vulnerability Type | Denial of Service | Remote Code Execution via Exported CSV Injection | Information Disclosure |
| CVSS Score | 5.5 | 7.6 | 4.3 |
| Affected Product(s) | | | |
| Affected Component(s) | UEM Management Console. The Management Console is a web interface that allows administrators and users to manage enterprise-activated devices; users can only manage their own devices. | UEM Management Console | UEM Management Console |
| Non-Affected Product(s) | | | |
| Who Should Read This Advisory/Apply Software Fixes | | | |
| Requirements for Attacker to be Successful | To exploit this vulnerability, a privileged attacker must inject malformed data into the administration console. | To exploit this vulnerability, a privileged attacker must add a maliciously crafted formula to the UEM data model, which is later exported to CSV. | To exploit this vulnerability, an attacker must gain access to a victim's web history. |
| Impact if Requirements are met (exploitation results) | A successful attacker could potentially prevent any new user connections. | A successful attacker could potentially cause the spreadsheet application that opens the exported CSV to run commands on the victim's local machine with the authority of the user. | A successful attacker could potentially bypass Cross Site Request Forgery mitigations. |
| Mitigation(s) | This issue is mitigated by the requirement that an attacker have administrative access to the Management Console. | This issue is mitigated by the requirement that an attacker have access to the Management Console and must persuade a target user to download a spreadsheet. This attack is further mitigated by the requirement that a victim, in the default spreadsheet application's configuration, must disregard any security warnings displayed and click through multiple dialogs with an affirmative response. | This issue is mitigated by the requirement that, to exploit the vulnerability, the attacker must first obtain the victim's web history and then convince the victim to click a specially crafted link. |
| Workaround(s)/Recommendation(s) (all workarounds should be considered temporary measures; BlackBerry recommends that customers install the latest update(s) to protect their systems) | There are no workarounds for this vulnerability. | If the option is available for the spreadsheet application, administrators should enforce administrative policies that disable active content in spreadsheets. | There are no workarounds for this vulnerability. |
| Software Update(s) | Click the following link to download the software update(s): https://besc.webapps.blackberry.com/myaccount/downloads/servers | https://besc.webapps.blackberry.com/myaccount/downloads/servers | https://besc.webapps.blackberry.com/myaccount/downloads/servers |
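The CVE-2021-22153 row describes a CSV injection: a console user with enough rights stores a value beginning with a formula character, the console later writes that value verbatim into an exported CSV, and the victim's spreadsheet application evaluates it as a formula when the file is opened. The workaround in the table (disabling active content in the spreadsheet application) is a client-side control; the server-side fix is to neutralize formula-triggering cells at export time. The following is an added example, written for this advisory and not BlackBerry's or UEM's own code, of a naive export beside a hardened one, plus a scanner that flags evaluable cells in a CSV that was already exported. All function names and the sample rows are constructed for illustration; the payload strings are the well-known DDE-style pattern that opens cmd.exe when Excel evaluates them.

```python
import csv
import io
import re

# Leading characters that Excel, LibreOffice Calc and Google Sheets treat as
# the start of a formula. Tab and carriage return are included because some
# versions strip them and then evaluate what follows.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# A plain signed number such as -5 or +1.5e3 starts with a trigger character
# but is a number, not a formula, so it must not be flagged or quoted.
_NUMBER = re.compile(r"[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?")


def looks_like_formula(cell):
    """True if a spreadsheet would try to evaluate this cell text."""
    stripped = cell.lstrip(" ")
    if not stripped.startswith(FORMULA_TRIGGERS):
        return False
    return _NUMBER.fullmatch(stripped) is None


def neutralize_cell(value):
    """Return value as text that no spreadsheet will evaluate as a formula.

    Text that begins with a trigger character (after optional leading spaces)
    is prefixed with a single quote, the OWASP-recommended marker that forces
    the cell to be read as a literal string. Numbers pass through unchanged.
    Embedded double quotes are left for the CSV writer to escape.
    """
    if value is None:
        return ""
    text = str(value)
    if looks_like_formula(text):
        return "'" + text
    return text


def export_csv(header, rows, neutralize):
    """Serialise rows to CSV text.

    neutralize=False is the kind of naive export that is vulnerable to CSV
    injection; neutralize=True passes every cell through neutralize_cell.
    QUOTE_ALL keeps a value containing a comma or semicolon inside one cell,
    so an attacker cannot push a payload into the next column.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        if neutralize:
            writer.writerow([neutralize_cell(c) for c in row])
        else:
            writer.writerow(["" if c is None else str(c) for c in row])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Scan an already exported CSV and return (row, column) positions of
    cells a spreadsheet would evaluate. Row 0 is the header line."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if looks_like_formula(cell):
                hits.append((r, c))
    return hits


# Constructed sample data (not from the advisory): two legitimate records and
# one whose display name and notes were chosen by a malicious console user.
HEADER = ["username", "display_name", "device_count", "notes"]
ROWS = [
    ["alice", "Alice Example", 2, "ok"],
    ["bob", "Bob Example", -1, "balance -5"],
    ["mallory", "=cmd|' /C calc'!A0", 1, "@SUM(1+1)*cmd|' /C calc'!A0"],
]

if __name__ == "__main__":
    vulnerable = export_csv(HEADER, ROWS, neutralize=False)
    hardened = export_csv(HEADER, ROWS, neutralize=True)
    print("evaluable cells in naive export:", find_formula_cells(vulnerable))
    print("evaluable cells in hardened export:", find_formula_cells(hardened))
    print(hardened)
```

The quote prefix is visible in some spreadsheet applications, which is the usual trade-off for a neutralization that works regardless of the client's settings; the scanner is useful for checking exports produced before the update was applied.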
More information
Where can I read more about the security of BlackBerry products and services?
For more information on BlackBerry security visit http://www.blackberry.com/psirt.
Definitions
CVE
Common Vulnerabilities and Exposures is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities maintained by the MITRE Corporation.
CVSS
Common Vulnerability Scoring System is a vendor agnostic, industry open standard designed to convey the severity of a vulnerability. CVSS scores may be used to determine the urgency for update deployment within an organization and can range from 0.0 (no vulnerability) to 10.0 (critical). BlackBerry uses CVSSv3 in vulnerability assessments to present an immutable characterization of security vulnerabilities. BlackBerry assigns all relevant security vulnerabilities a non-zero score. Customers performing their own risk assessments of vulnerabilities that may impact them can benefit from using the same industry-recognized CVSS metrics.
Mitigations
Mitigations are existing conditions that a potential attacker would need to overcome to mount a successful attack or that would limit the severity of an attack. Examples of such conditions include default settings, common configurations, and general best practices.
Workarounds
Workarounds are settings or configuration changes that a user or administrator can apply to help protect against an attack.
Acknowledgements
BlackBerry would like to thank Siddartha Tripathy, NCC Group Singapore for reporting these vulnerabilities and helping protect our customers.
Legal Disclaimer
All data and information provided in this advisory (“Information”) are provided for informational purposes only and are provided “as is” without any warranties or guarantees, express or implied, including without limitation, any warranties or guarantees relating to the accuracy or reliability of the contents of the Information. In no event shall BlackBerry Limited and/or its subsidiaries and affiliates (“BlackBerry”) be liable to any party for any direct, indirect, special, punitive, consequential, or incidental damages in connection with any reliance on or use of the Information, including without limitation, loss of business revenue or earnings, lost data, damages caused by delays, lost profits or a failure to realize expected savings or revenues, even if BlackBerry was expressly advised of the possibility of such damages.
Change Log
May 28, 2021
Added fixed release version numbers to top of non-affected products list for clarity on which released versions address the vulnerabilities.
May 11, 2021
Initial publication