BSRT-2021-002 Vulnerabilities in the Management Console Impact BlackBerry UEM


Article Number: 000078971 First Published:  Last Modified: May 28, 2021 Type: Security Advisory

Overview

This advisory addresses multiple vulnerabilities in the Management Console of affected versions of BlackBerry® UEM that could potentially allow a successful attacker to prevent new user connections, cause the spreadsheet application to run commands on the victim’s local machine with the authority of the user, or bypass Cross Site Request Forgery mitigations. BlackBerry® is not aware of any exploitation of these vulnerabilities.

BlackBerry investigates all reports of security vulnerabilities affecting supported products and services. A security advisory is issued once the investigation is complete and the software update is released. Installing the recommended update(s) in this advisory will help maintain the security of your BlackBerry product(s).


Vulnerability Information

Affected Product(s)
  • UEM version 12.13.1 QF2 and earlier
  • UEM version 12.12.1a QF6 and earlier

Affected Component(s)
UEM Management Console. The Management Console is a web interface that allows administrators and users to manage enterprise-activated devices. Users can only manage their own devices.

Non-Affected Product(s)
  • UEM 12.14 PR
  • UEM 12.13.1 QF3
  • UEM 12.12.1a QF7
  • BlackBerry Enterprise Mobility Server (BEMS)
  • BlackBerry Workspaces

Who Should Read This Advisory/Apply Software Fixes
  • Administrators who deploy and support BlackBerry UEM in an enterprise

CVE-2021-22152
Vulnerability Type: Denial of Service
CVSS Score: 5.5
Requirements for Attacker to be Successful: To exploit this vulnerability, a privileged attacker must inject malformed data into the administration console.
Impact if Requirements are met (exploitation results): A successful attacker could potentially prevent any new user connections.
Mitigation(s): This issue is mitigated by the requirement that an attacker have administrative access to the Management Console.
Workaround(s)/Recommendation(s): There are no workarounds for this vulnerability.

CVE-2021-22153
Vulnerability Type: Remote Code Execution via Exported CSV Injection
CVSS Score: 7.6
Requirements for Attacker to be Successful: To exploit this vulnerability, a privileged attacker must add a maliciously crafted formula to the UEM data model.
Impact if Requirements are met (exploitation results): A successful attacker could potentially cause the spreadsheet application to run commands on the victim's local machine with the authority of the user.
Mitigation(s): This issue is mitigated by the requirement that an attacker have access to the Management Console and must persuade a target user to download a spreadsheet. This attack is further mitigated by the requirement that a victim, in the default spreadsheet application's configuration, must disregard any security warnings displayed and click through multiple dialogs with an affirmative response.
Workaround(s)/Recommendation(s): If the option is available for the spreadsheet application, administrators should enforce administrative policies that disable active content in spreadsheets.

CVE-2021-22154
Vulnerability Type: Information Disclosure
CVSS Score: 4.3
Requirements for Attacker to be Successful: To exploit this vulnerability, an attacker must gain access to a victim's web history.
Impact if Requirements are met (exploitation results): A successful attacker could potentially bypass Cross Site Request Forgery mitigations.
Mitigation(s): This issue is mitigated by the requirement that, to exploit the vulnerability, the attacker must convince a victim to click a specially crafted link.
Workaround(s)/Recommendation(s): There are no workarounds for this vulnerability.

Workaround(s)/Recommendation(s)
All workarounds should be considered temporary measures. BlackBerry recommends that customers install the latest update(s) to protect their systems.

Software Update(s)
Click the following link to download the software update(s).
https://besc.webapps.blackberry.com/myaccount/downloads/servers
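As an added, defender-side illustration of the exported CSV injection class behind CVE-2021-22153 (example code written for this page, not BlackBerry's or UEM's), the following Python neutralizes formula-triggering cells when writing an export and flags such cells in an existing export before it is opened in a spreadsheet. The column names and sample rows are constructed.

```python
import csv
import io

# Leading characters that make common spreadsheet applications treat a CSV
# cell as a formula (active content) instead of plain text.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

def is_active_cell(text):
    """True if a spreadsheet may interpret this cell as a formula."""
    # Check the raw first character (a leading tab or CR is itself a trigger)
    # and the first non-blank character (some importers trim spaces first).
    return bool(text) and (text[0] in FORMULA_TRIGGERS
                           or text.lstrip()[:1] in FORMULA_TRIGGERS)

def neutralize_cell(value):
    """Return the cell as text that a spreadsheet will display literally.

    A leading single quote forces text interpretation, so a data-model field
    that starts with '=' cannot run as a formula when an administrator opens
    the export. Numeric columns should be written as numbers by the caller,
    since a legitimate "-5" would otherwise be quoted too.
    """
    text = "" if value is None else str(value)
    return "'" + text if is_active_cell(text) else text

def export_rows(header, rows):
    """Write header and rows as CSV with every cell quoted and neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow([neutralize_cell(h) for h in header])
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()

def find_active_cells(csv_text):
    """(row, column) positions of formula-like cells in an existing export,
    as a pre-open check on files produced by an unpatched exporter."""
    return [(r, c)
            for r, row in enumerate(csv.reader(io.StringIO(csv_text)))
            for c, cell in enumerate(row) if is_active_cell(cell)]

if __name__ == "__main__":
    # Constructed sample: one display name begins with '=' (a harmless
    # arithmetic formula stands in for a malicious one).
    unsafe = "display_name,device\n=1+1,phone\nalice,tablet\n"
    print(find_active_cells(unsafe))                          # [(1, 0)]
    safe = export_rows(["display_name", "device"], [["=1+1", "phone"]])
    print(find_active_cells(safe))                            # []
```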


More information

Where can I read more about the security of BlackBerry products and services?
For more information on BlackBerry security, visit http://www.blackberry.com/psirt.


Definitions

CVE
Common Vulnerabilities and Exposures is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities maintained by the MITRE Corporation.

CVSS
Common Vulnerability Scoring System is a vendor agnostic, industry open standard designed to convey the severity of a vulnerability. CVSS scores may be used to determine the urgency for update deployment within an organization and can range from 0.0 (no vulnerability) to 10.0 (critical). BlackBerry uses CVSSv3 in vulnerability assessments to present an immutable characterization of security vulnerabilities. BlackBerry assigns all relevant security vulnerabilities a non-zero score. Customers performing their own risk assessments of vulnerabilities that may impact them can benefit from using the same industry-recognized CVSS metrics.

Mitigations
Mitigations are existing conditions that a potential attacker would need to overcome to mount a successful attack or that would limit the severity of an attack. Examples of such conditions include default settings, common configurations, and general best practices.

Workarounds

Workarounds are settings or configuration changes that a user or administrator can apply to help protect against an attack.

Acknowledgements

BlackBerry would like to thank Siddartha Tripathy, NCC Group Singapore for reporting these vulnerabilities and helping protect our customers.

Legal Disclaimer

All data and information provided in this advisory (“Information”) are provided for informational purposes only and are provided “as is” without any warranties or guarantees, express or implied, including without limitation, any warranties or guarantees relating to the accuracy or reliability of the contents of the Information. In no event shall BlackBerry Limited and/or its subsidiaries and affiliates (“BlackBerry”) be liable to any party for any direct, indirect, special, punitive, consequential, or incidental damages in connection with any reliance on or use of the Information, including without limitation, loss of business revenue or earnings, lost data, damages caused by delays, lost profits or a failure to realize expected savings or revenues, even if BlackBerry was expressly advised of the possibility of such damages. 

Change Log

May 28, 2021
Added fixed release version numbers to top of non-affected products list for clarity on which released versions address the vulnerabilities.

May 11, 2021

Initial publication