BSRT-2021-003 Vulnerabilities Impact BlackBerry Protect for Windows


Article Number: 000088685
First Published: November 9, 2021
Last Modified: November 10, 2021
Type: Security Advisory

Overview

This advisory addresses vulnerabilities in affected versions of BlackBerry® Protect for Windows. The vulnerabilities could potentially allow a successful attacker to execute code in the context of a Cylance service that has admin rights on the system, delete data from the local system, or gain access to the security context of the Cylance service within a less privileged application. BlackBerry is not aware of any exploitation of these vulnerabilities. 

BlackBerry investigates all reports of security vulnerabilities affecting supported products and services. A security advisory is issued once the investigation is complete and the software update is released. Installing the recommended update(s) in this advisory will help maintain the security of your BlackBerry product(s).

Vulnerability Information

CVE-2021-32021 Details
  Vulnerability Type: Denial of service in message broker
  CVSS Score: 7.8
  Requirements for Attacker to be Successful: To exploit this vulnerability, an authenticated local attacker must send a specially crafted RPC call to a specific port.
  Impact if Requirements are met (exploitation results): A successful attacker could potentially execute code in the context of a Cylance service that has admin rights on the system.
  Mitigation(s): This issue is mitigated by the requirement that a local authenticated attacker is able to execute malware on the system. This vulnerability is further mitigated by the requirement that an attacker must initiate the attack within a window of opportunity.

CVE-2021-32022 Details
  Vulnerability Type: Low privileged delete using CEF RPC server
  CVSS Score: 5.5
  Requirements for Attacker to be Successful: To exploit this vulnerability, an authenticated local attacker must send a specially crafted RPC call to a specific port.
  Impact if Requirements are met (exploitation results): A successful attacker could potentially gain the ability to delete data from the local system.
  Mitigation(s): This issue is mitigated by the requirement that a local authenticated attacker is able to execute targeted malware on the system. This vulnerability is further mitigated by the requirement that an attacker must initiate the attack within a window of opportunity.

CVE-2021-32023 Details
  Vulnerability Type: Elevation of privilege in message broker
  CVSS Score: 7.8
  Requirements for Attacker to be Successful: To exploit this vulnerability, an authenticated local attacker must broadcast an arbitrary message to a specific port.
  Impact if Requirements are met (exploitation results): A successful attacker could potentially gain access to the security context of the Cylance service.
  Mitigation(s): This issue is mitigated by the requirement that a local authenticated attacker is able to execute targeted malware on the system.

The following information applies to all three vulnerabilities.

Affected Product(s)
  • BlackBerry Protect for Windows version 1574 and all previous agents.

Affected Component(s)
  • Message Broker – The message broker is used for communication between UES components.
  • CEF RPC Server – The CEF RPC Server receives remote procedure calls for the UES Common Endpoint Framework.

Non-Affected Product(s)
  • BlackBerry Protect for Windows versions 1578 and higher
  • BlackBerry Protect for Linux
  • BlackBerry Protect for MacOS
  • BlackBerry Optics
  • BlackBerry Persona

Who Should Read This Advisory/Apply Software Fixes
  • Administrators who deploy affected BlackBerry Protect for Windows in an enterprise
  • Administrators who support BlackBerry Protect for Windows

Workaround(s)/Recommendation(s)
All workarounds should be considered temporary measures. BlackBerry recommends that customers install the latest update(s) to protect their systems.
There are no workarounds for these vulnerabilities.

Software Update(s)
Customers can obtain the latest versions of BlackBerry Protect for Windows via their BlackBerry Protect Console.

More information

Where can I read more about the security of BlackBerry products and services?
For more information on BlackBerry security visit http://www.blackberry.com/psirt.


Definitions

CVE
Common Vulnerabilities and Exposures is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities maintained by the MITRE Corporation.


CVSS
Common Vulnerability Scoring System is a vendor-agnostic, industry open standard designed to convey the severity of a vulnerability. CVSS scores may be used to determine the urgency for update deployment within an organization and can range from 0.0 (no vulnerability) to 10.0 (critical). BlackBerry uses CVSSv3 in vulnerability assessments to present an immutable characterization of security vulnerabilities. BlackBerry assigns all relevant security vulnerabilities a non-zero score. Customers performing their own risk assessments of vulnerabilities that may impact them can benefit from using the same industry-recognized CVSS metrics.


Mitigations
Mitigations are existing conditions that a potential attacker would need to overcome to mount a successful attack or that would limit the severity of an attack. Examples of such conditions include default settings, common configurations, and general best practices.

Workarounds
Workarounds are settings or configuration changes that a user or administrator can apply to help protect against an attack.

Acknowledgements

BlackBerry would like to thank Ceri Coburn, Pen Test Partners, for their involvement in helping protect our customers.

Legal Disclaimer

All data and information provided in this advisory (“Information”) are provided for informational purposes only and are provided “as is” without any warranties or guarantees, express or implied, including without limitation, any warranties or guarantees relating to the accuracy or reliability of the contents of the Information. In no event shall BlackBerry Limited and/or its subsidiaries and affiliates (“BlackBerry”) be liable to any party for any direct, indirect, special, punitive, consequential, or incidental damages in connection with any reliance on or use of the Information, including without limitation, loss of business revenue or earnings, lost data, damages caused by delays, lost profits or a failure to realize expected savings or revenues, even if BlackBerry was expressly advised of the possibility of such damages. 

Change Log

11-10-2021
Adjust formatting

11-09-2021
Initial publication