BlackBerry

Vulnerabilities in BlackBerry’s BES12 Management Console impact BES12

BlackBerry has issued an advisory addressing multiple vulnerabilities that affect BES12 version 12.3.1 and earlier. The vulnerabilities are not currently being exploited.

Successful exploitation requires that an attacker craft a malicious link and that a user with Management Console access click on it. If those requirements are met, an attacker could potentially monitor, modify or exfiltrate data.

Vulnerabilities exist in the BES12 Management Console of affected versions of BES12. The Management Console is a web interface that allows administrators and users to manage enterprise-activated devices.

There are two potential vulnerability scenarios:

SQL Injection – CVE-2016-1914
Successful exploitation of this vulnerability could result in an attacker invoking actions within the BES UI or modifying or exfiltrating data from the SQL database.

In order to exploit this vulnerability, an attacker must first know the URL of the BES12 Management Console on the internal network and then craft a malicious link. An external attacker must then persuade a user with legitimate access to the Management Console to click on the link. An internal attacker with legitimate access could also click on the malicious link themselves.

Reflected Cross-Site Scripting – CVE-2016-1915
Successful exploitation of this vulnerability could result in an attacker logging keystrokes, obtaining the user’s credentials for BES12 or invoking actions within the BES UI.

In order to exploit this vulnerability, an attacker must first know the URL of the BES12 Management Console on the internal network and then craft a malicious link. An attacker must then persuade a user with legitimate access to the Management Console to click on the link.
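The two scenarios above share a shape: the attacker controls a parameter in a link, and the server processes that parameter under the authenticated session of whoever clicks it. The following is an added illustration, not BES12 code and not taken from the advisory, of both bug classes beside their fixes. The "device search" page, its URL, the query parameter name, the database schema and the sample rows are all hypothetical and constructed for the example. The malicious links are generic textbook payloads, not the payloads that affected BES12.

```python
# Added illustration (hypothetical mock of a management console page), not BES12 code.
import html
import sqlite3
from urllib.parse import parse_qs, urlparse


def make_db():
    """Constructed sample data standing in for the console's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (owner TEXT, imei TEXT)")
    conn.executemany(
        "INSERT INTO devices (owner, imei) VALUES (?, ?)",
        [("alice", "356938035643809"), ("bob", "490154203237518")],
    )
    conn.commit()
    return conn


# --- SQL injection (the CVE-2016-1914 bug class) ---------------------------
def search_devices_vulnerable(conn, owner):
    """Builds the query by string concatenation: a quote inside `owner` closes
    the literal and the attacker writes the rest of the WHERE clause."""
    sql = "SELECT owner, imei FROM devices WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def search_devices_fixed(conn, owner):
    """Parameterised query: `owner` is bound as a value and is never parsed
    as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT owner, imei FROM devices WHERE owner = ?", (owner,)
    ).fetchall()


# --- Reflected cross-site scripting (the CVE-2016-1915 bug class) ----------
def render_vulnerable(owner, rows):
    """Echoes the search term back into the page unencoded, so markup in the
    link's parameter runs as script in the logged-in user's browser."""
    items = "".join(f"<li>{o}: {imei}</li>" for o, imei in rows)
    return f"<h1>Devices for {owner}</h1><ul>{items}</ul>"


def render_fixed(owner, rows):
    """HTML-encodes every untrusted value before placing it in element content."""
    esc = html.escape  # encodes & < > " and '
    items = "".join(f"<li>{esc(o)}: {esc(imei)}</li>" for o, imei in rows)
    return f"<h1>Devices for {esc(owner)}</h1><ul>{items}</ul>"


def handle_link(conn, url, hardened):
    """Simulates the administrator clicking the attacker's link: the request
    rides on the victim's session and the server processes whatever the
    query string carries. Returns the HTML the victim's browser would get."""
    owner = parse_qs(urlparse(url).query).get("owner", [""])[0]
    if hardened:
        return render_fixed(owner, search_devices_fixed(conn, owner))
    return render_vulnerable(owner, search_devices_vulnerable(conn, owner))


# Constructed malicious links. The host is a placeholder for the console's
# internal URL, which (as the advisory notes) the attacker must already know.
CONSOLE = "https://bes-console.corp.example/devices"
SQLI_LINK = CONSOLE + "?owner=%27%20OR%20%271%27%3D%271"  # decodes to ' OR '1'='1
XSS_LINK = CONSOLE + "?owner=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E"


def demo():
    """Runs both links against the vulnerable and the hardened handler."""
    conn = make_db()
    return {
        # rows returned to the SQLi link: every device before the fix, none after
        "sqli_rows_vulnerable": handle_link(conn, SQLI_LINK, False).count("<li>"),
        "sqli_rows_fixed": handle_link(conn, SQLI_LINK, True).count("<li>"),
        # whether the <script> tag reaches the browser as live markup
        "xss_reflected_vulnerable": "<script>" in handle_link(conn, XSS_LINK, False),
        "xss_reflected_fixed": "<script>" in handle_link(conn, XSS_LINK, True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points the mock makes concrete. First, neither attack needs the attacker to hold credentials: the victim's browser sends the console's session cookie with the request, which is why the advisory's precondition is simply that a legitimate user click the link. Second, the fixes are independent: binding parameters stops the SQL clause from being rewritten but does nothing for the reflected markup, and output encoding does nothing for the SQL, so an upgrade has to close both.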

BlackBerry has fixed these vulnerabilities in BES12 version 12.4 and later. To be fully protected, administrators should update to BES12 version 12.4 or later as soon as possible.

Administrators can download upgrades or maintenance releases here.