BlackBerry has issued a patch for its BlackBerry Enterprise Service 10 MDM software, which fixes a remote code execution vulnerability.
As ThreatPost describes, “The problem lies in the Universal Device Service (UDS) that’s installed by default in BlackBerry Enterprise Service (BES) versions 10.0 to 10.1.2. If an attacker has access to the corporate network that’s hosting the UDS and can determine its address, they can execute code as the BES10 admin service account without authentication.
This is because JBoss, BES10’s open source hosting environment, is misconfigured. In its current incarnation, JBoss allows non-admin users to upload packages and make them available to clients. If successfully exploited, the vulnerability also lets attackers execute arbitrary code.”
Exploiting it is not as easy as it sounds, though. BlackBerry says, “in order to exploit this vulnerability, an attacker must use the Remote Method Invocation (RMI) interface to serve a malicious package to JBoss from a second server on the network that is not blocked by a firewall.”
BES 10 customers who cannot apply the update right away can use a series of workarounds. These “temporary measures” include tweaking the RMI interface, blocking certain ports and updating Java.
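As an added illustration of the port-blocking workaround (this is not code from BlackBerry's Knowledge Base article or from ThreatPost), the following PowerShell session restricts the JBoss RMI/JNDI listeners on a BES10 host to connections from the host itself. The port list is an assumption based on stock JBoss defaults (1098, 1099, 4444, 4445); the actual ports to block, and whether any peer BES10 servers must remain able to reach them, have to come from BlackBerry's advisory.

```powershell
# Added example, not BlackBerry's or ThreatPost's code.
# Temporary mitigation: block inbound connections to the JBoss RMI/JNDI listeners
# on the BES10 host so that only components on the same machine can reach them.
# ASSUMPTION: these are the stock JBoss ports; take the real list from BlackBerry's KB.
$RmiPorts = "1098,1099,4444,4445"
$RuleName = "BES10 JBoss RMI - block remote"

# Windows Firewall gives block rules precedence over allow rules, so this rule
# overrides any broader program-based allow rule (for example one for java.exe).
# Connections from the host's own loopback address are not affected, so
# same-host JBoss components keep working.
netsh advfirewall firewall add rule name="$RuleName" dir=in action=block protocol=TCP localport=$RmiPorts remoteip=any profile=any

# In a multi-server BES10 deployment, replace remoteip=any with the address ranges
# that must NOT reach RMI (everything except peer BES10 hosts). Placeholder ranges:
# netsh advfirewall firewall add rule name="$RuleName" dir=in action=block protocol=TCP localport=$RmiPorts remoteip=192.0.2.0/24,198.51.100.0/24

# Verify the rule was created and is enabled.
netsh advfirewall firewall show rule name="$RuleName"

# Confirm what is actually listening; a listener bound to 0.0.0.0 on one of these
# ports is now only reachable from the local host.
netstat -ano | Select-String ":(1098|1099|4444|4445)\s"
```

Apply the rule from an elevated PowerShell prompt, and remove it (`netsh advfirewall firewall delete rule name="$RuleName"`) once the patched version is installed and the RMI interface has been reconfigured.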
BlackBerry Enterprise Service 10 administrators can learn more about the patch on BlackBerry’s Knowledge Base site.