BlackBerry patches buffer overflow vulnerability discovered in BlackBerry OS 10.1

By Bla1ze on 9 Apr 2014 10:14 pm EDT

Back in June of 2013, the BlackBerry Security Incident Response Team was advised by modzero that a buffer overflow vulnerability had been discovered in BlackBerry 10 OS versions earlier than 10.2.0.1055. As part of the process, the modzero team contacted BlackBerry to reveal their findings and laid out exactly what the issue was. Since then, BlackBerry has issued a fix for this vulnerability, which is included in BlackBerry 10 OS version 10.2.0.1055 and later.

A stack-based buffer overflow vulnerability exists in the qconnDoor service supplied with affected versions of BlackBerry 10 OS. The qconnDoor service is used by BlackBerry 10 OS to provide developer access, such as shell and remote debugging capabilities, to the smartphone.

Successful exploitation of this vulnerability could potentially result in an attacker terminating the qconnDoor service running on a user's BlackBerry smartphone. In addition, the attacker could potentially execute code on the user’s BlackBerry smartphone with the privileges of the root user (superuser).

An attacker can exploit this vulnerability in the following ways:

  • Over Wi-Fi - In order to exploit this vulnerability, an attacker must send a specially crafted message to the qconnDoor service on a smartphone located on the same Wi-Fi network. The smartphone user must have also enabled development mode on the smartphone before an attack.

  • Over USB - In order to exploit this vulnerability, an attacker must gain physical access to a smartphone and then send a specially crafted message to the qconnDoor service over USB.

This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 7.9. See the linked Common Vulnerabilities and Exposures (CVE) identifier for a description of the security issue that this security advisory addresses: CVE-2014-1468.
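The bug class the advisory describes (a fixed-size stack buffer filled using a length taken from an attacker-controlled message) and the check that removes it, as an added example in C. This is hypothetical handler code written for this article, not qconnDoor's code, and the 2-byte length-prefixed message format is an assumption.

```c
/* Added example, not qconnDoor's real code: a hypothetical handler for a
 * length-prefixed command message, first in the shape that gives a
 * stack-based buffer overflow, then with the bounds check that removes it.
 * Wire format is constructed for this example: 2-byte LE length + payload. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define CMD_MAX 32   /* size of the fixed stack buffer the handler copies into */
#define MSG_HDR 2    /* bytes of length prefix */

/* Vulnerable shape: the copy length is taken straight from the message, so a
 * declared length above CMD_MAX writes past cmd[] on the stack (service crash,
 * or code execution with the service's privileges). Comparison only. */
int handle_cmd_unchecked(const uint8_t *msg, size_t msg_len)
{
    char cmd[CMD_MAX];
    if (msg_len < MSG_HDR) return -1;
    size_t len = (size_t)msg[0] | ((size_t)msg[1] << 8);
    memcpy(cmd, msg + MSG_HDR, len);            /* BUG: len is never checked */
    return (int)len;
}

/* Hardened: the declared length must fit the buffer (with room for a NUL) and
 * must not exceed the bytes actually received. Copies the payload into out
 * (at least CMD_MAX bytes) and returns its length, or -1 on rejection. */
int handle_cmd_checked(const uint8_t *msg, size_t msg_len, char *out)
{
    if (msg_len < MSG_HDR) return -1;
    size_t len = (size_t)msg[0] | ((size_t)msg[1] << 8);
    if (len >= CMD_MAX || len > msg_len - MSG_HDR) return -1;
    memcpy(out, msg + MSG_HDR, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed sample messages and the results a caller sees from the hardened handler. */
static const uint8_t good_msg[]  = { 0x05, 0x00, 'h', 'e', 'l', 'l', 'o' };       /* accepted: 5 */
static const uint8_t short_msg[] = { 0x00, 0x02, 'A', 'A', 'A', 'A' };  /* claims 512, carries 4: -1 */
int good_len(void)           { char o[CMD_MAX]; return handle_cmd_checked(good_msg, sizeof good_msg, o); }
int truncated_rejected(void) { char o[CMD_MAX]; return handle_cmd_checked(short_msg, sizeof short_msg, o); }

int oversized_rejected(void)
{
    uint8_t msg[MSG_HDR + 64] = { 64, 0 };      /* 64 bytes declared and present */
    memset(msg + MSG_HDR, 'A', 64);
    char out[CMD_MAX];
    return handle_cmd_checked(msg, sizeof msg, out);   /* -1: 64 >= CMD_MAX */
}
```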

If you're running BlackBerry OS 10.2.0.1055 or later, you're no longer affected by this issue, and no known attacks using this vulnerability have been reported. If you're still running an earlier version of BlackBerry 10, it is suggested that you update your OS as soon as possible. If no software update is available to you, contact your wireless service provider to request BlackBerry 10 OS version 10.2.0.1055 or later.

Thanks, Ronen!

Reader comments

I believe that's the intent. If no one is told about it, you can't very well exploit it unless you find it on your own. :)

Funny, all BlackBerry "hacks" need you to have physical access to the device.
Unlike iOS and Android where malware is used without having any physical access to the device.
Or in this case somebody must be on the same wifi network while you have your device in developer mode AND send you some kind of message.
Worried? Hell no!

True, and some may not even know about "Development mode" let alone having it on at the time of an attack. It usually turns itself "off" even after legitimate uses.
Still...better safe than sorry. :)

Blaize.....on a "different topic"....

"Thanks" for recommending Snap as a way to port Android apps....I used DDPB, or whatever the acronym is, and now - for the first time in owning about 8 BlackBerry devices - I have HBO Go on my Z30...

Watched the finale of "True Detective" again....awesome.

As the Founding Member of "Club Z30", I am declaring the App Gap "Dead"....long live the app gap...

Thanks, again, Blaize - I thought you might be interested in some very good news....

Founding Member of "Club Z30 "..... the most exclusive club in mobile

I was just looking out the window, and down my street, I saw an old man. He was staring straight at the sky. Of course anyone would wonder, what was the man staring at? At that time I turned straight to the sky to see. Was it a bird? A duck? A cow? A UFO? God?? No. All I saw was the moon. Then as I was looking at it, I realized something was different about it. It made me think. I remembered the time, the time I was going to eat moon cake. I asked myself the question, why was this particular moon cake square? Circle was the standard shape. What made me remember this is... today's moon is square.... it is the time at&t comes out with 10.2.1 after today, take my word for it, and all should go out fine.
-thedustytaco

I've had quite a bit to drink this evening but you my friend sound like you're on something a lot more lethal (aka fun) than alcohol....

LMAO!!!!!!!!! ROGLMAO, my thoughts exactly - but what a trip reading that tho!

By that both your posts are the best of this month!!

BlackBerry Q10  & Full Metal CB10!

Or when the moon turns "red"....which BTW will be happening next week....coincidence?

Founding Member of "Club Z30 "..... the most exclusive club in mobile

Wow. Can't believe ATT is still on 10.1. It's just unbelievable.

It's been almost half a year since 10.2.0 was released around most of the world.

Posted via CB10

I've complained so many times, with only varying and vague responses. Their current line is, "We're still testing." I finally decided I'd hang up the Z10 for an unlocked Z30 from ShopBlackBerry. At least that way, I won't have to wait on AT&T for upgrades.

Posted via CB10

Your application for "Club Z30" membership is in the mail....Congrats

Founding Member of "Club Z30 "..... the most exclusive club in mobile

Do you actually think no one has complained to Latet&t regarding software updates? At this time I believe most if not all at&t customers know they don't care about BlackBerry, updates and BlackBerry customers.

Posted via CB10

Agreed. I'm bailing from ATT the minute my contract expires. If any of you are considering switching to them, think again. BlackBerrys are basically unsupported at this point.

Loving my Q10

I have also complained to AT&T but I got the same answers: "It's in testing" and "We'll let you know when it's ready". I got sick of waiting and went with Sachesi to the land of 10.2.1.

Posted via CB10

Security flaw or not, the odds of getting hit with this are pretty low.........the attacker must either have physical access to the phone or be on the same wifi network while the victim has dev mode on.....I only turn on Dev Mode if i need to side-load and that is rare....then i turn it right back off.....the iPhone SMS hack from 2009 was much more of a security threat than this......

Yeah, can't believe they rated that a 7.9. Of course I don't know what that means or what it is out of, but may as well be out of 100. Who walks around with Dev mode on all the time?

I do appreciate that BlackBerry patched it rather "quickly".

Posted via CB10

  • BlackBerry responded accordingly and fixed what was broke.
  • 99.99% of people were never affected by this and now, never will be.
  • If you're on 10.2.0.1055 or later you can skip reading.
  • We totally missed out on having 'root' access to BB10 devices. Though its usefulness in the real world and to average users is questionable anyway even if it was obtained. See: PlayBook root.
  • AT&T sucks.

That about sums it up.

AT&T Customers, now would be a good time to unite and speak up to them - to freakin' release an official update, aka long awaited 10.2.1

Posted via CB10

NOW would be a good time??? LOL A year ago would have been a good time. Now it's just pathetic, AT&T so pathetic. I will never get a phone from them again.

I think the only carrier in the world still running 10.1 is AT&T. So glad I switched to Verizon.

Posted via CB10

Nothing to worry about, BBRY rectified this minor issue quite fast with the 10.2 update. It's too bad lazy carriers are taking their dear time with the updates.

Great to hear this level of security is being tested and fixed.

This would only affect a very low instance of people...same network, with dev mode enabled, not very likely, but great to see these being plugged.

Considering the scope of holes being plugged by Apple / Android on a regular basis, this level of security detail is great to see.

Well this sucks for AT&T customers. One thing for sure is that they wouldn't have to worry much. An attacker would have to have physical interactions with their device. I guess they shouldn't use WiFi or use Dev Mode.

Powered by my BlackBerry (Z10). Join my #BBM Channels C001227CF, C00476C37, C003829C9, C002454C9,C002190AC, C00120CE3

You can't really jailbreak BBOS/BB10. This is a vulnerability with WiFi and within Dev Mode. It has nothing to do with rooting the device because it's near impossible to root BBOS/BB10.

Powered by my BlackBerry (Z10). Join my #BBM Channels C001227CF, C00476C37, C003829C9, C002454C9,C002190AC, C00120CE3

According to vulnerability description: "attacker could potentially execute code on the user’s BlackBerry smartphone with the privileges of the root user (superuser)". I.e. rooting, isn't it?

Well I guess you proved me wrong but whatever. All I know is nothing has been exploited and we got updates so I'm good. Nothing is 100% but I'm still pretty content with my phone's security. My device never falls into the wrong hands.

Powered by my BlackBerry (Z10). Join my #BBM Channels C001227CF, C00476C37, C003829C9, C002454C9,C002190AC, C00120CE3

I love BB OS 10's security, it's really great. Thanks to Blackberry team that no one was remotely compromised. But ability to root BB 10 device could give us more options to customize our devices.

If you don't have it contact your carrier and ask for new OS? WTH kind of security patching is this? This makes Microsoft look like a world class security company.

You got a security flaw? Fix it yourself moron.

Posted via CB10

Sorry, dual language keyboard. It's moto in the other language, motto in English :) but thanks!

Posted via CB10

Ms.B♋™ @german_chick
@ATTCustomerCare why is #TeamBlackBerry Still waiting on the #BlackBerry10 10.2.1 update??? #Sprint #Verizon and #TMobile have released it!

ATTCustomerCare
@ATTCustomerCare
@german_chick AT&T is continuing to work on the latest 10.2.1 software update for the Blackberry Q10 and Z10. We will release the update as soon as testing is complete. Thanks for your patience as we ready this software update for our customers. 2/2 ^LloydJ

I tweet them every so often...this was a couple days ago. sigh

 Z10STL100-3/10.2.0.1791 on ATT 

One point is crucial - development mode has to be on.
I.e. something that should not be on, on a daily-use device, anyway.

Is it a problem stock vulnerability - yes. Is it life threatening? No. Most people have development mode off anyway.
Still, it is bad news for those who cannot get the 10.2.x updates yet.

Posted via CB10

99.999999% of users don't even know what development mode is about ;)
Moreover, this dev mode disables itself after a number of days (10 by default), so even if they accidentally turned it on, it will resume normal mode after this delay.

Only if x,y,z conditions apply. It's not as simple as not having the current OS.

Re-read articles for x,y,z conditions.

Posted via CB10

No, no, noooo lol.

An ATT user already commented earlier that they are currently on ATT's official release .2074, so clearly they are already past .1055.

Sure they need to step up to 10.2, but this 'security flaw' isn't going to affect ANYBODY using their carrier's current release...at least not in the US.

Who do these ridic news stories come from? "News" like this helps to create a negative image of BBRY, although it is obviously old, relatively irrelevant, and written in such a way that most people don't even understand how pointless the info is.

People gettn all scared lol...the problem was fixed a year ago.

Posted via CB10

Oh wait...10.2 had this problem a year ago? We're all screwed then, especially if ur an ATT user.

Carry on with your fear mongering lol.

Posted via CB10

For those who thought that this bug could have resulted in "rooting" of BB10, please go and read up on the concept of Mandatory Access Control. QNX is *NOT* like a typical UN*X OS in that once you get "root", you have the keys to the kingdom. In an OS with mandatory access control, it is possible to assign very specific privileges to even the root user, so if you managed an exploit of this bug, you might have gotten "root" user identity (which I suppose is something), but you would still have been constrained by the permissions assigned to the process (i.e., if the original process was granted permission to only read/write one file as root, that's what you'd now have: you could read/write that one file, and nothing else; it doesn't matter that you have the "root" identity). BlackBerry has been very diligent in scrubbing their OS so that 1) there are not that many root processes left and 2) those processes that do have to run as root have only the very specific set of permissions needed to do their job and nothing else. Then combine this with the unique message-passing microkernel architecture of QNX and you are not likely to be able to do much.

The direction of most OSes these days has been to go the direction of Mandatory Access Control as it greatly raises the bar: Apple iOS has it (but iOS is still more of a monolithic-looking architecture which is vulnerable to many other attacks, despite Mach branding itself as a "microkernel"); Android 4.3+ has the NSA-developed SELinux kernel, which implements, among other things, mandatory access control (now whether the policies are set to something that is truly secure is another matter, as this tends to break some applications; this is also possibly why we are still stuck with older versions of the Android runtime for BlackBerry: it's probably a pretty complex process to map the SELinux controls back to QNX controls; in the previous versions, they addressed Android permissions by creating a "fake root" user specifically for the Android runtime (i.e., even if you managed to "root" Android on a BlackBerry device, it does not equate to "root" on the QNX side of things)); full-blown SEAndroid not only has the SELinux kernel, but extends mandatory access control to apps (set at install time, but that's still better than nothing).

Hey AT&T service provider! That's you!.... yep, failure to upgrade has made your customers vulnerable!... Let's get with the program here!

...crickets.....