RIM BlackBerry up to 10.0.10.85 on Z10 Authentication access control
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 7.5 | $0-$5k | 0.00 |
Summary
A vulnerability, which was classified as problematic, was found in RIM BlackBerry -/10.0/10.0.10/10.0.10.261/10.0.10.85 on Z10. Affected by this issue is some unknown functionality of the component Authentication Handler. The manipulation results in access control. This vulnerability is identified as CVE-2013-3692. There is not any exploit available. You should upgrade the affected component.
Details
A vulnerability was found in RIM BlackBerry -/10.0/10.0.10/10.0.10.261/10.0.10.85 on Z10. It has been classified as critical. Affected is some unknown functionality of the component Authentication Handler. The manipulation with an unknown input leads to a access control vulnerability. CWE is classifying the issue as CWE-264. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:
BlackBerry 10 OS before 10.0.10.648 on BlackBerry Z10 smartphones uses weak permissions for a BlackBerry Protect object, which allows physically proximate attackers to bypass intended access restrictions by leveraging a user s BlackBerry Protect password-reset request and a user s installation of a crafted application.
The weakness was released 06/11/2013 by Peter Hansen as BSRT-2013-006 Vulnerability in BlackBerry Protect impacts BlackBerry Z10 smartphone software as not defined advisory (Website). The advisory is available at btsc.webapps.blackberry.com. The public release was coordinated with the vendor. This vulnerability is traded as CVE-2013-3692 since 05/30/2013. Local access is required to approach this attack. A authentication is required for exploitation. The technical details are unknown and an exploit is not available. This vulnerability is assigned to T1068 by the MITRE ATT&CK project. The advisory points out:
The most severe potential impact of this vulnerability requires a BlackBerry Z10 smartphone user to install a specially crafted malicious app, enable BlackBerry Protect, and reset the device password through BlackBerry Protect.
Upgrading to version 10.0.10.648 eliminates this vulnerability. It is possible to mitigate the problem by applying the configuration setting Computer Access to Work Space = DISALLOW / Apply Workspace Password to Full Smartphone = NO / Password Required for Work Space = YES / Restrict Development Mode = YES. The best possible mitigation is suggested to be upgrading to the latest version. A possible mitigation has been published immediately after the disclosure of the vulnerability. The advisory contains the following remark:
IT administrators who deploy BlackBerry Z10 smartphones in an enterprise can mitigate the impact of this issue on the smartphones in their organization by managing the [following] security rule groups.
The vulnerability is also documented in the databases at X-Force (85878), SecurityFocus (BID 60544†), OSVDB (94426†) and Vulnerability Center (SBV-40648†). Further details are available at threatpost.com. If you want to get best quality of vulnerability data, you may have to visit VulDB.
Product
Vendor
Name
Version
License
Website
- Vendor: http://www.rim.com/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.8VulDB Meta Temp Score: 7.5
VulDB Base Score: 7.8
VulDB Temp Score: 7.5
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Access controlCWE: CWE-264
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: No
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Upgrade: BlackBerry 10.0.10.648
Config: Computer Access to Work Space = DISALLOW / Apply Workspace Password to Full Smartphone = NO / Password Required for Work Space = YES / Restrict Development Mode = YES
Timeline
05/30/2013 🔍06/11/2013 🔍
06/11/2013 🔍
06/11/2013 🔍
06/11/2013 🔍
06/18/2013 🔍
07/13/2013 🔍
07/22/2013 🔍
05/06/2017 🔍
Sources
Vendor: rim.comAdvisory: BSRT-2013-006 Vulnerability in BlackBerry Protect impacts BlackBerry Z10 smartphone software
Researcher: Peter Hansen
Status: Not defined
Confirmation: 🔍
Coordinated: 🔍
CVE: CVE-2013-3692 (🔍)
GCVE (CVE): GCVE-0-2013-3692
GCVE (VulDB): GCVE-100-9186
IAVM: 🔍
X-Force: 85878
SecurityFocus: 60544 - BlackBerry 10 OS Weak Permissions Privilege Escalation Vulnerability
OSVDB: 94426
Vulnerability Center: 40648 - BlackBerry OS Before 10.0.10.648 on Z10 Smartphone Physical Proximate Security Bypass by Installing Crafted Application, Medium
Misc.: 🔍
Entry
Created: 06/18/2013 10:10Updated: 05/06/2017 19:27
Changes: 06/18/2013 10:10 (74), 05/06/2017 19:27 (3)
Complete: 🔍
Cache ID: 216::103
If you want to get best quality of vulnerability data, you may have to visit VulDB.
No comments yet. Languages: en.
Please log in to comment.