Earlier this month, BlackBerry released an advisory stating that it had discovered a cross-site scripting vulnerability in its enterprise products, Unified Endpoint Manager (UEM) and BlackBerry Enterprise Service version 12 (BES12). Both products are part of the Enterprise Mobility Suite developed by BlackBerry to provide end-to-end support and security for multiple devices connected to a network.

BlackBerry, however, rates the vulnerability low on the risk scale because the attacker must already hold basic administrative access to the management console in order to carry out further attacks. The management console is a web interface that lets users with admin access control the various functions of UEM and BES. The point BlackBerry wants to make through this advisory is that the vulnerability is fairly difficult for an external attacker to exploit, since admin access is a prerequisite.

For the exploit to succeed, the attacker would have to upload a malicious script and then prompt someone with admin access to view the specific location where the script was uploaded. Once these conditions are met, the attacker can make arbitrary modifications in the management console of UEM and BES12. Apart from the execution of arbitrary attacker-supplied HTML and script code, other types of attacks are also possible.
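The failure mode described above is stored cross-site scripting: untrusted upload metadata is rendered into a console page that an administrator later opens. The following is an added illustration, not BlackBerry's code and not derived from the actual UEM/BES console, showing the vulnerable rendering pattern next to its hardened form on a constructed upload list; the row layout and field names are assumptions.

```python
import html

# Constructed sample: one ordinary upload and one whose file name carries script
# markup, standing in for attacker-supplied metadata in an upload area.
UPLOADS = [
    {"name": "policy.pdf", "uploader": "alice"},
    {"name": '<script>document.title="x"</script>report.pdf', "uploader": "mallory"},
]


def render_listing_unsafe(uploads):
    """Vulnerable pattern: untrusted values are interpolated straight into HTML,
    so markup in a file name becomes live script in the admin's browser."""
    rows = "".join(
        f"<tr><td>{u['name']}</td><td>{u['uploader']}</td></tr>" for u in uploads
    )
    return f"<table>{rows}</table>"


def render_listing_safe(uploads):
    """Hardened pattern: every untrusted value is HTML-escaped at output time,
    so the same file name is displayed as text rather than interpreted."""
    rows = "".join(
        f"<tr><td>{html.escape(u['name'])}</td>"
        f"<td>{html.escape(u['uploader'])}</td></tr>"
        for u in uploads
    )
    return f"<table>{rows}</table>"


def contains_active_markup(page: str) -> bool:
    """Cheap regression check for a rendered page that should carry no live
    script from user data (a template test, not a substitute for escaping)."""
    lowered = page.lower()
    return "<script" in lowered or "onerror=" in lowered


if __name__ == "__main__":
    print("unsafe rendering carries script:", contains_active_markup(render_listing_unsafe(UPLOADS)))
    print("safe rendering carries script:  ", contains_active_markup(render_listing_safe(UPLOADS)))
```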

The following versions of UEM and BES are affected by the aforesaid cross-site scripting vulnerability:

BlackBerry Unified Endpoint Manager 12.6.1
BlackBerry Unified Endpoint Manager 12.6
BlackBerry Enterprise Service 12.5.1
BlackBerry Enterprise Service 12.2.1
BlackBerry Enterprise Service 12.2
BlackBerry Enterprise Service 12.1
BlackBerry Enterprise Service 12.0.1
BlackBerry Enterprise Service 12.0

UEM and BES are products developed by BlackBerry so that enterprises can ensure that all devices connected to their network comply with the organization's security policies. Both enterprise-level products are built to enforce those policies without hindering productivity or intruding on privacy.

To mitigate the threat, BlackBerry has advised all enterprises using UEM and BES to upgrade their systems with the latest security patches.


Date Published
May 30, 2017