Vulnerability CVE-2013-3693

Vulnerability CVE-2013-3693

Published: 2013-10-11 Modified: 2013-10-12

Description:

The BlackBerry Universal Device Service in BlackBerry Enterprise Service (BES) 10.0 through 10.1.2 does not properly restrict access to the JBoss Remote Method Invocation (RMI) interface, which allows remote attackers to upload and execute arbitrary packages via a request to port 1098.

Type:

CWE-264

(Permissions, Privileges, and Access Controls)

CVSS2 => (AV:A/AC:M/Au:N/C:C/I:C/A:C)

CVSS Base Score	Impact Subscore	Exploitability Subscore
7.9/10	10/10	5.5/10

Exploit range	Attack complexity	Authentication
Adjacent network	Medium	No required
Confidentiality impact	Integrity impact	Availability impact
Complete	Complete	Complete

Affected software
Blackberry -> Blackberry enterprise service

References:

http://secunia.com/advisories/55187

http://btsc.webapps.blackberry.com/btsc/viewdocument.do;jsessionid=1C7CE6911426BCFAF2A80C3834F4DF0F?externalId=KB35139&sliceId=1&cmd=displayKC&docType=kc&noCount=true&ViewedDocsListHelper=com.kanisa.apps.common.BaseViewedDocsListHelperImpl

Vulnerability CVE-2013-3693

The BlackBerry Universal Device Service in BlackBerry Enterprise Service (BES) 10.0 through 10.1.2 does not properly restrict access to the JBoss Remote Method Invocation (RMI) interface, which allows remote attackers to upload and execute arbitrary packages via a request to port 1098.

CWE-264

CVSS2 => (AV:A/AC:M/Au:N/C:C/I:C/A:C)

7.9/10

10/10

5.5/10

Adjacent network

Medium

No required

Complete

Complete

Complete

Affected software

References: