BlackBerry Desktop Manager Intellisync ActiveX Control Arbitrary Remote Code Execution

This script is Copyright (C) 2009-2015 Tenable Network Security, Inc.


Synopsis :

The remote Windows host has an ActiveX control that allows remote
execution of arbitrary code.

Description :

The version of the Lotus Notes Intellisync component
('lnsresobject.dll') included with the BlackBerry Desktop Software
installation on the remote host reportedly contains an unspecified
error that can be exploited to execute arbitrary code.

If an attacker can trick a user on the affected host into viewing a
specially crafted HTML document, he can leverage this issue to execute
arbitrary code on the affected system subject to the user's
privileges.

See also :

http://www.blackberry.com/btsc/viewContent.do?externalId=KB19701

Solution :

Upgrade to BlackBerry Desktop Software version 5.0.1 or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.9
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Windows

Nessus Plugin ID: 42370 (blackberry_intellisync_activex_cmd_exec.nasl)

Bugtraq ID: 36903

CVE ID: CVE-2009-0306
