BlackBerry Enterprise Server / Unite! PDF Distiller Component Vulnerabilities (KB17118 / KB17119)
High Nessus Plugin ID 35430
The remote Windows host has an application that is affected by several vulnerabilities.
The version of BlackBerry Enterprise Server / BlackBerry Unite! on the remote host reportedly contains several vulnerabilities in the PDF distiller component of the BlackBerry Attachment Service:

- A heap-based buffer overflow triggered when parsing a certain stream inside a PDF file.
- A heap-based buffer overflow triggered when parsing a data stream inside of a PDF file.
- An uninitialized memory vulnerability triggered when parsing a data stream inside of a PDF file.

A remote attacker may be able to leverage these issues to execute arbitrary code on the affected host, subject to the privileges under which the application runs (generally 'SYSTEM'), by sending an email message with a specially crafted PDF file and having it opened for viewing on a BlackBerry smartphone.
If using BlackBerry Enterprise Server, apply Interim Security Software Update 2 or later or prevent the Attachment Service from processing PDF files. If using BlackBerry Unite!, either upgrade to 1.0.3 bundle 28 or later or prevent the Attachment Service from processing PDF files.