Secunia

Some vulnerabilities have been reported in BlackBerry Enterprise Server, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.

1) A boundary error exists in the Attachment Service in the handling of malformed TIFF image attachments. This can be exploited to cause a heap-based buffer overflow that causes the service to stop responding to view-attachment requests from BlackBerry users.

The vulnerability has been reported in BlackBerry Enterprise Server version 4.0 and later.

2) An error exists in the handling of Server Routing Protocol (SRP) packets. This can be exploited to disrupt the communication between BlackBerry Enterprise Server and BlackBerry Router, potentially causing a DoS.

Successful exploitation requires that the attacker is able to connect to the BlackBerry Server/Router via port 3101/tcp.

The vulnerability has been reported in BlackBerry Enterprise Server version 4.0 and later.

3) A boundary error exists in the Attachment Service in the handling of malformed Microsoft Word (.doc) file attachments. This can be exploited to cause a buffer overflow and allows arbitrary code execution on the BlackBerry Attachment Service component of the BlackBerry Enterprise Server.

The vulnerability has been reported in following products:
* BlackBerry Enterprise Server 2.2 and later for IBM Lotus Domino
* BlackBerry Enterprise Server 3.6 and later for Microsoft Exchange
* BlackBerry Enterprise Server 4.0 and later for Novell GroupWise

Solution
Apply hotfix.
Further details available in Customer Area

Provided and/or discovered by
1-2) FX, Phenoelit.
3) Reported by vendor.

Changelog
Further details available in Customer Area

Original Advisory
http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/8021/728075/728850/728215/?nodeid=1167898
http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/8021/728075/728850/728215/?nodeid=1167895
http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/8021/728075/728850/728215/?nodeid=1181753
http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/8067/645045/7963/788525/788526/1166533/1180282/?nodeid=1180211
http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/8067/645045/7963/7965/729294/1122673/1145865/?nodeid=1180274
http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/8067/645045/7963/8164/729011/1139744/1145864/?nodeid=1180131

Other references
Further details available in Customer Area

Deep Links
Links available in Customer Area