Title |
BlackBerry UEM Advisory |
Product |
BlackBerry UEM |
Vulnerable Version |
< BlackBerry UEM 12.11 |
Fixed Version(s) |
BlackBerry UEM version 12.11 and above, Dynamics SDK version 6.0 and above |
Homepage |
https://docs.blackberry.com/en/endpoint-management/blackberry-uem/ |
Credits |
Octav Opaschi (Detack GmbH) |
BlackBerry UEM is missing security features which allow it to verify the integrity and authenticity of a work application, allowing attackers with operating system access on the Android and Apple iOS platforms to spoof the work application(s), and therefore access protected enterprise resources.
BlackBerry UEM is a multiplatform EMM solution that provides device, app, and content management with integrated security and connectivity, and helps manage iOS, macOS, Android, Windows 10, and BlackBerry 10 devices. BlackBerry UEM is included in the Management, Enterprise, Collaboration, Application, and Content Editions of the BlackBerry Enterprise Mobility Suites.
Source: https://docs.blackberry.com/en/endpoint-management/blackberry-uem/
It was determined that, on the Apple iOS and Android operating systems, arbitrary applications could be installed which presented themselves, by impersonating the parametrization of the installed application, as valid work enabled applications to BlackBerry UEM.
BlackBerry UEM failed to identify the rogue applications and therefore granted access to enterprise resources otherwise available only to trusted work applications, such as tunneled network resources, files or other EMM resources.
Available on request.
Additional functionality which allows app attestation for the mobile devices is implemented in UEM version 12.11 and above, and Dynamics SDK versions 6.0 and above. It is recommended to upgrade to this or any later version and enable app attestation where applicable.
For a successful exploitation, the attacker would require access to the device or would need to convince the user via social engineering or other means to remove software from their phone and side-load the malicious application.