CVE-2017-9367
📋 TL;DR
This directory traversal vulnerability in BlackBerry Workspaces Server allows attackers to access, upload, or execute arbitrary files on the web server by manipulating POST requests. It affects organizations running vulnerable versions of BlackBerry Workspaces Server. The high CVSS score indicates critical severity requiring immediate attention.
💻 Affected Systems
- BlackBerry Workspaces Server
📦 What is this software?
Workspaces Vapp by Blackberry
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise including remote code execution, data exfiltration, and persistent backdoor installation
Likely Case
Unauthorized file access leading to sensitive data disclosure and potential file upload for further exploitation
If Mitigated
Limited impact if proper network segmentation and file system permissions restrict access to critical files
🎯 Exploit Status
Directory traversal vulnerabilities are commonly exploited and require minimal technical skill
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.6.0.28 and later
Vendor Advisory: http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber=000045696
Restart Required: Yes
Instructions:
1. Download BlackBerry Workspaces Server version 2.6.0.28 or later from the BlackBerry support portal.
2. Back up the current configuration and data.
3. Install the update following the vendor documentation.
4. Restart the Workspaces Server service.
🔧 Temporary Workarounds
Input Validation Filter
Implement web application firewall rules to block directory traversal patterns in URLs
WAF specific - configure rules to block ../, ..\, and absolute path patterns
Network Segmentation
Restrict network access to Workspaces Server to trusted IP ranges only
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_IP_RANGE" port protocol="tcp" port="443" accept'
netsh advfirewall firewall add rule name="Restrict Workspaces" dir=in action=allow protocol=TCP localport=443 remoteip=TRUSTED_IP_RANGE
🧯 If You Can't Patch
- Implement strict file system permissions to limit web server account access to only necessary directories
- Deploy network-based intrusion detection to monitor for directory traversal attempts and block malicious IPs
🔍 How to Verify
Check if Vulnerable:
Check BlackBerry Workspaces Server version in administration console or via version file in installation directory
Check Version:
On Windows: Check registry at HKLM\SOFTWARE\BlackBerry\Workspaces\Version. On Linux: Check /opt/blackberry/workspaces/version.txt
Verify Fix Applied:
Confirm version is 2.6.0.28 or later and test with controlled directory traversal attempts
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests containing ../, ..\, or absolute path patterns
- Unusual file access patterns from web server account
- Failed authentication attempts followed by file access
Network Indicators:
- HTTP requests with encoded directory traversal sequences (%2e%2e%2f)
- Multiple POST requests to unusual file paths
SIEM Query:
source="workspaces_logs" AND (http_method="POST" AND (url="*../*" OR url="*..\\*" OR url="*/etc/*" OR url="*/windows/*"))
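The log indicators and SIEM query above, applied to constructed sample access-log lines as an added example (not code from the original page or from BlackBerry); the log line layout (method, path, status) and the decoding depth are assumptions and should be adapted to the real Workspaces log format:

```python
"""Detect directory-traversal indicators in web access logs (added example)."""
import re
from urllib.parse import unquote

# Indicators from the page: raw traversal sequences (../ and ..\) plus
# absolute paths into sensitive OS directories (/etc/, /windows/).
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|/etc/|/windows/)", re.IGNORECASE)

# Constructed sample lines in an assumed "METHOD PATH STATUS" layout.
SAMPLE_LOG = """\
POST /workspaces/upload?file=report.pdf 200
POST /workspaces/upload?file=..%2F..%2F..%2Fetc%2Fpasswd 200
GET /workspaces/static/logo.png 200
POST /workspaces/download?path=%252e%252e%252fwindows%252fwin.ini 404
POST /workspaces/upload?file=..\\..\\config.xml 200
"""


def normalise(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded %252e%252e becomes '..'.

    The SIEM query on the page matches only literal ../ and ..\\; decoding
    first also catches the %2e%2e%2f form listed under network indicators.
    """
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(method: str, path: str) -> bool:
    """Flag POST requests whose decoded path carries a traversal indicator."""
    return method == "POST" and bool(TRAVERSAL_RE.search(normalise(path)))


def scan_log(text: str) -> list[str]:
    """Return the raw log lines that match the page's POST-based indicators."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and is_traversal(parts[0], parts[1]):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("ALERT:", hit)
```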