BSRT-2013-003 Possible remote code execution on BES 5

Security advisory BSRT-2013-003 has been released by BlackBerry.

Vulnerabilities have been found in components that process TIFF images. They could allow an attacker to execute code on the BlackBerry Enterprise Server (BES) with the privileges of the service account.

Vulnerabilities exist in how the BlackBerry MDS Connection Service and the BlackBerry Messaging Agent process TIFF images for rendering on the BlackBerry smartphone. Successful exploitation of any of these vulnerabilities might allow an attacker to gain access to and execute code on the BlackBerry Enterprise Server. Depending on the privileges available to the configured BlackBerry Enterprise Server service account, the attacker might also be able to extend access to other non-segmented parts of the network.

You can protect your environment by installing an interim security update or by installing the freshly released BlackBerry Enterprise Server version 5.0.4 MR2.

Refer to BSRT-2013-003 for all the relevant details.