===========================================================================
             AUSCERT External Security Bulletin Redistribution

                     ESB-2008.0376 -- [Win][UNIX/Linux]
      Potential security vulnerabilities in Lotus Notes file viewers
                               10 April 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Lotus Notes 8, 7, 6 and 5
                      Autonomy KeyView Export/Filter/Viewing SDK 10
                      Verity KeyView Export/Filter/Viewer SDK 9, 8 and 7
Publisher:            IBM
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-1101 CVE-2008-0066 CVE-2007-6020
                      CVE-2007-5406 CVE-2007-5405 CVE-2007-5399

Original Bulletin:    http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21298453

Comment: The vulnerabilities affecting Lotus Notes also affect Autonomy
         KeyView and Verity KeyView products.

--------------------------BEGIN INCLUDED TEXT--------------------

Potential security vulnerabilities in Lotus Notes file viewers for Applix
Presents, Folio Flat File, HTML speed reader, KeyView and MIME

Technote

Secunia contacted IBM Lotus to report several potential buffer overflow
vulnerabilities in Lotus Notes. In specific situations, there exists the
possibility to execute arbitrary code.

To exploit these vulnerabilities, an attacker would have to send a
specially crafted file attachment to users, and the users would then have
to double-click and "View" the attachment.

These issues are relative to the following file attachment types:

  - Applix Presents (.ag)
  - Folio Flat File (.fff)
  - HTML speed reader (.htm)
  - KeyView document viewing engine
  - Text mail (MIME)

You can access the advisory at the following link:
http://secunia.com/advisories/28210

These issues were reported to Lotus Quality Engineering and the technology
vendor involved has provided software updates.
These vulnerabilities are currently being addressed with a patch and are
targeted to be included in the next major release.

Refer to the table below for details on the issues and the associated
Lotus SPR tracking number. The issues vary depending on the file
attachment type, but are all related in how the buffer overflow denial of
service could be accomplished. In all cases, the issues involve viewing a
malicious attached file.

===========================================================================
File Format            | Associated      | Lotus SPR      | Additional
                       | Keyview dll     | Tracking #     | Details
===========================================================================
Applix Presents (.ag)  | kpagrdr.dll     | PRAD79EMMB     |
===========================================================================
Folio Flat File (.fff) | foliosr.dll     | PRAD7AM3LG     |
===========================================================================
HTML Speed Reader      | htmsr.dll       | PRAD7AP563     | Lotus Notes 8.0
(.htm)                 |                 |                | and higher is
                       |                 |                | not vulnerable
===========================================================================
KeyView document       | kvdocve.dll     | PRAD7AP563     | Lotus Notes 8.0
viewing engine, which  |                 |                | and higher is
is used for viewing    |                 |                | not vulnerable
html attachments       |                 |                |
===========================================================================
Text mail (MIME)       | mimesr.dll -    | PRAD78SMQM and |
                       | used by Lotus   | PRAD78SN3A     |
                       | Notes prior     |                |
                       | to release 8.0  |                |
                       |                 |                |
                       | emlsr.dll - is  |                |
                       | used by Lotus   |                |
                       | Notes 8.0 or    |                |
                       | higher          |                |
===========================================================================

Note: This issue impacts the Lotus Notes client only; it does not impact
the Domino server.

Workarounds for Notes 6.x, 7.x, and 8.x client versions:

Option 1: Contact IBM Support to obtain the patch for the Notes client.
Option 2: Alternately, you can disable the affected file viewers by
following one of the options in the "How to disable viewers within Lotus
Notes" section of this technote.

Workaround for Notes 5.x client versions:

If you are interested in protecting yourself from these vulnerabilities,
we recommend disabling the viewers as described in the "How to Disable
Viewers within Lotus Notes" section of this technote. There is no software
fix available for the 5.x Notes client version.

How to disable viewers within Notes:

Option 1 : Delete the keyview.ini file in the Notes program directory.
This disables ALL viewers. When a user clicks View (for any file), a
dialog box will display with the message "Unable to locate the viewer
configuration file."

Option 2 : Delete the problem .dll file. When a user tries to view the
specific file type, a dialog box will display with the message "The viewer
display window could not be initialized." All other file types work
without returning the error message.

Option 3 : Comment out specific lines in keyview.ini for any references to
the problem file (dll). To comment a line, you precede it with a
semi-colon (;). When a user tries to view the specific file type, a dialog
box will display with the message "The viewer display window could not be
initialized."

For example:

    [KVARCVE]
    ; 35=lasr.dll

Additional Background

In general, users are strongly urged to use caution when opening or
viewing unsolicited file attachments. The attachments will not
auto-execute upon opening or previewing the email message; the file
attachment must be opened by the user using one of the mentioned file
viewers. In some cases, further user action is also required to trigger
the exploit.
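
Option 3 of "How to disable viewers within Notes", sketched in Python as an added example (not part of the IBM technote or the AusCERT bulletin): it comments out every active keyview.ini entry that references one of the DLLs in the table above and keeps a backup. The sample file contents, the [SAMPLE] section name and the helper names are constructed for illustration.

```python
import re
import shutil

# Viewer DLLs listed in the bulletin's table of affected file formats.
AFFECTED_DLLS = frozenset({"kpagrdr.dll", "foliosr.dll", "htmsr.dll",
                           "kvdocve.dll", "mimesr.dll", "emlsr.dll"})

# Constructed sample: the [SAMPLE] section, the keys, the path and
# othersr.dll are illustrative, not taken from a real keyview.ini.
SAMPLE_INI = ("[KVARCVE]\r\n; 35=lasr.dll\r\n[SAMPLE]\r\n1=kpagrdr.dll\r\n"
              "2=HTMSR.DLL\r\n; 3=mimesr.dll\r\n"
              "4=C:\\notes\\kvdocve.dll\r\n5=othersr.dll\r\n")


def entry_dll(line):
    """Return the lower-cased DLL file name of an active key=value entry,
    or None for blank lines, section headers and ';' comments."""
    s = line.strip()
    if not s or s[0] in ";[" or "=" not in s:
        return None
    value = s.split("=", 1)[1].strip()
    return re.split(r"[\\/]", value)[-1].lower()


def disable_viewers(ini_text, dlls=AFFECTED_DLLS):
    """Comment out (';') every active entry that references one of `dlls`.
    Returns (new_text, [(section, entry), ...]); line endings are kept."""
    wanted = {d.lower() for d in dlls}
    out, disabled, section = [], [], None
    for line in ini_text.splitlines(keepends=True):
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1]
        if entry_dll(line) in wanted:
            disabled.append((section, s))
            line = "; " + line
        out.append(line)
    return "".join(out), disabled


def apply_to_file(path):
    """Rewrite a keyview.ini in place, saving the original as <path>.bak."""
    with open(path, newline="", encoding="latin-1") as fh:
        original = fh.read()
    updated, disabled = disable_viewers(original)
    if disabled:
        shutil.copy2(path, path + ".bak")
        with open(path, "w", newline="", encoding="latin-1") as fh:
            fh.write(updated)
    return disabled
```

Running it a second time changes nothing, because entries that already start with a semi-colon are skipped.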

Security Rating using Common Vulnerability Scoring System (CVSS) v2

CVSS Base Score: < 9.3 >
---- Impact Subscore: < 10 >
---- Exploitability Subscore: < 8.6 >
CVSS Temporal Score: < 7.3 >
CVSS Environmental Score: < Undefined* >
Overall CVSS Score: < 7.3 >

Base Score Metrics:
  * Related exploit range/Attack Vector: < Network >
  * Access Complexity: < Medium >
  * Authentication < None >
  * Confidentiality Impact: < Complete >
  * Integrity Impact: < Complete >
  * Availability Impact: < Complete >

Temporal Score Metrics:
  * Exploitability: < Proof of Concept Code>
  * Remediation Level: < Official Fix >
  * Report Confidence: < Confirmed >

References:
  * CVSS v2 Complete Documentation
  * CVSS v2 Online Calculator

*The CVSS Environment Score is customer environment-specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the
impact of this vulnerability in their environments by accessing the
referenced links.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================