===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.0121
       (Feb 2011) Potential security vulnerabilities in Lotus Notes
                          & Domino Flash (Alert)
                              7 February 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Lotus Notes & Domino 8.0
                   Lotus Notes & Domino 8.5
Publisher:         IBM
Operating System:  Windows
Impact/Access:     Denial of Service               -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21461514&myns=swglotus&mynp=OCSSKTMJ&mync=E

--------------------------BEGIN INCLUDED TEXT--------------------

(Feb 2011) Potential security vulnerabilities in Lotus Notes & Domino
 Flash (Alert)
 
Abstract

TippingPoint's Zero Day Initiative (ZDI) contacted IBM Lotus to report nine 
potential buffer overflow vulnerabilities in Lotus Notes and Domino. IBM Lotus 
has fixes for four of them, continues to investigate fixes for two, and cannot 
reproduce the remaining three, for which it is pursuing additional 
information.
 
Content

Most of these issues are buffer overflows whose primary effect is denial of 
service. To exploit them, an attacker would need to send maliciously malformed 
messages to the Lotus Domino server over one of the protocols listed below. 
In specific situations, however, arbitrary code execution is possible: in the 
case of ZDI-CAN-647 (SPR# PRAD82YJW2), malicious users could supply damaged 
cai::URIs to execute arbitrary code in Notes. Refer to the table for more 
information on each issue, including the SPR number for tracking purposes and, 
where applicable, fix availability.

For four of these nine, namely ZDI-CAN-373, ZDI-CAN-647, ZDI-CAN-758, 
ZDI-CAN-759, IBM Lotus has fixes. For two of these, ZDI-CAN-375 and 
ZDI-CAN-927, IBM has confirmed the issue and continues to pursue appropriate 
fixes. IBM Lotus is currently unable to reproduce the remaining three exploits 
based on the information provided by TippingPoint's ZDI.


TippingPoint     Description (IBM Lotus SPR #)
Reference #      Status
-----------      ------------------------------------------------------------

ZDI-CAN-375      Domino MIME stack overflow (SPR# KLYH889M8H)
                 Confirmed. Investigating fix.

ZDI-CAN-647      Notes cai URI Handler remote code execution vulnerability
                 (SPR# PRAD82YJW2)
                 Confirmed. Fixed in 8.0.2 FP6, 8.5.1 FP5, 8.5.2 and later
                 releases.

ZDI-CAN-373      Notes iCal stack overflow (SPR# KLYH87LL23)
                 Confirmed. Fixed in 8.5.3.

ZDI-CAN-758      Domino DIIOP remote code execution vulnerability
                 (SPR# KLYH87LML7)
                 Confirmed. Fixed in 8.5.3.

ZDI-CAN-759      Domino DIIOP remote code execution vulnerability
                 (SPR# KLYH87LM4S)
                 Confirmed. Fixed in 8.5.3.

ZDI-CAN-927      Domino Remote Console authentication bypass remote code
                 execution vulnerability (SPR# PRAD89WGRS)
                 Confirmed. Unsupported configuration with workaround
                 available.

ZDI-CAN-372      Domino Router stack overflow (SPR# KLYH87LKRE)
                 Unconfirmed. Unable to reproduce. Need more information.

ZDI-CAN-374      Domino IMAP and POP3 stack overflow (SPR# KLYH87LLVJ)
                 Unconfirmed. Unable to reproduce. Need more information.

ZDI-CAN-779      Domino LDAP bind request remote code execution vulnerability
                 (SPR# KLYH87LMVX)
                 Unconfirmed. Unable to reproduce. Need more information.


IBM targets 2Q2011 for release of Lotus Notes and Domino 8.5.3. You can track 
progress at the Notes/Domino Update Status page.

At time of publication, there currently are no known active exploits of these 
issues. However, if you encounter any of the unconfirmed issues, contact IBM 
Support with reproducible steps, referencing the related SPR number.

For additional information on these issues, you can access TippingPoint's 
ZDI advisories at the following link: 
http://www.zerodayinitiative.com/advisories


Workarounds:

For ZDI-CAN-927 (SPR# PRAD89WGRS), Domino does not support the use of UNC 
paths with the Remote Console. As a workaround, specify absolute paths.

For all others, there are currently no known workarounds to avoid these issues.


CVSS scoring for fixed & confirmed issues

The following CVSS scores are based on testing results observed by IBM*.

SPR KLYH87LL23 - Lotus Notes ICAL Stack Overflow

Security Rating using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score:             7.1
    Impact Subscore:         6.9
    Exploitability Subscore: 8.6
CVSS Temporal Score:         5.6
CVSS Environmental Score:    Undefined*
Overall CVSS Score:          5.6

Base Score Metrics:

    * Related exploit range/Attack Vector: Network
    * Access Complexity:                   Medium
    * Authentication:                      None
    * Confidentiality Impact:              None
    * Integrity Impact:                    None
    * Availability Impact:                 Complete

Temporal Score Metrics:

    * Exploitability:    Proof of Concept Code
    * Remediation Level: Official Fix
    * Report Confidence: Confirmed

References:

    * CVSS v2 Complete Documentation
    * CVSS v2 Online Calculator



SPR PRAD82YJW2 - Lotus Notes cai URI Handler Remote Code Execution

Security Rating using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score:             7.1
    Impact Subscore:         6.9
    Exploitability Subscore: 8.6
CVSS Temporal Score:         5.6
CVSS Environmental Score:    Undefined*
Overall CVSS Score:          5.6

Base Score Metrics:

    * Related exploit range/Attack Vector: Network
    * Access Complexity:                   Medium
    * Authentication:                      None
    * Confidentiality Impact:              None
    * Integrity Impact:                    None
    * Availability Impact:                 Complete

Temporal Score Metrics:

    * Exploitability:    Proof of Concept Code
    * Remediation Level: Official Fix
    * Report Confidence: Confirmed



SPR KLYH87LML7 - Lotus Domino DIIOP Remote Code Execution

Security Rating using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score:             6.9
    Impact Subscore:         10
CVSS Temporal Score:         3.4
CVSS Environmental Score:    Undefined*
Overall CVSS Score:          5.4

Base Score Metrics:

    * Related exploit range/Attack Vector: Local
    * Access Complexity:                   Medium
    * Authentication:                      None
    * Confidentiality Impact:              Complete
    * Integrity Impact:                    Complete
    * Availability Impact:                 Complete

Temporal Score Metrics:

    * Exploitability:    Proof of Concept Code
    * Remediation Level: Official Fix
    * Report Confidence: Confirmed



SPR KLYH889MH8 - Lotus Domino MIME Stack Overflow

Security Rating using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score:             7.1
    Impact Subscore:         6.9
CVSS Temporal Score:         6.1
CVSS Environmental Score:    Undefined*
Overall CVSS Score:          6.1

Base Score Metrics:

    * Related exploit range/Attack Vector: Network
    * Access Complexity:                   Medium
    * Authentication:                      None
    * Confidentiality Impact:              None
    * Integrity Impact:                    None
    * Availability Impact:                 Complete

Temporal Score Metrics:

    * Exploitability:    Proof of Concept Code
    * Remediation Level: Unavailable
    * Report Confidence: Confirmed


*The CVSS Environment Score is customer environment-specific and will 
ultimately impact the Overall CVSS score. Customers can evaluate the impact 
of this vulnerability in their environments by accessing the referenced links.
 
Related information
8.0.2 Fix Pack 6 Release Notice
8.5.1 Fix Pack 5 Release Notice
8.5.2 Release Notice
 
 
Cross Reference information

Segment                  Product        Component
Messaging Applications   Lotus Notes    Windows

IBM, the IBM logo and ibm.com are trademarks of International Business 
Machines Corp., registered in many jurisdictions worldwide. Other product and 
service names might be trademarks of IBM or other companies. A current list of 
IBM trademarks is available on the Web at "Copyright and trademark 
information" at www.ibm.com/legal/copytrade.shtml.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================