-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.0121
   (Feb 2011) Potential security vulnerabilities in Lotus Notes & Domino
                                Flash (Alert)
                               7 February 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Lotus Notes & Domino 8.0
                   Lotus Notes & Domino 8.5
Publisher:         IBM
Operating System:  Windows
Impact/Access:     Denial of Service                -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands  -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin:
  http://www-01.ibm.com/support/docview.wss?uid=swg21461514&myns=swglotus&mynp=OCSSKTMJ&mync=E

- --------------------------BEGIN INCLUDED TEXT--------------------

(Feb 2011) Potential security vulnerabilities in Lotus Notes & Domino
Flash (Alert)

Abstract

TippingPoint's Zero Day Initiative (ZDI) contacted IBM Lotus to report nine
potential buffer overflow vulnerabilities in Lotus Notes and Domino; for four
of which IBM Lotus has fixes, two of which IBM Lotus continues to investigate
a fix, and three of which IBM Lotus cannot reproduce and is pursuing
additional information.

Content

Most of these attacks represent denial of service attacks by buffer overflow.
To exploit these vulnerabilities, an attacker would need to send maliciously
malformed messages to the Lotus Domino server over a variety of protocols as
indicated below. However, in specific situations, there exists the possibility
to execute arbitrary code. In the case of ZDI-CAN-647 (SPR# PRAD82YJW2),
malicious users could supply damaged cai::URIs to facilitate execution of
arbitrary code in Notes. Refer to the table for more information on each,
including the SPR number for tracking purposes and, where applicable, fix
availability.
For four of these nine, namely ZDI-CAN-373, ZDI-CAN-647, ZDI-CAN-758 and
ZDI-CAN-759, IBM Lotus has fixes. For two of these, ZDI-CAN-375 and
ZDI-CAN-927, IBM has confirmed the issue and continues to pursue appropriate
fixes. IBM Lotus is currently unable to reproduce the remaining three exploits
based on the information provided by TippingPoint's ZDI.

TippingPoint   Description                            IBM Lotus    Status
Reference #                                           SPR #

ZDI-CAN-375    Domino MIME stack overflow             KLYH889M8H   Confirmed. Investigating fix.

ZDI-CAN-647    Notes cai URI Handler remote code      PRAD82YJW2   Confirmed. Fixed in 8.0.2 FP6,
               execution vulnerability                             8.5.1 FP5, 8.5.2 and later
                                                                   releases

ZDI-CAN-373    Notes iCal stack overflow              KLYH87LL23   Confirmed. Fixed in 8.5.3

ZDI-CAN-758    Domino DIIOP remote code execution     KLYH87LML7   Confirmed. Fixed in 8.5.3
               vulnerability

ZDI-CAN-759    Domino DIIOP remote code execution     KLYH87LM4S   Confirmed. Fixed in 8.5.3
               vulnerability

ZDI-CAN-927    Domino Remote Console authentication   PRAD89WGRS   Confirmed. Unsupported
               bypass remote code execution                        configuration with workaround
               vulnerability                                       available.

ZDI-CAN-372    Domino Router stack overflow           KLYH87LKRE   Unconfirmed. Unable to
                                                                   reproduce. Need more
                                                                   information.

ZDI-CAN-374    Domino IMAP and POP3 stack overflow    KLYH87LLVJ   Unconfirmed. Unable to
                                                                   reproduce. Need more
                                                                   information.

ZDI-CAN-779    Domino LDAP bind request remote code   KLYH87LMVX   Unconfirmed. Unable to
               execution vulnerability                             reproduce. Need more
                                                                   information.

IBM targets 2Q2011 for release of Lotus Notes and Domino 8.5.3. You can track
progress at the Notes/Domino Update Status page.

At time of publication, there currently are no known active exploits of these
issues. However, if you encounter any of the unconfirmed issues, contact IBM
Support with reproducible steps, referencing the related SPR number.
For additional information on these issues, you can access the TippingPoint's
ZDI advisories at the following link:
http://www.zerodayinitiative.com/advisories

Workarounds:

For ZDI-CAN-927 (SPR# PRAD89WGRS), Domino does not support use of UNC paths
for usage with Remote Console. As a workaround, you should specify absolute
paths.

For all others, there are currently no known workarounds to avoid these
issues.

CVSS scoring for fixed & confirmed issues

The following CVSS scores are based on testing results observed by IBM*.

SPR KLYH87LL23 - Lotus Notes ICAL Stack Overflow
Security Rating using Common Vulnerability Scoring System (CVSS) v2

CVSS Base Score:                  < 7.1 >
- ---- Impact Subscore:           < 6.9 >
- ---- Exploitability Subscore:   < 8.6 >
CVSS Temporal Score:              < 5.6 >
CVSS Environmental Score:         < Undefined* >
Overall CVSS Score:               < 5.6 >

Base Score Metrics:
  * Related exploit range/Attack Vector:  < Network >
  * Access Complexity:                    < Medium >
  * Authentication:                       < None >
  * Confidentiality Impact:               < None >
  * Integrity Impact:                     < None >
  * Availability Impact:                  < Complete >

Temporal Score Metrics:
  * Exploitability:     < Proof of Concept Code >
  * Remediation Level:  < Official Fix >
  * Report Confidence:  < Confirmed >

References:
  * CVSS v2 Complete Documentation
  * CVSS v2 Online Calculator

SPR PRAD82YJW2 - Lotus Notes cai URI Handler Remote Code Execution
Security Rating using Common Vulnerability Scoring System (CVSS) v2

CVSS Base Score:                  < 7.1 >
- ---- Impact Subscore:           < 6.9 >
- ---- Exploitability Subscore:   < 8.6 >
CVSS Temporal Score:              < 5.6 >
CVSS Environmental Score:         < Undefined* >
Overall CVSS Score:               < 5.6 >

Base Score Metrics:
  * Related exploit range/Attack Vector:  < Network >
  * Access Complexity:                    < Medium >
  * Authentication:                       < None >
  * Confidentiality Impact:               < None >
  * Integrity Impact:                     < None >
  * Availability Impact:                  < Complete >

Temporal Score Metrics:
  * Exploitability:     < Proof of Concept Code >
  * Remediation Level:  < Official Fix >
  * Report Confidence:  < Confirmed >

References:
  * CVSS v2 Complete Documentation
  * CVSS v2 Online Calculator

SPR KLYH87LML7 - Lotus Domino DIIOP Remote Code Execution
Security Rating using Common Vulnerability Scoring System (CVSS) v2

CVSS Base Score:                  < 6.9 >
- ---- Impact Subscore:           < 10 >
CVSS Temporal Score:              < 3.4 >
CVSS Environmental Score:         < Undefined* >
Overall CVSS Score:               < 5.4 >

Base Score Metrics:
  * Related exploit range/Attack Vector:  < Local >
  * Access Complexity:                    < Medium >
  * Authentication:                       < None >
  * Confidentiality Impact:               < Complete >
  * Integrity Impact:                     < Complete >
  * Availability Impact:                  < Complete >

Temporal Score Metrics:
  * Exploitability:     < Proof of Concept Code >
  * Remediation Level:  < Official Fix >
  * Report Confidence:  < Confirmed >

References:
  * CVSS v2 Complete Documentation
  * CVSS v2 Online Calculator

SPR KLYH889MH8 - Lotus Domino MIME Stack Overflow
Security Rating using Common Vulnerability Scoring System (CVSS) v2

CVSS Base Score:                  < 7.1 >
- ---- Impact Subscore:           < 6.9 >
CVSS Temporal Score:              < 6.1 >
CVSS Environmental Score:         < Undefined* >
Overall CVSS Score:               < 6.1 >

Base Score Metrics:
  * Related exploit range/Attack Vector:  < Network >
  * Access Complexity:                    < Medium >
  * Authentication:                       < None >
  * Confidentiality Impact:               < None >
  * Integrity Impact:                     < None >
  * Availability Impact:                  < Complete >

Temporal Score Metrics:
  * Exploitability:     < Proof of Concept Code >
  * Remediation Level:  < Unavailable >
  * Report Confidence:  < Confirmed >

References:
  * CVSS v2 Complete Documentation
  * CVSS v2 Online Calculator

*The CVSS Environment Score is customer environment-specific and will
ultimately impact the Overall CVSS score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the referenced links.
Related information

  8.0.2 Fix Pack 6 Release Notice
  8.5.1 Fix Pack 5 Release Notice
  8.5.2 Release Notice

Cross Reference information

Segment                  Product        Component
Messaging Applications   Lotus Notes    Windows

IBM, the IBM logo and ibm.com are trademarks of International Business
Machines Corp., registered in many jurisdictions worldwide. Other product and
service names might be trademarks of IBM or other companies. A current list of
IBM trademarks is available on the Web at "Copyright and trademark
information" at www.ibm.com/legal/copytrade.shtml.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.
Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFNT4Cm/iFOrG6YcBERArp/AKDMSyqS6u5fhW5MUFD03FUGN61SkACg14Hm
JuauSbGMGg38tf4j/VbUN14=
=ztfh
-----END PGP SIGNATURE-----