TUCoPS :: Windows Apps :: ciack062.htm

Vulnerabilities in Lotus Notes Domino Aired at DefCon 8
Vulnerabilities in Lotus Notes Domino Aired at DefCon 8 Privacy and Legal Notice

CIAC INFORMATION BULLETIN

K-062: Vulnerabilities in Lotus Notes Domino Aired at DefCon 8

 August 2, 2000 01:00 GMT 
PROBLEM:       At the DefCon 8 convention in Las Vegas, NV (July 28-30, 2000)
               some consultants described and demonstrated vulnerabilities in
               Lotus Notes Domino. The vulnerabilities involve poor encryption
               on the http password, cached passwords, and a vulnerability to
               malicious code when Internet Explorer is used as the reader.
               The first two vulnerabilities require physical access to the
               machine being attacked while the last concerns problems generic
               to Internet Explorer.
PLATFORM:      Lotus Notes Domino Servers and Clients.
DAMAGE:        Intruders can gain access to a user’s account.
SOLUTION:      Upgrade the encryption of the Notes http passwords, do not
               leave a system unattended while it is logged into Notes, and do
               not run applications that are unexpectedly attached to web
               pages or mail documents. See the note below and the Lotus
               security pages (www.lotus.com/security) for more details.

VULNERABILITY  Low - These vulnerabilities require physical access to the
ASSESSMENT:    machine being attacked or they require that you allow malicious
               applets and attachments to run.
[Response from Lotus to the assertions made at the DefCon 8 conference.]

Comments on DefCon 8.0 Presentation on Domino Security Vulnerability

Lotus is aware that DefCon 8.0 in Las Vegas featured a presentation by consultants describing security attacks against Lotus Notes and Domino. Several of the scenarios focus on poor security administration and some involve new exploits. At Lotus, we are committed to security and encourage administrators to thoroughly examine possible risks and implement precautions to keep their Domino environment secure. For further information on Domino security guidelines and preventative measures, please consult the on line documentation and visit the ITCentral security zone at www.lotus.com/security.

The scenarios raised in the DefCon presentation can be categorized into four main areas:

Assertion 1: The encryption key used to unlock a user's Notes ID can be derived from the default format used to store the HTTP password in the person document.

    Preconditions: This vulnerability does not affect all Notes/Domino installations and can be easily prevented. In order for this type of exploit to be successful, all of the following conditions must be met:

    1. a user has access to a Domino server from both Notes client and web client

    2. their Notes ID password and http password are identical

    3. the http password is stored in the default format

    4. a malicious user has access to the users workstation

    5. and access to sophisticated programming tools........ THEN the malicious user can impersonate a user.

    Solution: System administrators can easily upgrade to a stronger http password format using a tool introduced in R4.6. To do so, select all person documents in the Domino Directory (names.nsf), and then from the menu, select Actions\Upgrade to More Secure Internet Password Format.

Assertion 2: Using F5 to lock the Notes ID (or specifying a timeout for the Notes ID) does not completely clear the password in all situations. In certain circumstances, Notes API programs running on the local workstation can access files using the cached credentials. These credentials allow background replication and agent execution to take place unattended.

    Preconditions: This problem affects any program, not just Notes, running on an operating system that does not support protected memory segments. A malicious user must have physical access to the workstation and sophisticated programming tools must be used.

    Solution: When workstation is left unattended, either exit the Notes client or lock the workstation using the operating system.


Assertion 3: Notes does not provide additional security when a) using Notes with Internet Explorer as your browser and/or b) when launching attachments with Internet Explorer configured as the default browser in Windows beyond the Internet Explorer ActiveX warnings.

    Preconditions: When the default browser in Notes is configured to use "Notes with Internet Explorer", it is subject to the types of attacks that can affect Internet Explorer as a stand-alone product. If the user ignores ActiveX warnings generated by Internet Explorer (example shown below), the user may be vulnerable to malicious active content.




    If executable attachments are sent via email, use caution in executing them. Once an attachment has been detached or launched, it is no longer subject to ECL controls and is dependent on the operating system.

    Solution: Do not launch or run executable code or any kind from unknown/untrusted sources. Do not ignore security warnings from the Notes ECL or from Internet Explorer ActiveX controls. In Notes, attachments can be Viewed instead of Launched or Detached.


The remainder of the presentation focused on recommendations for securing Notes and Domino environments, and reiterated many best practices as documented by Lotus. Notes and Domino provide a range of security options to allow systems administrators to configure their environment according to their needs. Information on how best to configure security options for a particular environment or situation are described in the Lotus Notes and Domino documentation, articles on Notes.net, white papers, Lotusphere presentations, redbooks and in Knowledge Base technotes.

Lotus recommends that administrators review these resources and make appropriate configuration decisions based on their environment and security policies. For reference, visit the Technical Library on Security at www.lotus.com/security

In particular, the following links are excellent starting points:

[End of Lotus Response]
CIAC wishes to acknowledge the contributions of Lotus Development for the information contained in this bulletin.
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at: 
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@llnl.gov
    World Wide Web:  http://www.ciac.org/
                     http://ciac.llnl.gov
                     (same machine -- either one will work)
    Anonymous FTP:   ftp.ciac.org
                     ciac.llnl.gov
                     (same machine -- either one will work)
This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788
[Privacy and Legal Notice]

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH