__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________
INFORMATION BULLETIN
Multiple Vulnerabilities in Lotus Notes and Domino
[CERT Advisory CA-2003-11]
March 27, 2003 21:00 GMT Number N-065
______________________________________________________________________________
PROBLEM: There are several vulnerabilites that exist in Lotus Notes,
Lotus iNotes, and Domino Web Server:
* Lotus iNotes vulnerable to buffer overflow via PresetFields
FolderName field
* Lotus Domino Web Server vulnerable to denial-of-service via
incomplete POST request
* Lotus iNotes vulnerable to buffer overflow via PresetFields
s_ViewName field
* Lotus Domino Web Server vulnerable to buffer overflow via
non-existent "h_SetReturnURL" parameter with an overly long
"Host Header" field
* Lotus Notes and Domino COM Object Control Handler contains
buffer overflow
* Lotus Domino Server susceptible to a pre-authentication buffer
overflow during Notes authentication
* Lotus Domino Web Retriever contains a buffer overflow
vulnerability
* Lotus Domino R5 Server Family contains multiple vulnerabilities
in LDAP handling code
PLATFORM: * Lotus Notes and Domino versions prior to 5.0.12 and 6.0 Gold
* Lotus Domino 5.0.12, 6.0.1 and prior versions
DAMAGE: The impact of these vulnerabilities range from denial of
service to data corruption and the potential to execute
arbitrary code.
SOLUTION: Upgrade or apply patches as indicated in CERT's VU notes.
______________________________________________________________________________
VULNERABILITY The risk is MEDIUM. There are several vulnerabilities addressed
ASSESSMENT: in this bulletin, from denial-of-service to potential for
executing arbitrary code, depending on configuration.
______________________________________________________________________________
LINKS:
CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/n-065.shtml
ORIGINAL BULLETIN: http://www.cert.org/advisories/CA-2003-11.html
______________________________________________________________________________
[***** Start CERT Advisory CA-2003-11 *****]
CERT Advisory CA-2003-11 Multiple Vulnerabilities in Lotus Notes and Domino
Original release date: March 26, 2003
Last revised: --
Source: CERT/CC
A complete revision history can be found at the end of this file.
Systems Affected
* Lotus Notes and Domino versions prior to 5.0.12 and 6.0 Gold
* VU#571297 affects 5.0.12, 6.0.1 and prior versions.
Overview
Multiple vulnerabilities have been reported to affect Lotus Notes
clients and Domino servers. Multiple reporters, the close timing, and
some ambiguity caused confusion about what releases are vulnerable. We
are issuing this advisory to help clarify the details of the
vulnerabilities, the versions affected, and the patches that resolve
these issues.
I. Description
In February 2003, NGS Software released several advisories detailing
vulnerabilities affecting Lotus Notes and Domino. The following
vulnerabilities reported by NGS Software affect versions of Lotus
Domino prior to 5.0.12 and 6.0:
VU#206361 - Lotus iNotes vulnerable to buffer overflow via
PresetFields FolderName field
Lotus Technical Documentation: KSPR5HUQ59
NGS Software's Advisory: NISR17022003b
VU#355169 - Lotus Domino Web Server vulnerable to denial of service
via incomplete POST request
Lotus Technical Documentation: KSPR5HTQHS
NGS Software's Advisory: NISR17022003d
VU#542873 - Lotus iNotes vulnerable to buffer overflow via
PresetFields s_ViewName field
Lotus Technical Documentation: KSPR5HUPEK
NGS Software's Advisory: NISR17022003b
VU#772817 - Lotus Domino Web Server vulnerable to buffer overflow
via non-existent "h_SetReturnURL" parameter with an overly long
"Host Header" field
Lotus Technical Documentation: KSPR5HTLW6
NGS Software's Advisory: NISR17022003a
The following vulnerability reported by NGS Software affects versions
of Lotus Domino up to and including 5.0.12 and 6.0.1:
VU#571297 - Lotus Notes and Domino COM Object Control Handler
contains buffer overflow
Lotus Technical Documentation: SWG21104543
NGS Software's Advisory: NISR17022003e
VU#571297 was originally reported as a vulnerability in an iNotes
ActiveX control. The vulnerable code is not specific to iNotes or
ActiveX. The iNotes ActiveX control was an attack vector for the
vulnerability and is not the affected code base. Because this issue is
not specific to ActiveX, Lotus Notes clients and Domino Servers
running on platforms other than Microsoft Windows may be affected.
In March 2003, Rapid7, Inc. released several advisories. The following
vulnerabilities, reported by Rapid7, Inc., affect versions of Lotus
Domino prior to 5.0.12:
VU#433489 - Lotus Domino Server susceptible to a pre-authentication
buffer overflow during Notes authentication
Lotus Technical Documentation: DBAR5CJJJS
Rapid7, Inc.'s Advisory: R7-0010
VU#411489 - Lotus Domino Web Retriever contains a buffer overflow
vulnerability
Lotus Technical Documentation: KSPR5DFJTR
Rapid7, Inc.'s Advisory: R7-0011
Rapid7, Inc. also discovered that Lotus Domino pre-release and beta
versions of 6.0 were also affected by the following vulnerability:
VU#583184 - Lotus Domino R5 Server Family contains multiple
vulnerabilities in LDAP handling code
Lotus Technical Documentation: DWUU4W6NC8
Rapid7, Inc.'s Advisory: R7-0012
VU#583184 was a regression of the PROTOS LDAP Test-Suite from
CA-2001-18 and was originally fixed in 5.0.7a.
II. Impact
The impact of these vulnerabilities range from denial of service to
data corruption and the potential to execute arbitrary code. For
details about the impact of a specific vulnerability, please see the
related vulnerability note.
III. Solution
Upgrade
Most of these vulnerabilities are resolved in versions 5.0.12 and
6.0.1 of Lotus Domino.
Only VU#571297, "Lotus Notes and Domino COM Object Control Handler
contains buffer overflow," is not resolved in 5.0.12, or 6.0.1.
Critical Fix 1 for 6.0.1 was released on March 18, 2003, to resolve
this issue for both the Notes client and Domino server.
Apply a patch
Patches are available for some vulnerabilities. Please view the
individual vulnerability notes for specific patch information.
Block access from outside the network perimeter
Lotus Domino servers listen on port 1352/TCP. Notes may also be
configured to listen on other ports, such as NETBIOS, SPX, or XPC.
Blocking access to these ports from machines outside your trusted
network perimeter may help mitigate successful exploitation of these
vulnerabilities.
Appendix A - References
1. http://www.kb.cert.org/vuls/id/571297
2. http://www.kb.cert.org/vuls/id/206361
3. http://www.ibm.com/Search?v=11</=en&cc=us&q=KSPR5HUQ59
4. http://www.nextgenss.com/advisories/lotus-inotesoflow.txt
5. http://www.kb.cert.org/vuls/id/355169
6. http://www.ibm.com/Search?v=11</=en&cc=us&q=KSPR5HTQHS
7. http://www.nextgenss.com/advisories/lotus-60dos.txt
8. http://www.kb.cert.org/vuls/id/542873
9. http://www.ibm.com/Search?v=11</=en&cc=us&q=KSPR5HUPEK
10. http://www.nextgenss.com/advisories/lotus-inotesoflow.txt
11. http://www.kb.cert.org/vuls/id/772817
12. http://www.ibm.com/Search?v=11</=en&cc=us&q=KSPR5HTLW6
13. http://www.nextgenss.com/advisories/lotus-hostlocbo.txt
14. http://www.kb.cert.org/vuls/id/571297
15. http://www.ibm.com/Search?v=11</=en&cc=us&q=swg21104543
16. http://www.nextgenss.com/advisories/lotus-inotesclientaxbo.txt
17. http://www.kb.cert.org/vuls/id/433489
18. http://www.ibm.com/Search?v=11</=en&cc=us&q=DBAR5CJJJS
19. http://www.rapid7.com/advisories/R7-0010.html
20. http://www.kb.cert.org/vuls/id/411489
21. http://www.ibm.com/Search?v=11</=en&cc=us&q=KSPR5DFJTR
22. http://www.rapid7.com/advisories/R7-0011.html
23. http://www.kb.cert.org/vuls/id/583184
24. http://www.ibm.com/Search?v=11</=en&cc=us&q=DWUU4W6NC8
25. http://www.rapid7.com/advisories/R7-0012.html
26. http://www.kb.cert.org/vuls/id/583184
27. http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/
28. http://www.cert.org/advisories/CA-2001-18.html
29. http://www.kb.cert.org/vuls/id/571297
30. http://www-10.lotus.com/ldd/r5fixlist.nsf/80bff5d07b4be477052569ce0
0710588/8bc951d3ff1e578385256ce10052a78a?OpenDocument
_________________________________________________________________
Our thanks to NGS Software and Rapid7, Inc. for discovering and
reporting on these vulnerabilities. We also thank the Lotus Security
Team for aiding in the resolution and clarification of these issues.
_________________________________________________________________
Feedback on this document can be directed to the author,
Jason A. Rafail.
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-2003-11.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo@cert.org. Please include in the body of your
message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2003 Carnegie Mellon University.
Revision History
Mar 26, 2003: Initial release
[***** End CERT Advisory CA-2003-11 *****]
_______________________________________________________________________________
CIAC wishes to acknowledge the contributions of CERT Coordination Center for the
information contained in this bulletin.
_______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7x24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
N-055: Samba smbd Buffer Overrun Vulnerability
N-056: Red Hat Updated 2.4 Kernel Fix for ptrace Vulnerability
N-057: Cryptographic weaknesses in Kerberos v4 protocol
N-058: Vulnerabilities in Webmin/Usermin
N-059: Integer overflow in Sun RPC XDR library routines
N-060: Vulnerabilities in Tomcat 3.3.1
N-061: OpenSSL Timing-based Attacks on RSA Keys
N-062: MIT krb5 Buffer overrun and underrun in Principal Name Handling
N-063: Microsoft Windows Script Engine Vulnerability
N-064: Sun Buffer Overflow in Web Connector Module of Application Server
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH
