
Multiple Vulnerabilities in Lotus Notes and Domino (CIAC N-065)

             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

               Multiple Vulnerabilities in Lotus Notes and Domino
                           [CERT Advisory CA-2003-11]

March 27, 2003 21:00 GMT                                          Number N-065
______________________________________________________________________________
PROBLEM:       There are several vulnerabilities that exist in Lotus Notes, 
               Lotus iNotes, and Domino Web Server: 
               * Lotus iNotes vulnerable to buffer overflow via PresetFields 
                 FolderName field 
               * Lotus Domino Web Server vulnerable to denial-of-service via 
                 incomplete POST request 
               * Lotus iNotes vulnerable to buffer overflow via PresetFields 
                 s_ViewName field 
               * Lotus Domino Web Server vulnerable to buffer overflow via 
                 non-existent "h_SetReturnURL" parameter with an overly long 
                 "Host Header" field 
               * Lotus Notes and Domino COM Object Control Handler contains 
                 buffer overflow 
               * Lotus Domino Server susceptible to a pre-authentication buffer 
                 overflow during Notes authentication 
               * Lotus Domino Web Retriever contains a buffer overflow 
                 vulnerability 
               * Lotus Domino R5 Server Family contains multiple vulnerabilities 
                 in LDAP handling code 
PLATFORM:      * Lotus Notes and Domino versions prior to 5.0.12 and 6.0 Gold 
               * Lotus Domino 5.0.12, 6.0.1 and prior versions 
DAMAGE:        The impact of these vulnerabilities ranges from denial of 
               service to data corruption and the potential to execute 
               arbitrary code. 
SOLUTION:      Upgrade or apply patches as indicated in CERT's VU notes. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. There are several vulnerabilities addressed 
ASSESSMENT:    in this bulletin, from denial-of-service to potential for 
               executing arbitrary code, depending on configuration. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-065.shtml 
 ORIGINAL BULLETIN:  http://www.cert.org/advisories/CA-2003-11.html 
______________________________________________________________________________

[***** Start CERT Advisory CA-2003-11 *****]

CERT Advisory CA-2003-11 Multiple Vulnerabilities in Lotus Notes and Domino

   Original release date: March 26, 2003
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

     * Lotus Notes and Domino versions prior to 5.0.12 and 6.0 Gold
     * VU#571297 affects 5.0.12, 6.0.1 and prior versions.

Overview

   Multiple  vulnerabilities  have  been  reported  to affect Lotus Notes
   clients  and Domino servers. Multiple reporters, the close timing, and
   some ambiguity caused confusion about what releases are vulnerable. We
   are  issuing  this  advisory  to  help  clarify  the  details  of  the
   vulnerabilities,  the  versions affected, and the patches that resolve
   these issues.

I. Description

   In  February  2003, NGS Software released several advisories detailing
   vulnerabilities  affecting  Lotus  Notes  and  Domino.  The  following
   vulnerabilities  reported  by  NGS  Software  affect versions of Lotus
   Domino prior to 5.0.12 and 6.0:

     VU#206361   -  Lotus  iNotes  vulnerable  to  buffer  overflow  via
     PresetFields FolderName field
     Lotus Technical Documentation: KSPR5HUQ59
     NGS Software's Advisory: NISR17022003b

     VU#355169 - Lotus Domino Web Server vulnerable to denial of service
     via incomplete POST request
     Lotus Technical Documentation: KSPR5HTQHS
     NGS Software's Advisory: NISR17022003d

     VU#542873   -  Lotus  iNotes  vulnerable  to  buffer  overflow  via
     PresetFields s_ViewName field
     Lotus Technical Documentation: KSPR5HUPEK
     NGS Software's Advisory: NISR17022003b

     VU#772817  -  Lotus Domino Web Server vulnerable to buffer overflow
     via  non-existent  "h_SetReturnURL"  parameter  with an overly long
     "Host Header" field
     Lotus Technical Documentation: KSPR5HTLW6
     NGS Software's Advisory: NISR17022003a

   The  following vulnerability reported by NGS Software affects versions
   of Lotus Domino up to and including 5.0.12 and 6.0.1:

     VU#571297  -  Lotus  Notes  and  Domino  COM Object Control Handler
     contains buffer overflow
     Lotus Technical Documentation: SWG21104543
     NGS Software's Advisory: NISR17022003e

   VU#571297  was  originally  reported  as  a vulnerability in an iNotes
   ActiveX  control.  The  vulnerable  code  is not specific to iNotes or
   ActiveX.  The  iNotes  ActiveX  control  was  an attack vector for the
   vulnerability and is not the affected code base. Because this issue is
   not  specific  to  ActiveX,  Lotus  Notes  clients  and Domino Servers
   running on platforms other than Microsoft Windows may be affected.

   In March 2003, Rapid7, Inc. released several advisories. The following
   vulnerabilities,  reported  by  Rapid7, Inc., affect versions of Lotus
   Domino prior to 5.0.12:

     VU#433489 - Lotus Domino Server susceptible to a pre-authentication
     buffer overflow during Notes authentication
     Lotus Technical Documentation: DBAR5CJJJS
     Rapid7, Inc.'s Advisory: R7-0010

     VU#411489  -  Lotus Domino Web Retriever contains a buffer overflow
     vulnerability
     Lotus Technical Documentation: KSPR5DFJTR
     Rapid7, Inc.'s Advisory: R7-0011

   Rapid7,  Inc.  also  discovered that Lotus Domino pre-release and beta
   versions of 6.0 were affected by the following vulnerability:

     VU#583184  -  Lotus  Domino  R5  Server  Family  contains  multiple
     vulnerabilities in LDAP handling code
     Lotus Technical Documentation: DWUU4W6NC8
     Rapid7, Inc.'s Advisory: R7-0012

   VU#583184  was  a  regression  of  the  PROTOS  LDAP  Test-Suite  from
   CA-2001-18 and was originally fixed in 5.0.7a.

II. Impact

   The  impact  of  these vulnerabilities ranges from denial of service to
   data  corruption  and  the  potential  to  execute arbitrary code. For
   details  about  the impact of a specific vulnerability, please see the
   related vulnerability note.

III. Solution

 Upgrade

   Most  of  these  vulnerabilities  are  resolved in versions 5.0.12 and
   6.0.1 of Lotus Domino.

   Only  VU#571297,  "Lotus  Notes  and Domino COM Object Control Handler
   contains  buffer  overflow,"  is  not  resolved  in  5.0.12, or 6.0.1.
   Critical  Fix  1  for 6.0.1 was released on March 18, 2003, to resolve
   this issue for both the Notes client and Domino server.

 Apply a patch

   Patches  are  available  for  some  vulnerabilities.  Please  view the
   individual vulnerability notes for specific patch information.

 Block access from outside the network perimeter

   Lotus  Domino  servers  listen  on  port  1352/TCP.  Notes may also be
   configured  to  listen  on  other ports, such as NETBIOS, SPX, or XPC.
   Blocking  access  to  these  ports  from machines outside your trusted
   network  perimeter  may help mitigate successful exploitation of these
   vulnerabilities.
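Until the upgrade or patch is in place, the web-facing issues listed in section I can also be screened at a reverse proxy in front of Domino. The following Python is an added example, not CERT's, Lotus's or CIAC's code: it applies one rule per web-server VU to constructed sample requests, using assumed length thresholds, and matches the named PresetFields as plain query or body fields rather than assuming iNotes' exact URL syntax.

```python
from urllib.parse import parse_qs, urlsplit

# Assumption: thresholds are constructed for illustration; a 1 KiB Host
# header or field value is already far beyond any legitimate use.
MAX_HOST_LEN = 1024
MAX_FIELD_LEN = 1024
# iNotes PresetFields named in the advisory, mapped to their VU ids.
VU_BY_FIELD = {"FolderName": "VU#206361", "s_ViewName": "VU#542873"}

def parse_request(raw: bytes) -> dict:
    """Split one raw HTTP/1.x request into method, target, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}

def screen(raw: bytes) -> list:
    """Return the CA-2003-11 VU ids whose request pattern `raw` matches."""
    req = parse_request(raw)
    fields = parse_qs(urlsplit(req["target"]).query, keep_blank_values=True)
    if req["method"] == "POST":
        fields.update(parse_qs(req["body"].decode("latin-1"), keep_blank_values=True))
    hits = []
    # VU#772817: h_SetReturnURL parameter combined with an over-long Host header.
    if "h_SetReturnURL" in fields and len(req["headers"].get("host", "")) > MAX_HOST_LEN:
        hits.append("VU#772817")
    # VU#206361 / VU#542873: over-long values in the watched PresetFields.
    for name, vu in VU_BY_FIELD.items():
        if any(len(v) > MAX_FIELD_LEN for v in fields.get(name, [])):
            hits.append(vu)
    # VU#355169: a POST whose declared Content-Length exceeds the body that
    # actually arrived (what a proxy holds once its read timeout expires).
    declared = int(req["headers"].get("content-length") or 0)
    if req["method"] == "POST" and declared > len(req["body"]):
        hits.append("VU#355169")
    return sorted(hits)

# Constructed sample requests: one benign, then one per screened pattern.
BENIGN = b"GET /mail/user.nsf?OpenDatabase HTTP/1.1\r\nHost: domino.example\r\n\r\n"
LONG_HOST = (b"GET /mail/user.nsf?OpenForm&h_SetReturnURL=x HTTP/1.1\r\nHost: "
             + b"A" * 2000 + b"\r\n\r\n")
LONG_FIELD = (b"GET /mail/user.nsf?OpenForm&s_ViewName=" + b"B" * 2000
              + b" HTTP/1.1\r\nHost: domino.example\r\n\r\n")
SHORT_POST = (b"POST /mail/user.nsf?CreateDocument HTTP/1.1\r\nHost: domino.example\r\n"
              b"Content-Length: 500\r\n\r\nabc")
```

Calling `screen()` on each sample returns `[]`, `['VU#772817']`, `['VU#542873']` and `['VU#355169']` respectively; a real proxy would additionally need a read timeout to decide when a POST body has stopped arriving.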

Appendix A - References

     1. http://www.kb.cert.org/vuls/id/571297
     2. http://www.kb.cert.org/vuls/id/206361
     3. http://www.ibm.com/Search?v=11</=en&cc=us&q=KSPR5HUQ59
     4. http://www.nextgenss.com/advisories/lotus-inotesoflow.txt
     5. http://www.kb.cert.org/vuls/id/355169
     6. http://www.ibm.com/Search?v=11</=en&cc=us&q=KSPR5HTQHS
     7. http://www.nextgenss.com/advisories/lotus-60dos.txt
     8. http://www.kb.cert.org/vuls/id/542873
     9. http://www.ibm.com/Search?v=11</=en&cc=us&q=KSPR5HUPEK
     10. http://www.nextgenss.com/advisories/lotus-inotesoflow.txt
     11. http://www.kb.cert.org/vuls/id/772817
     12. http://www.ibm.com/Search?v=11</=en&cc=us&q=KSPR5HTLW6
     13. http://www.nextgenss.com/advisories/lotus-hostlocbo.txt
     14. http://www.kb.cert.org/vuls/id/571297
     15. http://www.ibm.com/Search?v=11</=en&cc=us&q=swg21104543
     16. http://www.nextgenss.com/advisories/lotus-inotesclientaxbo.txt
     17. http://www.kb.cert.org/vuls/id/433489
     18. http://www.ibm.com/Search?v=11</=en&cc=us&q=DBAR5CJJJS
     19. http://www.rapid7.com/advisories/R7-0010.html
     20. http://www.kb.cert.org/vuls/id/411489
     21. http://www.ibm.com/Search?v=11</=en&cc=us&q=KSPR5DFJTR
     22. http://www.rapid7.com/advisories/R7-0011.html
     23. http://www.kb.cert.org/vuls/id/583184
     24. http://www.ibm.com/Search?v=11</=en&cc=us&q=DWUU4W6NC8
     25. http://www.rapid7.com/advisories/R7-0012.html
     26. http://www.kb.cert.org/vuls/id/583184
     27. http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/
     28. http://www.cert.org/advisories/CA-2001-18.html
     29. http://www.kb.cert.org/vuls/id/571297
     30. http://www-10.lotus.com/ldd/r5fixlist.nsf/80bff5d07b4be477052569ce00710588/8bc951d3ff1e578385256ce10052a78a?OpenDocument
   _________________________________________________________________

   Our  thanks  to  NGS  Software  and  Rapid7,  Inc. for discovering and
   reporting  on  these vulnerabilities. We also thank the Lotus Security
   Team for aiding in the resolution and clarification of these issues.
   _________________________________________________________________

   Feedback  on  this  document  can  be directed to the author, 
   Jason A. Rafail.
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2003-11.html
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more
   information.

Getting security information

   CERT  publications  and  other security information are available from
   our web site
   http://www.cert.org/

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to majordomo@cert.org. Please include in the body of your
   message

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
     _________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2003 Carnegie Mellon University.

   Revision History
         Mar 26, 2003:  Initial release

[***** End CERT Advisory CA-2003-11 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of CERT Coordination Center for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-055: Samba smbd Buffer Overrun Vulnerability
N-056: Red Hat Updated 2.4 Kernel Fix for ptrace Vulnerability
N-057: Cryptographic weaknesses in Kerberos v4 protocol
N-058: Vulnerabilities in Webmin/Usermin
N-059: Integer overflow in Sun RPC XDR library routines
N-060: Vulnerabilities in Tomcat 3.3.1
N-061: OpenSSL Timing-based Attacks on RSA Keys
N-062: MIT krb5 Buffer overrun and underrun in Principal Name Handling
N-063: Microsoft Windows Script Engine Vulnerability
N-064: Sun Buffer Overflow in Web Connector Module of Application Server

