Archive of CERT general posting, CERT Advisory CA-2003-11 Multiple Vulnerabilities in Lotus Notes and Domino

27/03/03, CERT Advisory CA-2003-11 Multiple Vulnerabilities in Lotus Notes and Domino
From: CERT Advisory <>

Generated by MHonArc

CSIM Logo WelcomeCourses
Faculty, Student, Staff
Projects and reports
Conferences, workshop and seminars
Laboratories and reasearch facilities
Information related to CSIM
Information non-related to CSIM
Address, map, phone, etc.

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Subject: CERT Advisory CA-2003-11 Multiple Vulnerabilities in Lotus Notes and Domino
From: CERT Advisory <>
Date: Wed, 26 Mar 2003 11:41:11 -0500
List-archive: <>
List-help: <>, <>
List-owner: <>
List-post: NO (posting not allowed on this list)
List-subscribe: <>
List-unsubscribe: <>
Mail-from: From Thu Mar 27 01:34:24 2003
Organization: CERT(R) Coordination Center - +1 412-268-7090


CERT Advisory CA-2003-11 Multiple Vulnerabilities in Lotus Notes and Domino

   Original release date: March 26, 2003
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

     * Lotus Notes and Domino versions prior to 5.0.12 and 6.0 Gold
     * VU#571297 affects 5.0.12, 6.0.1 and prior versions.


   Multiple  vulnerabilities  have  been  reported  to affect Lotus Notes
   clients  and Domino servers. Multiple reporters, the close timing, and
   some ambiguity caused confusion about what releases are vulnerable. We
   are  issuing  this  advisory  to  help  clarify  the  details  of  the
   vulnerabilities,  the  versions affected, and the patches that resolve
   these issues.

I. Description

   In  February  2003, NGS Software released several advisories detailing
   vulnerabilities  affecting  Lotus  Notes  and  Domino.  The  following
   vulnerabilities  reported  by  NGS  Software  affect versions of Lotus
   Domino prior to 5.0.12 and 6.0:

     VU#206361   -  Lotus  iNotes  vulnerable  to  buffer  overflow  via
     PresetFields FolderName field
     Lotus Technical Documentation: KSPR5HUQ59
     NGS Software's Advisory: NISR17022003b

     VU#355169 - Lotus Domino Web Server vulnerable to denial of service
     via incomplete POST request
     Lotus Technical Documentation: KSPR5HTQHS
     NGS Software's Advisory: NISR17022003d

     VU#542873   -  Lotus  iNotes  vulnerable  to  buffer  overflow  via
     PresetFields s_ViewName field
     Lotus Technical Documentation: KSPR5HUPEK
     NGS Software's Advisory: NISR17022003b

     VU#772817  -  Lotus Domino Web Server vulnerable to buffer overflow
     via  non-existent  "h_SetReturnURL"  parameter  with an overly long
     "Host Header" field
     Lotus Technical Documentation: KSPR5HTLW6
     NGS Software's Advisory: NISR17022003a

   The  following vulnerability reported by NGS Software affects versions
   of Lotus Domino up to and including 5.0.12 and 6.0.1:

     VU#571297  -  Lotus  Notes  and  Domino  COM Object Control Handler
     contains buffer overflow
     Lotus Technical Documentation: SWG21104543
     NGS Software's Advisory: NISR17022003e

   VU#571297  was  originally  reported  as  a vulnerability in an iNotes
   ActiveX  control.  The  vulnerable  code  is not specific to iNotes or
   ActiveX.  The  iNotes  ActiveX  control  was  an attack vector for the
   vulnerability and is not the affected code base. Because this issue is
   not  specific  to  ActiveX,  Lotus  Notes  clients  and Domino Servers
   running on platforms other than Microsoft Windows may be affected.

   In March 2003, Rapid7, Inc. released several advisories. The following
   vulnerabilities,  reported  by  Rapid7, Inc., affect versions of Lotus
   Domino prior to 5.0.12:

     VU#433489 - Lotus Domino Server susceptible to a pre-authentication
     buffer overflow during Notes authentication
     Lotus Technical Documentation: DBAR5CJJJS
     Rapid7, Inc.'s Advisory: R7-0010

     VU#411489  -  Lotus Domino Web Retriever contains a buffer overflow
     Lotus Technical Documentation: KSPR5DFJTR
     Rapid7, Inc.'s Advisory: R7-0011

   Rapid7,  Inc.  also  discovered that Lotus Domino pre-release and beta
   versions of 6.0 were also affected by the following vulnerability:

     VU#583184  -  Lotus  Domino  R5  Server  Family  contains  multiple
     vulnerabilities in LDAP handling code
     Lotus Technical Documentation: DWUU4W6NC8
     Rapid7, Inc.'s Advisory: R7-0012

   VU#583184  was  a  regression  of  the  PROTOS  LDAP  Test-Suite  from
   CA-2001-18 and was originally fixed in 5.0.7a.

II. Impact

   The  impact  of  these vulnerabilities range from denial of service to
   data  corruption  and  the  potential  to  execute arbitrary code. For
   details  about  the impact of a specific vulnerability, please see the
   related vulnerability note.

III. Solution


   Most  of  these  vulnerabilities  are  resolved in versions 5.0.12 and
   6.0.1 of Lotus Domino.

   Only  VU#571297,  "Lotus  Notes  and Domino COM Object Control Handler
   contains  buffer  overflow,"  is  not  resolved  in  5.0.12, or 6.0.1.
   Critical  Fix  1  for 6.0.1 was released on March 18, 2003, to resolve
   this issue for both the Notes client and Domino server.

 Apply a patch

   Patches  are  available  for  some  vulnerabilities.  Please  view the
   individual vulnerability notes for specific patch information.

 Block access from outside the network perimeter

   Lotus  Domino  servers  listen  on  port  1352/TCP.  Notes may also be
   configured  to  listen  on  other ports, such as NETBIOS, SPX, or XPC.
   Blocking  access  to  these  ports  from machines outside your trusted
   network  perimeter  may help mitigate successful exploitation of these

Appendix A - References


   Our  thanks  to  NGS  Software  and  Rapid7,  Inc. for discovering and
   reporting  on  these vulnerabilities. We also thank the Lotus Security
   Team for aiding in the resolution and clarification of these issues.

   Feedback  on  this  document  can  be directed to the author, 
   Jason A. Rafail.

   This document is available from:

CERT/CC Contact Information

          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more

Getting security information

   CERT  publications  and  other security information are available from
   our web site

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to Please include in the body of your

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.

   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2003 Carnegie Mellon University.

   Revision History
         Mar 26, 2003:  Initial release

Version: PGP 6.5.8


Previous message sorted by date: CERT Advisory CA-2003-10 Integer overflow in Sun RPC XDR library routines
Next message sorted by date: CERT Advisory CA-2003-13 Multiple Vulnerabilities in Snort Preprocessors
Previous message sorted by thread: CERT Advisory CA-2003-10 Integer overflow in Sun RPC XDR library routines
Next message by thread: CERT Advisory CA-2003-13 Multiple Vulnerabilities in Snort Preprocessors
Main Index
Thread Index

CSIM home pageWMailAccount managementCSIM LibraryNetwork test toolsSearch CSIM directories
Contact us: Olivier Nicole CSIM    SET    AIT Last update: Jan 2004