[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Subject: CERT Advisory CA-2003-11 Multiple Vulnerabilities in Lotus Notes and Domino
From: CERT Advisory <This email address is being protected from spambots. You need JavaScript enabled to view it.>
Date: Wed, 26 Mar 2003 11:41:11 -0500


-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2003-11 Multiple Vulnerabilities in Lotus Notes and Domino

   Original release date: March 26, 2003
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

     * Lotus Notes and Domino versions prior to 5.0.12 and 6.0 Gold
     * VU#571297 affects 5.0.12, 6.0.1 and prior versions.

Overview

   Multiple  vulnerabilities  have  been  reported  to affect Lotus Notes
   clients  and Domino servers. Multiple reporters, the close timing, and
   some ambiguity caused confusion about what releases are vulnerable. We
   are  issuing  this  advisory  to  help  clarify  the  details  of  the
   vulnerabilities,  the  versions affected, and the patches that resolve
   these issues.

I. Description

   In  February  2003, NGS Software released several advisories detailing
   vulnerabilities  affecting  Lotus  Notes  and  Domino.  The  following
   vulnerabilities  reported  by  NGS  Software  affect versions of Lotus
   Domino prior to 5.0.12 and 6.0:

     VU#206361   -  Lotus  iNotes  vulnerable  to  buffer  overflow  via
     PresetFields FolderName field
     Lotus Technical Documentation: KSPR5HUQ59
     NGS Software's Advisory: NISR17022003b

     VU#355169 - Lotus Domino Web Server vulnerable to denial of service
     via incomplete POST request
     Lotus Technical Documentation: KSPR5HTQHS
     NGS Software's Advisory: NISR17022003d

     VU#542873   -  Lotus  iNotes  vulnerable  to  buffer  overflow  via
     PresetFields s_ViewName field
     Lotus Technical Documentation: KSPR5HUPEK
     NGS Software's Advisory: NISR17022003b

     VU#772817  -  Lotus Domino Web Server vulnerable to buffer overflow
     via  non-existent  "h_SetReturnURL"  parameter  with an overly long
     "Host Header" field
     Lotus Technical Documentation: KSPR5HTLW6
     NGS Software's Advisory: NISR17022003a

   The  following vulnerability reported by NGS Software affects versions
   of Lotus Domino up to and including 5.0.12 and 6.0.1:

     VU#571297  -  Lotus  Notes  and  Domino  COM Object Control Handler
     contains buffer overflow
     Lotus Technical Documentation: SWG21104543
     NGS Software's Advisory: NISR17022003e

   VU#571297  was  originally  reported  as  a vulnerability in an iNotes
   ActiveX  control.  The  vulnerable  code  is not specific to iNotes or
   ActiveX.  The  iNotes  ActiveX  control  was  an attack vector for the
   vulnerability and is not the affected code base. Because this issue is
   not  specific  to  ActiveX,  Lotus  Notes  clients  and Domino Servers
   running on platforms other than Microsoft Windows may be affected.

   In March 2003, Rapid7, Inc. released several advisories. The following
   vulnerabilities,  reported  by  Rapid7, Inc., affect versions of Lotus
   Domino prior to 5.0.12:

     VU#433489 - Lotus Domino Server susceptible to a pre-authentication
     buffer overflow during Notes authentication
     Lotus Technical Documentation: DBAR5CJJJS
     Rapid7, Inc.'s Advisory: R7-0010

     VU#411489  -  Lotus Domino Web Retriever contains a buffer overflow
     vulnerability
     Lotus Technical Documentation: KSPR5DFJTR
     Rapid7, Inc.'s Advisory: R7-0011

   Rapid7,  Inc.  also  discovered that Lotus Domino pre-release and beta
   versions of 6.0 were also affected by the following vulnerability:

     VU#583184  -  Lotus  Domino  R5  Server  Family  contains  multiple
     vulnerabilities in LDAP handling code
     Lotus Technical Documentation: DWUU4W6NC8
     Rapid7, Inc.'s Advisory: R7-0012

   VU#583184  was  a  regression  of  the  PROTOS  LDAP  Test-Suite  from
   CA-2001-18 and was originally fixed in 5.0.7a.

II. Impact

   The  impact  of  these vulnerabilities range from denial of service to
   data  corruption  and  the  potential  to  execute arbitrary code. For
   details  about  the impact of a specific vulnerability, please see the
   related vulnerability note.

III. Solution

 Upgrade

   Most  of  these  vulnerabilities  are  resolved in versions 5.0.12 and
   6.0.1 of Lotus Domino.

   Only  VU#571297,  "Lotus  Notes  and Domino COM Object Control Handler
   contains  buffer  overflow,"  is  not  resolved  in  5.0.12, or 6.0.1.
   Critical  Fix  1  for 6.0.1 was released on March 18, 2003, to resolve
   this issue for both the Notes client and Domino server.

 Apply a patch

   Patches  are  available  for  some  vulnerabilities.  Please  view the
   individual vulnerability notes for specific patch information.

 Block access from outside the network perimeter

   Lotus  Domino  servers  listen  on  port  1352/TCP.  Notes may also be
   configured  to  listen  on  other ports, such as NETBIOS, SPX, or XPC.
   Blocking  access  to  these  ports  from machines outside your trusted
   network  perimeter  may help mitigate successful exploitation of these
   vulnerabilities.

Appendix A - References

     1. http://www.kb.cert.org/vuls/id/571297
     2. http://www.kb.cert.org/vuls/id/206361
     3. http://www.ibm.com/Search?v=11</=en&cc=us&q=KSPR5HUQ59
     4. http://www.nextgenss.com/advisories/lotus-inotesoflow.txt
     5. http://www.kb.cert.org/vuls/id/355169
     6. http://www.ibm.com/Search?v=11</=en&cc=us&q=KSPR5HTQHS
     7. http://www.nextgenss.com/advisories/lotus-60dos.txt
     8. http://www.kb.cert.org/vuls/id/542873
     9. http://www.ibm.com/Search?v=11</=en&cc=us&q=KSPR5HUPEK
     10. http://www.nextgenss.com/advisories/lotus-inotesoflow.txt
     11. http://www.kb.cert.org/vuls/id/772817
     12. http://www.ibm.com/Search?v=11</=en&cc=us&q=KSPR5HTLW6
     13. http://www.nextgenss.com/advisories/lotus-hostlocbo.txt
     14. http://www.kb.cert.org/vuls/id/571297
     15. http://www.ibm.com/Search?v=11</=en&cc=us&q=swg21104543
     16. http://www.nextgenss.com/advisories/lotus-inotesclientaxbo.txt
     17. http://www.kb.cert.org/vuls/id/433489
     18. http://www.ibm.com/Search?v=11</=en&cc=us&q=DBAR5CJJJS
     19. http://www.rapid7.com/advisories/R7-0010.html
     20. http://www.kb.cert.org/vuls/id/411489
     21. http://www.ibm.com/Search?v=11</=en&cc=us&q=KSPR5DFJTR
     22. http://www.rapid7.com/advisories/R7-0011.html
     23. http://www.kb.cert.org/vuls/id/583184
     24. http://www.ibm.com/Search?v=11</=en&cc=us&q=DWUU4W6NC8
     25. http://www.rapid7.com/advisories/R7-0012.html
     26. http://www.kb.cert.org/vuls/id/583184
     27. http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/
     28. http://www.cert.org/advisories/CA-2001-18.html
     29. http://www.kb.cert.org/vuls/id/571297
     30. http://www-10.lotus.com/ldd/r5fixlist.nsf/80bff5d07b4be477052569ce0
         0710588/8bc951d3ff1e578385256ce10052a78a?OpenDocument
   _________________________________________________________________

   Our  thanks  to  NGS  Software  and  Rapid7,  Inc. for discovering and
   reporting  on  these vulnerabilities. We also thank the Lotus Security
   Team for aiding in the resolution and clarification of these issues.
   _________________________________________________________________

   Feedback  on  this  document  can  be directed to the author, 
   Jason A. Rafail.
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2003-11.html
   ______________________________________________________________________

CERT/CC Contact Information

   Email: This email address is being protected from spambots. You need JavaScript enabled to view it.
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more
   information.

Getting security information

   CERT  publications  and  other security information are available from
   our web site
   http://www.cert.org/

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to This email address is being protected from spambots. You need JavaScript enabled to view it.. Please include in the body of your
   message

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
     _________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2003 Carnegie Mellon University.

   Revision History
         Mar 26, 2003:  Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPoHV6GjtSoHZUTs5AQHRowQAqTsPoDgziMnlUsSw5IpRjK64Zzwjid6c
e6DsWsBo3LhzPTd7jMTHHVhEBYeqf9uqrX7OEvYbeH81wCHAf/U7WK/nEw0godrj
HBPVXV3V0WyiX39u3dH+E0xjuT/9Ij9dRmgKh/nTkSu4a2HeNOJJgUmReG72H7xg
dBncDSyQ62M=
=zLwf
-----END PGP SIGNATURE-----


Powered by: MHonArc