IBM Support

Folder permission issues result from installer program for Notes 8 client for Linux

Technote (troubleshooting)


Problem

There are two potential security issues with the installer program for Lotus Notes 8 for Linux. Refer to the content section below for details on the issues, the current fix status and possible workarounds.

Resolving the problem


Both issues described below have been reported to Quality Engineering as SPR# MLAT796SEH. The issues are targeted to be fixed in the Notes 8.0.1 client for Linux.

Issue #1

Description:
The first potential security vulnerability has to do with the file permissions set on extracted Notes 8 for Linux files.

In order for an attacker to successfully exploit this vulnerability, the following must be accomplished:
  • Root user must download the Notes 8 for Linux software from the Lotus Web site.
  • Root user must extract the tar file to a directory that non-root users can read and traverse (read and execute permission for group or other).
  • Attacker, with non-root access, must modify the installation kit such that subsequent installs performed by the root user would deploy malicious content or code to end user systems.
  • Root user performs additional client install.

Workaround:
The root user should extract the tar file into a temporary directory and, from inside that directory, run:
    chmod -R 700 ./*

This makes the extracted content readable, writable and executable by the root user only. Note that ./* does not match names beginning with a dot and does not change the mode of the temporary directory itself, so create that directory with mode 700 as well before extracting.


Issue #2

Description
The second potential security vulnerability involves the setup.sh script and the fact that it sets 777 permission (everyone can read, write, and execute) on the installdata file.

When the root user runs the setup.sh script, the installdata file is made world-writable, so a non-root user could modify that binary with malicious code that a later install would deploy. The assumption here is that the root user runs the installer again without knowing that it has been tampered with by a non-root user.

In order for an attacker to successfully exploit this vulnerability, the following must be accomplished:
  • Root user must download the Notes 8 for Linux software from the Lotus Web site.
  • Root user must extract the tar file to a folder and execute a client install via setup.sh.
  • As a result, the installdata file, which is the Notes binary installer, is writable by any user with access to the machine.
  • Attacker, with non-root access, must compromise the workstation where the install has been performed.
  • Attacker must modify the installdata binaries such that subsequent installs performed by the root user could deploy malicious content or code to end user systems.
  • Root user must be persuaded to reinstall the Lotus Notes 8 client using setup.sh.


Workaround
Edit the setup.sh file and change the line

    chmod 777 "${0%setup.sh}/installdata"

to

    chmod 700 "${0%setup.sh}/installdata"
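The two workarounds above, applied and verified by script. This is an added example, not part of the technote or of the Notes installer: it assumes the kit layout implied by the setup.sh line (setup.sh and installdata side by side) and builds a constructed stand-in for the extracted tar content so it runs without the real download. harden_kit patches the chmod 777 line and then applies chmod -R 700 to the whole tree (the directory itself rather than ./*, so dot-files and the directory mode are covered); kit_is_hardened checks that nothing in the tree is reachable by group or other and that setup.sh now sets 700.

```shell
#!/bin/sh
# Added example (not from the IBM technote or the Notes 8 kit): applies the
# Issue #1 and Issue #2 workarounds to an extracted installer tree and verifies
# them. The kit layout (setup.sh next to installdata) is an assumption taken
# from the "${0%setup.sh}/installdata" path in the technote.

# make_fake_kit DIR: constructed stand-in for the extracted tar content.
make_fake_kit() {
    kit=$1
    mkdir -p "$kit"
    printf '%s\n' '#!/bin/sh' \
        'chmod 777 "${0%setup.sh}/installdata"' \
        'echo "installer would run here"' > "$kit/setup.sh"
    : > "$kit/installdata"
    # Simulate a careless extraction: group and others can read/traverse.
    chmod 755 "$kit" "$kit/setup.sh" "$kit/installdata"
}

# world_accessible DIR: lists everything under DIR with any group/other
# permission bit set. Empty output means only the owner can reach the tree.
world_accessible() {
    find "$1" \( -perm -g=r -o -perm -g=w -o -perm -g=x \
                 -o -perm -o=r -o -perm -o=w -o -perm -o=x \)
}

# harden_kit DIR: Issue #2 first (patch the chmod 777 line in setup.sh to
# 700), then Issue #1 (chmod -R 700 on the whole tree), so the rewritten
# setup.sh is covered by the recursive chmod. sed writes a new file instead
# of using -i, whose syntax differs between sed implementations.
harden_kit() {
    kit=$1
    sed '/installdata/s/^chmod 777 /chmod 700 /' "$kit/setup.sh" \
        > "$kit/setup.sh.tmp" && mv "$kit/setup.sh.tmp" "$kit/setup.sh"
    # Applied to the directory itself rather than ./* so that dot-files and
    # the directory's own mode are restricted too.
    chmod -R 700 "$kit"
}

# kit_is_hardened DIR: returns 0 only if both workarounds are in effect.
kit_is_hardened() {
    kit=$1
    [ -z "$(world_accessible "$kit")" ] || return 1
    if grep -q 'chmod 777' "$kit/setup.sh"; then return 1; fi
    grep -qF 'chmod 700 "${0%setup.sh}/installdata"' "$kit/setup.sh"
}

# installdata_mode DIR: runs setup.sh the way an administrator would
# (./setup.sh from inside the kit) and prints the permission string ls shows
# for installdata afterwards, e.g. -rwx------ once the script is patched.
installdata_mode() {
    (cd "$1" && ./setup.sh >/dev/null) || return 1
    ls -l "$1/installdata" | cut -c1-10
}

# Demonstration on the constructed kit.
work=$(mktemp -d)
make_fake_kit "$work/notes8"
echo "before hardening, paths reachable by group/other:"
world_accessible "$work/notes8"
harden_kit "$work/notes8"
if kit_is_hardened "$work/notes8"; then
    echo "after hardening: tree restricted to owner"
    echo "installdata mode after running setup.sh: $(installdata_mode "$work/notes8")"
fi
rm -rf "$work"
```

On the real kit, point make_fake_kit's replacement (the actual extraction) at a directory created by mktemp -d, run harden_kit before the first ./setup.sh, and keep world_accessible in the checklist for any later reinstall: an empty listing is the state the technote's workarounds are meant to produce.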

Additional Information:
The issues described above pertain only to Lotus Notes 8 clients running on Linux. The Domino 8 server install on Linux is not impacted, nor are previous versions of the Notes client.


Security Rating using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score: 7.2
---- Impact Subscore: 10
---- Exploitability Subscore: 3.9
CVSS Temporal Score: 6.2
CVSS Environmental Score: Undefined*
Overall CVSS Score: 6.2
Base Score Metrics:
  • Related exploit range/Attack Vector: Local
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete
Temporal Score Metrics:
  • Exploitability: Proof of Concept Code
  • Remediation Level: Workaround
  • Report Confidence: Confirmed
References:

*The CVSS Environmental Score is customer environment-specific and will ultimately affect the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.

Document information

More support for: IBM Notes
Install/Setup

Software version: 8.0

Operating system(s): Linux

Reference #: 1289273

Modified date: 02 June 2011