Response to 'Password exposure in Lotus Notes'

Technote (FAQ)


Question

Your operating system and Lotus Notes® provide several layers of security, all of which must be compromised before an attacker can gain access to a user's password. Is there a way an attacker could discover and use an unpublished notes.ini debug variable to learn a notes.id password?

Answer

This issue was reported to Quality Engineering as SPR# KLYH759K46. Notes and Domino versions 7.0.3, 8.0, and all future versions will contain a hotfix that removes the use of an undocumented debug variable. If you encounter this situation, contact Product Support to see if the hotfix is available for your particular configuration.

Background:
An attacker could find and use an unwanted notes.ini parameter to search for and log a user password. However, in order to do this, all of the following circumstances must be true:

1. The attacker must compromise the workstation in order to implement this parameter or have administrative rights to push out a notes.ini change with a policy.

2. The user must restart the Notes client.

3. The user must be persuaded to change his/her notes.id password.

4. The attacker must gather the information from the debug outfile.

*************************************************
Need for security:
Users are strongly urged to use caution when opening or viewing unsolicited file attachments or scripts that could potentially introduce an unwanted notes.ini parameter.

In order to limit who can access your system, you can implement standard workstation security which includes both Notes Execution Control Lists and operating system security.

Review the access control list (ACL) settings in your Domino Directory to ensure that the ability to change and use policies is given only to trusted administrators.

If you utilize a multi-user workstation environment, make sure to properly implement operating system security and user accounts to control access to personal directories.

Security rating using the Common Vulnerability Scoring System (CVSS):

    CVSS Base Score: 1
    CVSS Temporal Score: 0.9
    CVSS Environmental Score: Undefined*
    Overall CVSS Score: 0.9

    *The CVSS Environmental Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links below.

Base Score Metrics:
    Related exploit range/Attack Vector: Local
    Attack Complexity: Low
    Level of Authentication Needed: Required
    Confidentiality Impact: Partial
    Integrity Impact: None
    Availability Impact: None
    Impact Value Weighting: Normal

Temporal Score Metrics:
    Availability of Exploit: Functional exploit exists
    Type of Fix available: Workaround
    Level of verification that vulnerability exists: Confirmed

References:
Online Calculator: http://nvd.nist.gov/cvss.cfm?calculator
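As an added worked example (not part of the technote), the scores above recomputed from the listed metrics. The metric names ("Impact Value Weighting", "Level of verification") are those of CVSS version 1, so the weight tables below are assumed from the CVSS v1 specification; the metrics themselves are taken verbatim from the technote.

```python
# Added example: recompute the technote's CVSS scores from its listed metrics.
# Weight tables are assumed from the CVSS v1 specification (not from the technote).
ACCESS_VECTOR = {"Local": 0.7, "Remote": 1.0}
ACCESS_COMPLEXITY = {"High": 0.8, "Low": 1.0}
AUTHENTICATION = {"Required": 0.6, "Not Required": 1.0}
IMPACT = {"None": 0.0, "Partial": 0.7, "Complete": 1.0}
# "Impact Value Weighting" is the v1 impact-bias metric: (conf, integ, avail) weights.
IMPACT_BIAS = {
    "Normal": (0.333, 0.333, 0.333),
    "Confidentiality": (0.5, 0.25, 0.25),
    "Integrity": (0.25, 0.5, 0.25),
    "Availability": (0.25, 0.25, 0.5),
}
EXPLOITABILITY = {"Unproven": 0.85, "Proof-of-concept": 0.9, "Functional": 0.95, "High": 1.0}
REMEDIATION = {"Official fix": 0.87, "Temporary fix": 0.9, "Workaround": 0.95, "Unavailable": 1.0}
CONFIDENCE = {"Unconfirmed": 0.9, "Uncorroborated": 0.95, "Confirmed": 1.0}


def base_score(av, ac, au, conf, integ, avail, bias="Normal"):
    """CVSS v1 base score: 10 * AV * AC * Au * weighted impact, rounded to one decimal."""
    cb, ib, ab = IMPACT_BIAS[bias]
    impact = IMPACT[conf] * cb + IMPACT[integ] * ib + IMPACT[avail] * ab
    raw = 10 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au] * impact
    return round(raw, 1)


def temporal_score(base, exploit, fix, confidence):
    """CVSS v1 temporal score: the base score scaled by the three temporal multipliers."""
    return round(base * EXPLOITABILITY[exploit] * REMEDIATION[fix] * CONFIDENCE[confidence], 1)


def technote_scores():
    """Metrics exactly as the technote lists them for SPR# KLYH759K46."""
    base = base_score("Local", "Low", "Required", "Partial", "None", "None", "Normal")
    temporal = temporal_score(base, "Functional", "Workaround", "Confirmed")
    return base, temporal


if __name__ == "__main__":
    b, t = technote_scores()
    print(f"CVSS base score: {b}, temporal score: {t}")  # base 1.0, temporal 0.9
```

The low base score is driven almost entirely by the Local access vector, the Required authentication and the Partial confidentiality-only impact; changing any of them to its worst value shows how much each layer in the Background list contributes.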

Cross reference information
Segment: Messaging Applications
Product: IBM Domino
Version: 8.5, 8.0, 7.0, 6.5, 6.0


Document information
More support for: IBM Notes
Software version: 6.0, 6.5, 7.0, 8.0, 8.5
Operating system(s): Linux, Mac OS, Windows
Reference #: 1266085
Modified date: 2008-08-01
