Potential Denial of Service vulnerability in Domino LDAP server task

A specially crafted bind request sent to the LDAP server port can result in a Lotus Domino server crash. If successfully exploited, this vulnerability allows an unauthenticated remote attacker to crash the LDAP service preventing legitimate usage.

This issue was reported to IBM Lotus by iDEFENSE. The advisory address is as follows:

IDEF 1173: Lotus Domino LDAP Server Bind Command DoS
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=389

This issue results in the following stack trace in the NSD:

##################################################
### FATAL THREAD 9/11 [ nLDAP:2b74:1738]
### FP=0x054efc2c, PC=0x0040cbaf, SP=0x054ef7c8, stksize=1124
### EAX=0x00000000, EBX=0x055f20f4, ECX=0x00000000, EDX=0x04b814f4
### ESI=0x04b814a1, EDI=0x054efbc9, CS=0x0000001b, SS=0x00000023
### DS=0x00000023, ES=0x00000023, FS=0x0000003b, GS=0x00000000 Flags=0x00010246
Exception code: c0000005 (ACCESS_VIOLATION)
##################################################
@[ 1] 0x0040cbaf nLDAP.CLDAPProtocol::StateBind+463 (0,8f56e0,8f56d8,8f0000)
@[ 2] 0x00404581 nLDAP.CLDAPProtocol::Run+1121 (4ccfcf4,0,447e48,3a889bc)
@[ 3] 0x0042a755 nLDAP.CBaseTask::StateMachine+373 (8f56d8,3a889a0,447e48,3a889bc)
@[ 4] 0x004033b2 nLDAP.CLDAPSrv::OnConnect+194 (447e48,3a889bc,8400001,3a889a0)
@[ 5] 0x00426f1c nLDAP.CIServ::ServerTaskProtocolMachine+268 (447e48,3a889a0,3,0)
@[ 6] 0x0042677c nLDAP.CIServ::ServerTaskIOCP+1052 (0,0,60115334,0)
@[ 7] 0x00425bed nLDAP._ServerThread@4+29 (0,0,0,0)
[ 8] 0x77e66063 KERNEL32.GetModuleFileNameA+235

This issue was reported to IBM Lotus Quality Engineering as SPR# JBUD6FMQST and fixed in Domino 6.5.4 FP2, Domino 6.5.5, and Domino 7.0.1.

Refer to the Upgrade Central site for details on upgrading Notes/Domino.

A workaround for previous releases is to limit access to TCP port 389 on the LDAP server to only allow trusted hosts to connect.

NOTE: This issue does not affect Domino servers that are not running the LDAP server task.