IBM Lotus Domino IMAP server buffer overflow vulnerability

Technote (troubleshooting)


Problem

The Zero Day Initiative (ZDI), associated with TippingPoint, contacted IBM® Lotus® to report a potential denial of service vulnerability in the IBM Lotus Domino IMAP server task.

The advisory can be accessed at the following link:
http://www.zerodayinitiative.com/advisories/ZDI-07-011.html



Cause

If the IMAP server task is enabled on the Domino server and an attacker is able to telnet to the server, the attacker can cause a buffer overflow that results in a denial of service.

The NSD shows the following Call Function Stack from a crash:

Thread 3 (Thread -1614976080 (LWP 25316)):

#0 0x00ab87a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
#1 0x00b96a41 in ___newselect_nocancel () from /lib/tls/libc.so.6
#2 0xb6975f34 in FRDoSleep ()
   from /opt/ibm/lotus/notes/latest/linux/libnotes.so
#3 0xb69780a2 in OSRunExternalScript ()
   from /opt/ibm/lotus/notes/latest/linux/libnotes.so
#4 0xb697637f in OSFaultCleanupExt ()
   from /opt/ibm/lotus/notes/latest/linux/libnotes.so
#5 0xb6975f76 in OSFaultCleanup ()
   from /opt/ibm/lotus/notes/latest/linux/libnotes.so
#6 0xb695155e in fatal_error ()
   from /opt/ibm/lotus/notes/latest/linux/libnotes.so
#7 <signal handler called>
#8 0xb6a32754 in CStream::ToBase64 ()
   from /opt/ibm/lotus/notes/latest/linux/libnotes.so
#9 0x0806986d in CIMAPCommandAuthenticate::CRAM_MD5_Response ()
#10 0x08068cd3 in CIMAPCommandAuthenticate::Process ()
#11 0x08072238 in CIMAPProtocol::CommandDispatch ()
#12 0x080717d1 in CIMAPProtocol::StateNonAuthenticated ()
#13 0x0807138e in CIMAPProtocol::Run ()
#14 0x08088bf4 in CBaseTask::StateMachine ()
#15 0x0805acef in CIMAPSrv::OnConnect ()
#16 0x08085ff0 in CIServ::ServerTaskProtocolMachine ()
#17 0x080856f2 in CIServ::ServerTaskIOCP ()
#18 0x080847a0 in ServerThread ()
#19 0xb6972869 in ThreadWrapper ()
   from /opt/ibm/lotus/notes/latest/linux/libnotes.so
#20 0x00c45371 in start_thread () from /lib/tls/libpthread.so.0
#21 0x00b9dffe in clone () from /lib/tls/libc.so.6
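
To check whether a crash on another server matches this technote, the frames that were running when the signal arrived can be compared with frames #8 and #9 above. The following is an added example, not IBM code: the function names, the two-frame signature and the SAMPLE excerpt are assumptions built from the trace shown here.

```python
import re

# One gdb frame line, e.g. "#8 0xb6a32754 in CStream::ToBase64 () from /path/lib.so"
FRAME = re.compile(
    r"^#(\d+)\s+(?:0x[0-9a-f]+\s+in\s+)?(.+?)(?:\s+\([^)]*\))?(?:\s+from\s+(\S+))?$")
SIGNAL_MARK = "<signal handler called>"
# Innermost faulting frames from the technote's trace (frames #8 and #9).
SIGNATURE = ("CStream::ToBase64", "CIMAPCommandAuthenticate::CRAM_MD5_Response")

# Constructed input: frames #6-#10 of the trace above, wrapped as on the page.
SAMPLE = """\
#6 0xb695155e in fatal_error ()
from /opt/ibm/lotus/notes/latest/linux/libnotes.so
#7 <signal handler called>
#8 0xb6a32754 in CStream::ToBase64 ()
from /opt/ibm/lotus/notes/latest/linux/libnotes.so
#9 0x0806986d in CIMAPCommandAuthenticate::CRAM_MD5_Response ()
#10 0x08068cd3 in CIMAPCommandAuthenticate::Process ()
"""

def parse_frames(text):
    """Return [(index, function, library)] from a gdb-style backtrace."""
    frames = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("from ") and frames:
            # A wrapped "from <library>" line belongs to the previous frame.
            idx, func, _ = frames[-1]
            frames[-1] = (idx, func, line[5:].strip())
            continue
        m = FRAME.match(line)
        if m:
            frames.append((int(m.group(1)), m.group(2), m.group(3)))
    return frames

def faulting_frames(frames):
    """Frames below the signal marker, innermost first.

    Frames above the marker are the crash handler itself (fatal_error,
    OSFaultCleanup, ...) and appear in any crash, so they are skipped."""
    for pos, (_, func, _) in enumerate(frames):
        if func == SIGNAL_MARK:
            return frames[pos + 1:]
    return []

def matches_technote(text):
    """True when the innermost faulting frames equal SIGNATURE."""
    funcs = [func for _, func, _ in faulting_frames(parse_frames(text))]
    return tuple(funcs[:len(SIGNATURE)]) == SIGNATURE

if __name__ == "__main__":
    print("matches this technote's crash signature:", matches_technote(SAMPLE))
```

A match only indicates the same crash path; the fixed releases listed under "Resolving the problem" remain the reference for whether a server is affected.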


Resolving the problem

This issue was reported to Quality Engineering as SPR# KEMG6T7HEX, and has been fixed in Lotus Domino 6.5.5 Fix Pack 3 (FP3), Domino 6.5.6, Domino 7.0.2 Fix Pack 1 (FP1), and Domino 7.0.3. Refer to the Upgrade Central site for details on upgrading Notes/Domino.

Assessing this vulnerability using the Common Vulnerability Scoring System (CVSS):

CVSS Base Score: 5
CVSS Temporal Score: 3.9
CVSS Environmental Score: Undefined*
Overall CVSS Score: 3.9

*The CVSS Environmental Score is specific to each customer environment and will ultimately impact the Overall Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links referenced below.

Base Score Metrics:
Related exploit range/Attack Vector: Remote
Attack Complexity: Low
Level of Authentication Needed: Not Required
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete
Impact Value Weighting: Weight Availability

Temporal Score Metrics:
Availability of Exploit: Proof of concept code
Type of Fix available: Official fix
Level of verification that vulnerability exists: Confirmed

References:
Complete CVSS Guide:
http://www.first.org/cvss/cvss-guide.html

Online Calculator:
http://nvd.nist.gov/cvss.cfm?calculator




Document information

More support for: Lotus End of Support Products, Lotus Domino
Software version: 6.5, 7.0
Operating system(s): AIX, Linux, Solaris, Windows, i5/OS, z/OS
Reference #: 1257028
Modified date: 2007-10-12
