IBM Lotus Sametime JNILoader Vulnerability

Technote (FAQ)


Question

iDefense contacted IBM® Lotus® to report a potential vulnerability with the JNILoader ActiveX control used by the IBM Lotus Sametime® Web Conferencing server.

The iDefense advisory can be accessed from the following link:
http://www.idefense.com/intelligence/vulnerabilities/



Cause

The JNILoader ActiveX control was introduced in early versions of the Sametime Web Conferencing server to prevent crashes caused by the length of time it took to uninitialize the Sametime audio/video DLLs when the browser was closed. The control was made scriptable to allow for DLL version changes between Sametime server releases. Its primary function was to load and unload native Sametime DLLs; however, the control can be reused on non-Sametime pages, so its scriptable "loadLibrary()" function has the potential to be exploited to load malicious code on the local workstation. In Sametime 7.5 this functionality was replaced with a 100% Java-based, non-scriptable solution that works with all browsers.

In customer environments, there is no risk with Sametime servers. The risk is when the Sametime related ActiveX control is used on non-Sametime web pages.


Answer

The JNILoader ActiveX control is no longer used in Sametime 7.5.


In order to successfully exploit this vulnerability in previous releases, an attacker must accomplish all of the following:

  • Obtain a pre-Sametime 7.5 version of the ActiveX control.

  • Script the stjniloader.ocx to reference a malicious executable file installed locally on the target user(s) workstation(s);

  • Host a web site that prompts the user to install the "Sametime JNI Meeting Install" ActiveX control;

  • Socially engineer a user to access the malicious web site via email or web link;

  • Separately install the actual exploit code on the user's workstation. (While it may be possible to load/unload a local DLL from the JNILoader ActiveX component, it is not possible to install or execute it directly from the JNILoader ActiveX component; therefore, this step is a critical component for successfully exploiting this potential vulnerability.)



Workaround:

Use a browser which restricts use of ActiveX, such as Mozilla/Firefox.

How to avoid this issue with Internet Explorer:

First, remove the control, and make sure you only accept it from controlled Sametime Web Conference servers. When using Internet Explorer, users can control which ActiveX controls are installed and trusted. Even if a user has accepted the ActiveX control in the past, it can be removed, or its "always trust" setting revoked.




In newer versions of IE, when you visit a server that delivers the ActiveX control, the prompt looks like this:

This site might require the following ActiveX control: 'Sametime JNI Meeting Install' from 'International Business Machines Corporation'. Click here to install ...

The control install looks like this:



Once installed, it can be removed by going into C:\WINDOWS\Downloaded Program Files, where you'll see this:




At this point, you can get more info, or you can delete it. For example, if you get more info, you'll see:



Note the GUID: {7261EE42-318E-490A-AE8F-77649DBA1ECA}

This means you can also find, inspect and remove the ActiveX control through the system registry, where it is registered under that GUID (its CLSID):


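As an added example that is not part of the IBM technote, the following PowerShell script audits a Windows workstation for the control's CLSID and OCX file and, with -SetKillBit, marks the control as unsafe for Internet Explorer using Microsoft's ActiveX "kill bit"; the script itself, the Downloaded Program Files path and the kill-bit step are assumptions beyond what the technote describes.

```powershell
# Added example (not from the IBM technote): audit a workstation for the
# pre-7.5 Sametime JNILoader control and optionally block it in IE.
# The CLSID is the one shown in the technote. The kill bit (Compatibility
# Flags = 0x400 under "ActiveX Compatibility") is Microsoft's mechanism for
# preventing IE from instantiating a control; using it here is an addition.
# Run from an elevated PowerShell prompt.
param([switch]$SetKillBit)

$Clsid    = '{7261EE42-318E-490A-AE8F-77649DBA1ECA}'
$ClsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
$KillKey  = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
$KillBit  = 0x400
# Assumed location of the OCX when installed through IE (per the technote's folder name).
$DpfOcx   = Join-Path $env:windir 'Downloaded Program Files\stjniloader.ocx'

$report = [ordered]@{
    Clsid = $Clsid; Registered = $false; ServerPath = $null
    ServerFileExists = $false; DpfOcxExists = (Test-Path $DpfOcx); KillBitSet = $false
}

if (Test-Path $ClsidKey) {
    $report.Registered = $true
    # The default value of InprocServer32 is the DLL/OCX path IE would load.
    # Note: on 64-bit Windows a 32-bit control may instead live under Wow6432Node.
    $srv = Get-ItemProperty -Path "$ClsidKey\InprocServer32" -ErrorAction SilentlyContinue
    if ($srv) {
        $report.ServerPath = $srv.'(default)'
        $report.ServerFileExists = [bool]($report.ServerPath -and (Test-Path $report.ServerPath))
    }
}

if (Test-Path $KillKey) {
    $flags = (Get-ItemProperty -Path $KillKey -ErrorAction SilentlyContinue).'Compatibility Flags'
    $report.KillBitSet = [bool]($flags -band $KillBit)
}

if ($SetKillBit -and -not $report.KillBitSet) {
    if (-not (Test-Path $KillKey)) { New-Item -Path $KillKey -Force | Out-Null }
    # Preserve any flags already present and OR in the kill bit.
    $existing = (Get-ItemProperty -Path $KillKey -ErrorAction SilentlyContinue).'Compatibility Flags'
    $newFlags = (($existing -as [int]) -bor $KillBit)
    Set-ItemProperty -Path $KillKey -Name 'Compatibility Flags' -Type DWord -Value $newFlags
    $report.KillBitSet = $true
}

# Emit the findings as an object so they can be collected centrally.
[pscustomobject]$report
```

Setting the kill bit leaves the file in place; deleting the entry from Downloaded Program Files, as the technote describes, removes the control itself.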

Assessing this vulnerability using the Common Vulnerability Scoring System (CVSS):
CVSS Base Score: 3.7
CVSS Temporal Score: 2.7
CVSS Environmental Score: Undefined*
Overall CVSS Score: 2.7

*The CVSS Environmental Score is specific to the customer environment and will ultimately affect the Overall Score. Customers can evaluate the impact of this vulnerability in their environments by using the references below.

Base Score Metrics:
Related exploit range/Attack Vector: Remote
Attack Complexity: High
Level of Authentication Needed: Not Required
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: None
Impact Value Weighting: Normal

Temporal Score Metrics:
Availability of Exploit: Unproven that exploit exists
Type of Fix available: Official fix
Level of verification that vulnerability exists: Confirmed

References:
Complete CVSS Guide:
http://www.first.org/cvss/cvss-guide.html

Online Calculator:
http://nvd.nist.gov/cvss.cfm?calculator

Document information


More support for:

Lotus End of Support Products
Lotus Sametime

Software version:

3.1, 6.5.1, 7.0

Operating system(s):

Windows

Reference #:

1257029

Modified date:

2007-03-30