A customer contacted IBM Lotus to report a potential vulnerability in agent signature verification which may result in elevation of the user's rights to Full Access Administrator.
To successfully exploit this vulnerability, an attacker must accomplish the following:
- Have designer or manager access to a database located on the Domino server (example namagent.nsf)
- Replace the design of the database with a template that has a scheduled agent which is set to "enabled" and which has been signed with a trusted and valid ID. The agent must have been run at least once with the original signature.
- Modify the scheduled agent and sign it with an ID with the same hierarchical name as the original agent signer
When an agent is modified, the previously validated agent signature is removed from the NSF signature cache. Prior to running the agent after modification, the signature should be revalidated and added to the cache. This problem was caused by an error that allowed some flags to be reused, effectively using the previously validated signature instead of the current invalid signature on the agent.
This issue was reported to IBM Lotus Quality Engineering as SPR# KHON72EHWT and has been addressed in the following releases of Lotus® Domino®:
Domino 6.5.6 Fix Pack 2 (FP2)
Domino 7.0.2 Fix Pack 2 (FP2)
Note: When the server is rebooted, Agent Manager (AMgr) will detect the invalid signature and prevent the agent from running in the future. For example, the following error message will display on the server console and in the notes.log (with the actual agent, database, signer and certifier names):
"AMgr: Error executing agent 'AgentName' in ' database.nsf'. Agent signer 'Signer/OU/O': The version of the Notes you are running does not recognize the 'certifier' key that signed this document."
Tips for protecting against this vulnerability in prior releases:
- Change Access Control List (ACL) for the Server.Load Setup Agents (namagent.nsf). 'Default' and 'Anonymous' should be set to "No Access". Grant manager access to appropriate administrator(s), as needed.
- Ensure appropriate administration of Manager and Designer access to Notes databases
- Consider restricting users access to Editor for their mail files
Attack vector: Local network
Impact: Escalation of privileges, security bypass
Assessing this vulnerability using the Common Vulnerability Scoring System (CVSS):
CVSS Base Score: 3.6
CVSS Temporal Score: 3
CVSS Environmental Score: Undefined*
Overall CVSS Score: 3
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links below.
Base Score Metrics:
Related exploit range/Attack Vector: Remote
Attack Complexity: High
Level of Authentication Needed: Required
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: None
Impact Value Weighting: Weight Confidentiality
Temporal Score Metrics:
Availability of Exploit: Functional exploit exists
Type of Fix available: Official fix
Level of verification that vulnerability exists: Confirmed
Complete CVSS Guide: