Your operating system and Lotus Notes® leverage several layers of security that must be compromised to be vulnerable to gain access to a user's password. Is there a way an attacher could discover and use an unpublished notes.ini file debug variable to learn a notes.id password?
This issue was reported to Quality Engineering as SPR# KLYH759K46. Notes/Lotus Domino® versions 7.0.3, 8.0, and all future versions will contain a hotfix that will remove the use of an undocumented debug variable. If you encounter this situation, contact Product Support to see if the hotfix is available for your particular configuration.
An attacker could find and use an unwanted notes.ini parameter to search for and log a user password. However, in order to do this, the following circumstances must be true:
1. The attacker must compromise the workstation in order to implement this parameter or have administrative rights to push out a notes.ini change with a policy.
2. The user must restart the Notes client.
3. The user must be persuaded to change his/her notes.id password.
4. The attacker must gather the information from the debug outfile.
Need for security:
Users are strongly urged to use caution when opening or viewing unsolicited file attachments or scripts that could potentially introduce an unwanted notes.ini parameter.
In order to limit who can access your system, you can implement standard workstation security which includes both Notes Execution Control Lists and operating system security. For more information about Notes Execution Control Lists, refer to Document #1087209, "What is the Workstation Execution Control List (ECL)?"
Review the access control list (ACL) settings in your Domino Directory to ensure that the ability to change and use policies is given only to trusted administrators.
If you utilize a multi-user workstation environment, make sure to properly implement operating system security and user accounts to control access to personal directories.
Security rating using the Common Vulnerability Scoring System (CVSS):
CVSS Base Score: 1
CVSS Temporal Score: 0.9
CVSS Environmental Score: Undefined*
Overall CVSS Score: 0.9
*The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links below.
Base Score Metrics:
Related exploit range/Attack Vector: Local
Attack Complexity: Low
Level of Authentication Needed: Required
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Impact Value Weighting: Normal
Temporal Score Metrics:
Availability of Exploit: Functional exploit exists
Type of Fix available: Workaround
Level of verification that vulnerability exists: Confirmed
Complete CVSS Guide:
Online Calculator: http://nvd.nist.gov/cvss.cfm?calculator
|Messaging Applications||Lotus End of Support Products||Lotus Domino||7.0, 6.5, 6.0, 5.0|