Potential Notes workstation Execution Control List (ECL) security vulnerability

Technote (FAQ)


Question

Ed Schaller contacted IBM Lotus to report a potential Execution Control List (ECL) security issue within the IBM Lotus Notes client.

The ECL, introduced in Notes 4.5, lets users protect their data against e-mail bombs, viruses, Trojan horses, and unwanted application intrusions by controlling whether such programs or code are allowed to execute; code that is not trusted by the ECL is supposed to trigger an Execution Security Alert before it runs. It has been determined that, in specific situations involving Notes database (.nsf) or Notes template (.ntf) attachments, the Execution Security Alert may not be presented at all.


Cause

The Execution Control List security check works as expected when a Notes database attachment is opened and its buttons are executed manually. However, if the same code is placed in a Navigator, the Execution Security Alert (ESA) may not be issued, so the code in the attachment executes automatically without the user being prompted.
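The two code paths described above, as an added example in Python that is not IBM's code and does not reproduce the Notes client: the ECL is modelled as a map from signer to trusted capabilities, the Execution Security Alert as a callback, and the defect as an execution path that never consults the gate. The signer name "Admin/Acme", the capability names and the hostile attachment are constructed for the example; the "-No Signature-" and "-Default-" lookup order is an assumption about how the real ECL resolves entries.

```python
# Toy model of the Notes workstation ECL decision described in this technote.
# Added example; this is not IBM code. Names marked as assumptions are not from the page.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# Assumption: unsigned code is looked up under "-No Signature-" and unknown
# signers fall back to "-Default-".
NO_SIGNATURE = "-No Signature-"
DEFAULT = "-Default-"


@dataclass(frozen=True)
class Code:
    """Embedded code: who signed it (None = unsigned) and the workstation
    capabilities it needs (constructed names modelled on ECL options)."""
    signer: Optional[str]
    needs: FrozenSet[str]


# The Execution Security Alert, modelled as a callback that sees the code and
# the capabilities the ECL does not grant it, and returns True to allow execution.
Prompt = Callable[[Code, FrozenSet[str]], bool]


class ECL:
    """Signer name -> set of capabilities that signer is trusted with."""

    def __init__(self, entries: Dict[str, FrozenSet[str]]) -> None:
        self.entries = dict(entries)

    def trusted(self, code: Code) -> FrozenSet[str]:
        key = NO_SIGNATURE if code.signer is None else code.signer
        if key not in self.entries:
            key = DEFAULT
        return self.entries.get(key, frozenset())

    def missing(self, code: Code) -> FrozenSet[str]:
        """Capabilities the code needs that its ECL entry does not grant."""
        return frozenset(code.needs - self.trusted(code))


def execution_gate(code: Code, ecl: ECL, prompt: Prompt) -> bool:
    """The single checkpoint every execution path must pass through:
    silently allow fully trusted code, otherwise raise the ESA."""
    missing = ecl.missing(code)
    if not missing:
        return True
    return prompt(code, missing)


def run_button(code: Code, ecl: ECL, prompt: Prompt) -> bool:
    """Manual button click: consults the ECL (works as expected per the technote)."""
    return execution_gate(code, ecl, prompt)


def run_navigator_vulnerable(code: Code, ecl: ECL, prompt: Prompt) -> bool:
    """Navigator auto-execute path as the technote describes the defect:
    the code runs without the gate ever being consulted."""
    del ecl, prompt  # never looked at: this is the bug
    return True


def run_navigator_fixed(code: Code, ecl: ECL, prompt: Prompt) -> bool:
    """Hardened form: the navigator path is routed through the same gate."""
    return execution_gate(code, ecl, prompt)


class RecordingPrompt:
    """ESA stand-in that records every alert and answers with a fixed decision."""

    def __init__(self, allow: bool) -> None:
        self.allow = allow
        self.alerts: List[Tuple[Optional[str], Tuple[str, ...]]] = []

    def __call__(self, code: Code, missing: FrozenSet[str]) -> bool:
        self.alerts.append((code.signer, tuple(sorted(missing))))
        return self.allow


def demo() -> Dict[str, Tuple[bool, int]]:
    """Run an unsigned attachment's code (constructed sample) through each
    path; returns path -> (executed?, number of ESA prompts shown)."""
    ecl = ECL({
        NO_SIGNATURE: frozenset(),                 # unsigned code gets nothing
        DEFAULT: frozenset({"access_current_db"}),
        "Admin/Acme": frozenset({"access_current_db", "access_filesystem", "send_mail"}),
    })
    hostile = Code(signer=None, needs=frozenset({"access_filesystem", "send_mail"}))
    results: Dict[str, Tuple[bool, int]] = {}
    for name, path in (("button", run_button),
                       ("navigator_vulnerable", run_navigator_vulnerable),
                       ("navigator_fixed", run_navigator_fixed)):
        prompt = RecordingPrompt(allow=False)      # user answers "Do not execute"
        results[name] = (path(hostile, ecl, prompt), len(prompt.alerts))
    return results


if __name__ == "__main__":
    for path, (ran, prompts) in demo().items():
        print(f"{path:22s} executed={ran} prompts={prompts}")
```

The point the model makes is the design one: the ECL is only as strong as the weakest path that can start code, so every entry point (button, agent, navigator, auto-launch) has to call the same gate rather than each carrying its own check.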

Answer

This issue was reported to Quality Engineering as SPR# KEMG6WELNR, and is fixed in Lotus Notes releases 7.0.3 and 8.0. Refer to the Upgrade Central site for details on upgrading Notes/Domino.


Workaround
Users are strongly urged to exercise caution when opening or viewing unsolicited file attachments, in particular Notes database (.nsf) and template (.ntf) attachments, since the ECL may not prompt before code in such an attachment runs. In addition, a proven commercial virus scanning program that filters attachments should be deployed. These measures reduce exposure but are not a substitute for upgrading to a fixed release.


Security Rating using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score: 9.3
---- Impact Subscore: 10
---- Exploitability Subscore: 8.6
CVSS Temporal Score: 7.3
CVSS Environmental Score: Undefined*
Overall CVSS Score: 7.3
Base Score Metrics (vector AV:N/AC:M/Au:N/C:C/I:C/A:C):
    • Related exploit range/Attack Vector: Network
    • Access Complexity: Medium
    • Authentication: None
    • Confidentiality Impact: Complete
    • Integrity Impact: Complete
    • Availability Impact: Complete
Temporal Score Metrics (vector E:POC/RL:OF/RC:C):
    • Exploitability: Proof of Concept Code
    • Remediation Level: Official Fix
    • Report Confidence: Confirmed
References:

*The CVSS Environmental Score is customer environment-specific and will ultimately affect the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their own environments by scoring the CVSS v2 environmental metrics for their deployment.



Document information

More support for: IBM Notes, Security
Software version: 6.5, 7.0, 8.0
Operating system(s): Linux, Mac OS, Windows
Reference #: 1270884
Modified date: 2011-05-22
