Potential denial of service in Lotus Notes due to malformed SMTP message

Technote (FAQ)


Question

Dan Ritter & the VCC contacted IBM Lotus to report a potential security vulnerability that could result in both a denial of service and remote execution of code. In specific situations, the exploit would cause the Lotus Notes client to crash.

Cause

This issue, which is caused by a specially crafted SMTP message, could result in one of the following known stack traces in the NSD, depending on the Notes client version deployed.

Fatal Thread #1: nlnotes
nnotesws.CEdDocMark::DeleteMark+5

Fatal Thread #2: nlnotes
nnotesws.CEdDocMark::DeleteMark+20

Fatal Thread #3: nlnotes
nnotesws.CEdHotSpotRun::Load+3


Answer

There are two variations that could expose this type of security vulnerability. These issues were reported to Quality Engineering as SPR# SNES6NMVG7 and ABUI76AJAM. Refer to the table below for details.


The issues are similar in that they expose a security vulnerability that is exploited by a specific SMTP message.

SPR # | Exploit Specifics | Fixed Versions
SNES6NMVG7 | Specific text must be included in the SMTP message | Fixed in Lotus Notes versions 7.0.2 CCH, 7.0.3, and 8.0
ABUI76AJAM | A specific attachment must be included in the SMTP message | Fixed in Lotus Notes versions 7.0.2 CCH, 7.0.3 CCH, and 8.0.1

Refer to the Upgrade Central site for details on upgrading Notes/Domino.

Note: These issues impact the Lotus Notes client only; they do not impact the Domino server.


Security Rating using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score: < 9.3 >
---- Impact Subscore: < 10 >
---- Exploitability Subscore: < 8.6 >
CVSS Temporal Score: < 7.3 >
CVSS Environmental Score: < Undefined* >
Overall CVSS Score: < 7.3 >
Base Score Metrics:
    • Related exploit range/Attack Vector: < Network >
    • Access Complexity: < Medium >
    • Authentication: < None >
    • Confidentiality Impact: < Complete >
    • Integrity Impact: < Complete >
    • Availability Impact: < Complete >
Temporal Score Metrics:
    • Exploitability: < Proof of Concept Code >
    • Remediation Level: < Official Fix >
    • Report Confidence: < Confirmed >
References:
*The CVSS Environment Score is customer-environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.
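
The scores above can be reproduced from the listed metrics with the CVSS v2 equations, and the same equations give the environmental score this technote leaves undefined. The Python below is an added example, not part of the IBM technote: the weights are the published CVSS v2 values, the function names are illustrative, and the environmental inputs (collateral damage potential, target distribution, security requirements) are assumptions each site supplies for itself.

```python
# CVSS v2 metric weights (published v2 specification values).
AV = {"Local": 0.395, "Adjacent": 0.646, "Network": 1.0}
AC = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AU = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
CIA = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}
E = {"Unproven": 0.85, "Proof of Concept Code": 0.90, "Functional": 0.95, "High": 1.0}
RL = {"Official Fix": 0.87, "Temporary Fix": 0.90, "Workaround": 0.95, "Unavailable": 1.0}
RC = {"Unconfirmed": 0.90, "Uncorroborated": 0.95, "Confirmed": 1.0}
CDP = {"None": 0.0, "Low": 0.1, "Low-Medium": 0.3, "Medium-High": 0.4, "High": 0.5}
TD = {"None": 0.0, "Low": 0.25, "Medium": 0.75, "High": 1.0}

# Metric values exactly as listed in this technote.
TECHNOTE = {"AV": "Network", "AC": "Medium", "Au": "None",
            "C": "Complete", "I": "Complete", "A": "Complete",
            "E": "Proof of Concept Code", "RL": "Official Fix", "RC": "Confirmed"}

def impact(m, req=None):
    """Impact subscore; with req (CR, IR, AR weights) it is AdjustedImpact."""
    weights = req or (1.0, 1.0, 1.0)
    c, i, a = (CIA[m[k]] * w for k, w in zip("CIA", weights))
    raw = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    return min(10.0, raw) if req else raw  # the cap applies to AdjustedImpact only

def exploitability(m):
    return 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]

def base(m, req=None):
    imp = impact(m, req)
    f = 0.0 if imp == 0 else 1.176
    return round((0.6 * imp + 0.4 * exploitability(m) - 1.5) * f, 1)

def temporal(m, req=None):
    return round(base(m, req) * E[m["E"]] * RL[m["RL"]] * RC[m["RC"]], 1)

def environmental(m, cdp="None", td="High", req=(1.0, 1.0, 1.0)):
    """req weights: Low 0.5, Medium or Not Defined 1.0, High 1.51.
    td="High" (1.0) is also the weight for Not Defined."""
    adj = temporal(m, req)  # temporal score recomputed on AdjustedImpact
    return round((adj + (10 - adj) * CDP[cdp]) * TD[td], 1)

if __name__ == "__main__":
    print("base", base(TECHNOTE), "temporal", temporal(TECHNOTE))
    # Site-specific assumptions: some collateral damage, every client affected.
    print("environmental", environmental(TECHNOTE, cdp="Low-Medium", td="High"))
```

With all environmental metrics left undefined the result equals the temporal score, which is why the technote's overall score matches its temporal score; a site whose Notes clients are all at fixed versions would set the target distribution to "None" and score 0.0.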




Change History
23 October 2007 Initial publication.
20 February 2008 Added SPR #ABUI76AJAM



Document information

More support for: IBM Notes, Performance
Software version: 6.5, 7.0, 8.0
Operating system(s): Windows
Reference #: 1271957
Modified date: 2011-05-22
