CERT VU#963889 - ActiveX Control Buffer Overflow in Lotus Domino Web Access (iNotes)
Will Dormann of the CERT/CC contacted IBM Lotus to report several potential buffer overflow vulnerabilities with the ActiveX control used by Lotus Domino Web Access.
The advisory can be accessed at the following link: http://www.kb.cert.org/vuls/id/963889
Information about this issue has also been published by Secunia: http://secunia.com/advisories/28184/
There is also a CVE identifier of CVE-2007-4474.
It is possible for an attacker to compromise the ActiveX controls used within Lotus Domino Web Access to execute arbitrary code resulting in a buffer overflow situation.
In order for an attacker to successfully exploit this vulnerability in previous releases, the following must be accomplished:
(1) The Lotus Domino Web Access feature needs to be enabled to allow users to access their mail via a browser.
(2) User has used the Domino Web Access client at least once, which installs the ActiveX control.
(3) Attacker must create malicious code that would exploit the ActiveX control and create the buffer overflow. This code can be part of an email, attachment, or web page.
(4) User must be persuaded to view a message, attachment or web site that contains the malicious code via a Microsoft® Internet Explorer (IE) web browser.
Important Note: Domino Web Access does not need to be used after it is installed. The vulnerability attacks the ActiveX controls after they are initialized.
There are two Active X variations that could expose this type of security vulnerability. These issues were reported to Quality Engineering as SPR# KEMG6URKCC and PRAD78ALG5. Refer to the table below for details.
The two issues are similar in that they expose a security vulnerability within the Active X control used by Domino Web Access. However, the property vulnerable and the syntax to exploit the issue are different.
|SPR #||Details||Fixed Versions|
|KEMG6URKCC||Issue is with "mail_maildbpath" property||Fixed in Lotus Domino Web Access version 6.5.6, 7.0.3, and 8.0|
|PRAD78ALG5||Issue is with "General_ServerName" property||Fixed in Lotus Domino Web Access 8.0.1 and 7.0.4.|
Refer to the Upgrade Central site for details on upgrading Domino Web Access to these releases.
Customers should contact IBM Support to request a hotfix, if needed
Properly securing your web browser to limit Active X controls can help avoid this issue. Limiting the Active X controls would (1) notify the user, and (2) force the user to take some action to allow the Active X functionality. The CERT has documented the steps necessary to secure your web browser in their advisory linked above. However, in short, you want to disable the Active X options within your browser's security settings.
|Security Rating using Common Vulnerability Scoring System (CVSS) v2|
|CVSS Base Score: < 9 >
Impact Subscore: < 9.5 >
Exploitability Subscore: < 8.6 >
CVSS Temporal Score: < 7 >
CVSS Environmental Score: < Undefined* >
Overall CVSS Score: < 7 >
|Base Score Metrics:
|Temporal Score Metrics:
*The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.
More support for:
Lotus Domino Web Access
Software version: 6.5, 7.0, 8.0
Operating system(s): Windows
Reference #: 1279071
Modified date: 03 September 2010