

CERT VU#963889 - ActiveX Control Buffer Overflow in Lotus Domino Web Access (iNotes)

 Technote (FAQ)
 
 
Question
Will Dormann of the CERT/CC contacted IBM Lotus to report several potential buffer overflow vulnerabilities with the ActiveX control used by Lotus® Domino® Web Access (iNotes™ Web Access).

The advisory can be accessed at the following link: http://www.kb.cert.org/vuls/id/963889

Information about this issue has also been published by Secunia: http://secunia.com/advisories/28184/

There is also a CVE identifier of CVE-2007-4474.

 
Cause
An attacker can trigger a buffer overflow in the ActiveX control used within Lotus Domino Web Access and thereby execute arbitrary code on the user's machine.
In order for an attacker to successfully exploit this vulnerability in releases prior to the fix, all of the following conditions must hold:

(1) The Lotus Domino Web Access feature is enabled so that users can access their mail via a browser.

(2) The user has used the Domino Web Access client at least once, which installs the ActiveX control.

(3) The attacker creates malicious code that exploits the ActiveX control and causes the buffer overflow. This code can be part of an email, an attachment, or a web page.

(4) The user is persuaded to view a message, attachment or web site that contains the malicious code in a Microsoft® Internet Explorer (IE) web browser.

Important Note: Domino Web Access does not need to be in use for the attack to succeed. Once the ActiveX control has been installed, the vulnerability is triggered whenever the control is initialized, regardless of which page initializes it.
 
Answer
There are two ActiveX variations that could expose this type of security vulnerability. These issues were reported to Quality Engineering as SPR# KEMG6URKCC and PRAD78ALG5. Refer to the table below for details.
The two issues are similar in that they expose a security vulnerability within the ActiveX control used by Domino Web Access. However, the vulnerable property and the syntax needed to exploit the issue are different.

SPR #         Details                                       Fixed Versions
KEMG6URKCC    Issue is with "mail_maildbpath" property      Fixed in Lotus Domino Web Access version 6.5.6, 7.0.3, and 8.0
PRAD78ALG5    Issue is with "General_ServerName" property   Fixed in Lotus Domino Web Access 8.0.1, and is targeted for 7.0.4.

Refer to the Upgrade Central site for details on upgrading Domino Web Access to these releases.

Customers should contact IBM Technical Support to request a hotfix, if needed.


Possible Workaround:

Properly securing your web browser to limit ActiveX controls can help avoid this issue. Limiting ActiveX controls would (1) notify the user, and (2) force the user to take some action before the ActiveX functionality is allowed to run. CERT has documented the steps necessary to secure your web browser in the advisory linked above. In short, disable (or set to prompt) the ActiveX options within your browser's security settings.
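As an added example that is not part of this technote or of any IBM tooling, the PowerShell below audits the Internet Explorer "Internet" zone ActiveX settings the workaround refers to and, with -Enforce, moves any setting still at Enable to Prompt. The registry path and the URL-action value names are Internet Explorer's standard per-user zone settings; the value meanings follow IE's convention (0 = Enable, 1 = Prompt, 3 = Disable).

```powershell
# Added example (not from the IBM technote): audit, and optionally tighten, the
# Internet Explorer Internet-zone (zone 3) ActiveX settings named in the workaround.
# Per-user settings; if Group Policy enforces HKLM-only zones, edit the HKLM key instead.
param([switch]$Enforce)

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# IE URL-action IDs for the ActiveX-related zone settings and their UI names.
$ActiveXActions = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}
$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# An absent key or value means the build default is in effect; treat that as unknown.
$zone = Get-ItemProperty -Path $ZonePath -ErrorAction SilentlyContinue

foreach ($id in ($ActiveXActions.Keys | Sort-Object)) {
    $current = if ($zone -and $null -ne $zone.$id) { [int]$zone.$id } else { $null }
    $label = if ($null -eq $current) { 'not set (default)' }
             elseif ($Labels.ContainsKey($current)) { $Labels[$current] }
             else { "unknown ($current)" }

    # Prompt or Disable already forces the user interaction the technote describes;
    # Enable (0) or an unset value needs review.
    $status = if ($current -eq 0 -or $null -eq $current) { 'REVIEW' } else { 'OK    ' }
    Write-Output ('{0} {1,-60} {2}' -f $status, $ActiveXActions[$id], $label)

    if ($Enforce -and $status -eq 'REVIEW') {
        # Prompt (1) matches "notify the user and force an action"; use 3 to disable outright.
        if (-not (Test-Path $ZonePath)) { New-Item -Path $ZonePath -Force | Out-Null }
        Set-ItemProperty -Path $ZonePath -Name $id -Value 1 -Type DWord
        Write-Output ('       -> set {0} to Prompt' -f $id)
    }
}
```

Run without -Enforce first to see the current posture; for a fleet, the same values are set centrally through the Internet Explorer zone Group Policy rather than per user.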


Security Rating using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score: 9
Impact Subscore: 9.5
Exploitability Subscore: 8.6
CVSS Temporal Score: 7
CVSS Environmental Score: Undefined*
Overall CVSS Score: 7
Base Score Metrics:
  • Related exploit range/Attack Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Partial
Temporal Score Metrics:
  • Exploitability: Proof of Concept Code
  • Remediation Level: Official Fix
  • Report Confidence: Confirmed
References:


*The CVSS Environmental Score is specific to each customer's environment and will ultimately affect the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by consulting the links referenced above.
 
 
 

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.


Document information

Product categories:

Software

Messaging Applications

Advanced Messaging

Lotus Domino Web Access

Browser


Operating system(s):

Windows


Software version:

6.5, 7.0, 8.0


Reference #:

1279071


IBM Group:

Software Group


Modified date:

2008-02-07
