CERT VU#963889 - ActiveX Control Buffer Overflow in Lotus Domino Web Access (iNotes)

Technote (FAQ)


Question

Will Dormann of the CERT/CC contacted IBM Lotus to report several potential buffer overflow vulnerabilities in the ActiveX control used by Lotus Domino Web Access.

The advisory can be accessed at the following link: http://www.kb.cert.org/vuls/id/963889

Information about this issue has also been published by Secunia: http://secunia.com/advisories/28184/

The issue has been assigned the CVE identifier CVE-2007-4474.



Cause

An attacker can trigger a buffer overflow in the ActiveX controls used by Lotus Domino Web Access and, through that overflow, execute arbitrary code.


In order for an attacker to successfully exploit this vulnerability in releases prior to the fixed versions, all of the following must hold:

(1) The Lotus Domino Web Access feature is enabled so that users can access their mail via a browser.

(2) The user has used the Domino Web Access client at least once, which installs the ActiveX control.

(3) The attacker has created malicious code that exploits the ActiveX control and causes the buffer overflow. This code can be part of an email, an attachment, or a web page.

(4) The user is persuaded to view a message, attachment, or web site that contains the malicious code in a Microsoft® Internet Explorer (IE) web browser.

Important Note: Domino Web Access does not need to be in use for the attack to succeed; once the control is installed, the vulnerability is reached as soon as the ActiveX controls are initialized.


Answer

There are two ActiveX variations that could expose this type of security vulnerability. These issues were reported to Quality Engineering as SPR# KEMG6URKCC and SPR# PRAD78ALG5. Refer to the table below for details.


The two issues are similar in that they expose a security vulnerability within the ActiveX control used by Domino Web Access. However, the vulnerable property, and therefore the way the issue is triggered, differs between them.

SPR #         Details                                            Fixed Versions
KEMG6URKCC    Issue is with the "mail_maildbpath" property       Fixed in Lotus Domino Web Access 6.5.6, 7.0.3, and 8.0
PRAD78ALG5    Issue is with the "General_ServerName" property    Fixed in Lotus Domino Web Access 8.0.1 and 7.0.4

Refer to the Upgrade Central site for details on upgrading Domino Web Access to these releases.

Customers should contact IBM Support to request a hotfix, if needed.


Possible Workaround:

Properly securing your web browser to limit ActiveX controls can help avoid this issue. Limiting ActiveX controls will (1) notify the user, and (2) force the user to take some action before ActiveX functionality is allowed to run. CERT has documented the steps necessary to secure your web browser in the advisory linked above. In short, disable the ActiveX options within your browser's security settings.
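The following PowerShell script is an added example and is not code from the IBM technote, from IBM/Lotus, or from CERT. It audits, and optionally tightens, the Internet Explorer zone settings that govern ActiveX, which is the workaround the technote describes. The registry layout it relies on (per-zone keys under `Internet Settings\Zones`, with DWORD action values where 0 = Enable, 1 = Prompt and 3 = Disable) is Microsoft's documented IE security-zone format; the function names and the choice of which five ActiveX actions to manage are this example's own.

```powershell
# Added example (not from the IBM technote): audit and harden the Internet Explorer
# zone settings that control ActiveX, as the workaround above recommends.
# Registry layout is Microsoft's documented IE zone format:
#   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<zone>
#   zone 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites
#   each action is a DWORD: 0 = Enable, 1 = Prompt, 3 = Disable

$ActiveXActions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe for scripting'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}
$ActionNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IEZonePath {
    param([int]$Zone, [switch]$Machine)
    # HKLM is the effective location when the "Security Zones: Use only machine settings"
    # policy is enabled; otherwise the per-user HKCU settings apply.
    $hive = if ($Machine) { 'HKLM:' } else { 'HKCU:' }
    "$hive\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
}

function Get-IEZoneActiveXPolicy {
    # Report the current state of each ActiveX action in the given zone.
    param([int]$Zone = 3, [switch]$Machine)
    $key = Get-IEZonePath -Zone $Zone -Machine:$Machine
    foreach ($id in $ActiveXActions.Keys) {
        $value = (Get-ItemProperty -Path $key -Name $id -ErrorAction SilentlyContinue).$id
        $state = if ($null -eq $value) { 'Not set (IE default applies)' }
                 elseif ($ActionNames.ContainsKey([int]$value)) { $ActionNames[[int]$value] }
                 else { "Unknown ($value)" }
        [pscustomobject]@{ Zone = $Zone; Setting = $id; Name = $ActiveXActions[$id]; State = $state }
    }
}

function Set-IEZoneActiveXPolicy {
    # Set every ActiveX action in the zone to Disable (3) or Prompt (1).
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$Zone = 3,
        [ValidateSet(1, 3)][int]$Action = 3,   # 3 = Disable (the technote's advice), 1 = Prompt
        [switch]$Machine
    )
    $key = Get-IEZonePath -Zone $Zone -Machine:$Machine
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($id in $ActiveXActions.Keys) {
        $target = "$key\$id ($($ActiveXActions[$id]))"
        if ($PSCmdlet.ShouldProcess($target, "Set to $($ActionNames[$Action])")) {
            Set-ItemProperty -Path $key -Name $id -Value $Action -Type DWord
        }
    }
}

# Usage: inspect the Internet zone, then preview the change; drop -WhatIf to apply it.
Get-IEZoneActiveXPolicy -Zone 3 | Format-Table -AutoSize
Set-IEZoneActiveXPolicy -Zone 3 -Action 3 -WhatIf
```

Run the audit first and keep its output: the Internet zone (3) is where untrusted mail and web content lands, so that is the zone to lock down, and a Domino Web Access server that is itself reached through the Internet zone will then also be unable to load its control until it is placed in a zone you deliberately leave less restrictive. Use the Prompt action (1) if a hard Disable breaks something you still need during the interval before the fixed Domino Web Access release is deployed.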


Security Rating using Common Vulnerability Scoring System (CVSS) v2

CVSS Base Score: 9
Impact Subscore: 9.5
Exploitability Subscore: 8.6
CVSS Temporal Score: 7
CVSS Environmental Score: Undefined*
Overall CVSS Score: 7

Base Score Metrics:
  • Related exploit range/Attack Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Partial

Temporal Score Metrics:
  • Exploitability: Proof of Concept Code
  • Remediation Level: Official Fix
  • Report Confidence: Confirmed

*The CVSS Environmental Score is customer environment-specific and will ultimately affect the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their own environments using the links referenced above.
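To show where the subscores above come from, here is an added PowerShell example, not part of the IBM technote, that evaluates the CVSS v2 base and temporal equations for the metric values the technote lists. The metric weights and equations are those published in the CVSS v2 specification; the function name and parameter names are this example's own. With the technote's metrics it reproduces the 9.5 impact subscore, 8.6 exploitability subscore, 9.0 base score and 7.0 temporal score given above.

```powershell
# Added example (not from the IBM technote): compute CVSS v2 scores from metrics.
# Weights and equations follow the CVSS v2 specification (FIRST).

$AV  = @{ Local = 0.395; AdjacentNetwork = 0.646; Network = 1.0 }
$AC  = @{ High = 0.35; Medium = 0.61; Low = 0.71 }
$Au  = @{ Multiple = 0.45; Single = 0.56; None = 0.704 }
$CIA = @{ None = 0.0; Partial = 0.275; Complete = 0.660 }
$E   = @{ Unproven = 0.85; ProofOfConcept = 0.90; Functional = 0.95; High = 1.0; NotDefined = 1.0 }
$RL  = @{ OfficialFix = 0.87; TemporaryFix = 0.90; Workaround = 0.95; Unavailable = 1.0; NotDefined = 1.0 }
$RC  = @{ Unconfirmed = 0.90; Uncorroborated = 0.95; Confirmed = 1.0; NotDefined = 1.0 }

function Round1 ([double]$x) {
    # CVSS v2 rounds to one decimal place, half away from zero.
    [math]::Round($x, 1, [System.MidpointRounding]::AwayFromZero)
}

function Get-Cvss2Score {
    param(
        [string]$AccessVector, [string]$AccessComplexity, [string]$Authentication,
        [string]$Confidentiality, [string]$Integrity, [string]$Availability,
        [string]$Exploitability = 'NotDefined',
        [string]$RemediationLevel = 'NotDefined',
        [string]$ReportConfidence = 'NotDefined'
    )
    # Impact = 10.41 * (1 - (1-C)(1-I)(1-A))
    $impact  = 10.41 * (1 - (1 - $CIA[$Confidentiality]) * (1 - $CIA[$Integrity]) * (1 - $CIA[$Availability]))
    # Exploitability = 20 * AV * AC * Au
    $exploit = 20 * $AV[$AccessVector] * $AC[$AccessComplexity] * $Au[$Authentication]
    # f(Impact) = 0 if Impact is 0, else 1.176
    $fImpact = if ($impact -eq 0) { 0 } else { 1.176 }
    # Base = ((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact)
    $base = Round1 (((0.6 * $impact) + (0.4 * $exploit) - 1.5) * $fImpact)
    # Temporal = Base * E * RL * RC
    $temporal = Round1 ($base * $E[$Exploitability] * $RL[$RemediationLevel] * $RC[$ReportConfidence])
    [pscustomobject]@{
        ImpactSubscore         = Round1 $impact
        ExploitabilitySubscore = Round1 $exploit
        BaseScore              = $base
        TemporalScore          = $temporal
    }
}

# The metrics the technote lists for CVE-2007-4474
Get-Cvss2Score -AccessVector Network -AccessComplexity Medium -Authentication None `
    -Confidentiality Complete -Integrity Complete -Availability Partial `
    -Exploitability ProofOfConcept -RemediationLevel OfficialFix -ReportConfidence Confirmed
```

The temporal score is the figure to watch operationally: it is the base score discounted by the 0.90 proof-of-concept and 0.87 official-fix factors, so it drops only once the fixed Domino Web Access release is actually deployed, which is the reason the technote's overall score stays at 7 until the environmental metrics are set for a specific site.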



Document information

More support for: Lotus Domino Web Access, Browser
Software version: 6.5, 7.0, 8.0
Operating system(s): Windows
Reference #: 1279071
Modified date: 2010-09-03
