Stack buffer overflow vulnerability in Lotus Domino iCalendar functionality

Technote (troubleshooting)


Problem

MWR InfoSecurity and TippingPoint's Zero Day Initiative (ZDI) contacted IBM Lotus to report a potential buffer overflow vulnerability with the Lotus Domino iCalendar functionality.

It is possible to cause a buffer overflow situation based on the iCalendar content included in a calendar invitation.

To exploit this vulnerability, an attacker would have to send an iCalendar invitation with specific parameters. The vulnerability is triggered when the Domino server processes that content, which could result in remote code execution.
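The bug class the technote describes, a fixed-size stack buffer overrun while parsing an attacker-controlled iCalendar property value, is illustrated below. This is an added example written for this page; it is not Domino's code, not from IBM, MWR or ZDI, and it does not reproduce the specific parameters involved. The `VALUE_MAX` size, the line-oriented `NAME:value` handling, the function names and the sample invitation are all constructed assumptions. The unchecked copy is shown only for contrast; the bounded parser and the whole-invitation scan are the defender-side pieces.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Fixed-size buffer for one property value. The size is an assumption for
   this illustration; the page does not give Domino's real buffer size. */
#define VALUE_MAX 64

/* VULNERABLE pattern, for contrast only (not Domino's code): the value after
   ':' is copied into a fixed stack buffer with no length check, so a value of
   VALUE_MAX bytes or more writes past the end of the buffer. */
static void extract_value_unchecked(const char *line, char dst[VALUE_MAX])
{
    const char *sep = strchr(line, ':');
    if (sep != NULL)
        strcpy(dst, sep + 1);   /* no bound: this is the defect */
}

/* Hardened form: explicit input length, every copy bounded by the caller's
   destination size, CRLF stripped, and oversized values refused rather than
   silently truncated. Returns 0 on success, -1 if there is no ':' separator,
   -2 if the value plus its NUL would not fit in dst. */
int ical_extract_value(const char *line, size_t line_len,
                       char *dst, size_t dst_size)
{
    const char *sep = memchr(line, ':', line_len);
    if (sep == NULL)
        return -1;
    const char *value = sep + 1;
    size_t len = (size_t)((line + line_len) - value);
    while (len > 0 && (value[len - 1] == '\r' || value[len - 1] == '\n'))
        len--;                  /* drop the line terminator */
    if (dst_size == 0 || len >= dst_size)
        return -2;              /* reject instead of overflowing */
    memcpy(dst, value, len);
    dst[len] = '\0';
    return 0;
}

/* Status of extracting a NUL-terminated line into a VALUE_MAX buffer. */
int value_status(const char *line)
{
    char dst[VALUE_MAX];
    return ical_extract_value(line, strlen(line), dst, sizeof dst);
}

/* 1 if the line's value extracts cleanly and equals expected, else 0. */
int value_matches(const char *line, const char *expected)
{
    char dst[VALUE_MAX];
    if (ical_extract_value(line, strlen(line), dst, sizeof dst) != 0)
        return 0;
    return strcmp(dst, expected) == 0;
}

/* Status for a constructed "DESCRIPTION:" line whose value is n 'A' bytes,
   used to probe the exact boundary of the bound check. */
int status_for_value_len(size_t n)
{
    char line[512];
    const char *prefix = "DESCRIPTION:";
    size_t plen = strlen(prefix);
    if (n > sizeof line - plen)
        return -99;             /* probe line itself would not fit */
    memcpy(line, prefix, plen);
    memset(line + plen, 'A', n);
    char dst[VALUE_MAX];
    return ical_extract_value(line, plen + n, dst, sizeof dst);
}

/* Walks a whole iCalendar body line by line and counts the property values
   the bounded parser rejects as too large, i.e. the lines the unchecked copy
   above would have overflowed on. A validating front-end can use this to
   drop or quarantine an invitation before a fixed-buffer parser sees it. */
int count_oversized_properties(const char *ics)
{
    int oversized = 0;
    const char *p = ics;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t line_len = nl ? (size_t)(nl - p) : strlen(p);
        char dst[VALUE_MAX];
        if (ical_extract_value(p, line_len, dst, sizeof dst) == -2)
            oversized++;
        p = nl ? nl + 1 : p + line_len;
    }
    return oversized;
}

/* Constructed sample invitation (not from the advisory): one DESCRIPTION
   value of 100 bytes exceeds VALUE_MAX. */
static const char SAMPLE_ICS[] =
    "BEGIN:VCALENDAR\r\n"
    "BEGIN:VEVENT\r\n"
    "SUMMARY:Team sync\r\n"
    "LOCATION:Room 4\r\n"
    "DESCRIPTION:"
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"
    "\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n";

int main(void)
{
    char buf[VALUE_MAX];
    extract_value_unchecked("SUMMARY:Team sync", buf);   /* short value fits */
    printf("unchecked copy of a short value: %s\n", buf);
    printf("oversized properties in sample: %d\n",
           count_oversized_properties(SAMPLE_ICS));
    printf("63-byte value: %d, 64-byte value: %d\n",
           status_for_value_len(63), status_for_value_len(64));
    return 0;
}
```

The design point is that the hardened parser never learns the buffer size from the input: the caller passes `dst_size`, the check is `len >= dst_size` so the terminating NUL is always accounted for, and an oversized value is a reportable error rather than a truncated string, which is what lets the scan above flag a malformed invitation instead of quietly accepting it.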


(Original publish date September 14, 2010. See "Change History" below.)


Resolving the problem

For related information, see the following advisories:



Recommended Fix

This issue was reported to Quality Engineering as SPR# NRBY7ZPJ9V. To address the issue, customers are encouraged to upgrade to the following releases:



Workarounds

There are no known workarounds.


Security Rating using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score: < 9.3 >
---- Impact Subscore: < 10 >
---- Exploitability Subscore: < 8.6 >
CVSS Temporal Score: < 7.3 >
CVSS Environmental Score: < Undefined* >
Overall CVSS Score: < 7.3 >
Base Score Metrics:
  • Related exploit range/Attack Vector: < Network >
  • Access Complexity: < Medium >
  • Authentication: < None >
  • Confidentiality Impact: < Complete >
  • Integrity Impact: < Complete >
  • Availability Impact: < Complete >
Temporal Score Metrics:
  • Exploitability: < Proof of Concept Code >
  • Remediation Level: < Official Fix >
  • Report Confidence: < Confirmed >
References:

*The CVSS Environmental Score is customer environment-specific and will ultimately affect the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.
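The scores listed above follow from the metric values using the published CVSS v2 equations. The following is an added worked computation, not part of the technote: the metric weights are the CVSS v2 specification's values, the function and constant names are this example's own, and the last four functions encode exactly the advisory's vector (Network / Medium / None, Complete / Complete / Complete, Proof of Concept Code / Official Fix / Confirmed).

```c
#include <stdio.h>

/* CVSS v2 base-metric weights, as published in the CVSS v2 specification. */
#define AV_LOCAL    0.395   /* Access Vector */
#define AV_ADJACENT 0.646
#define AV_NETWORK  1.0
#define AC_HIGH     0.35    /* Access Complexity */
#define AC_MEDIUM   0.61
#define AC_LOW      0.71
#define AU_MULTIPLE 0.45    /* Authentication */
#define AU_SINGLE   0.56
#define AU_NONE     0.704
#define IMPACT_NONE     0.0     /* Confidentiality / Integrity / Availability */
#define IMPACT_PARTIAL  0.275
#define IMPACT_COMPLETE 0.660
/* Temporal weights used by this advisory's vector. */
#define EXPLOITABILITY_POC   0.9    /* Proof of Concept Code */
#define REMEDIATION_OFFICIAL 0.87   /* Official Fix */
#define CONFIDENCE_CONFIRMED 1.0    /* Confirmed */

/* CVSS v2 rounds to one decimal at each named score; scores are never
   negative here, so truncation after adding 0.5 is a correct round-half-up
   without needing libm. */
static double round1(double x)
{
    return (double)((long)(x * 10.0 + 0.5)) / 10.0;
}

/* Small tolerance comparison for callers checking a computed score. */
int approx(double a, double b)
{
    double d = a - b;
    return (d < 0 ? -d : d) < 1e-9;
}

/* ImpactSubscore = 10.41 * (1 - (1-C)(1-I)(1-A)) */
double cvss2_impact(double c, double i, double a)
{
    return 10.41 * (1.0 - (1.0 - c) * (1.0 - i) * (1.0 - a));
}

/* ExploitabilitySubscore = 20 * AV * AC * Au */
double cvss2_exploitability(double av, double ac, double au)
{
    return 20.0 * av * ac * au;
}

/* BaseScore = round1(((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact))
   with f(Impact) = 0 when Impact is 0, otherwise 1.176. The unrounded
   subscores feed this step; only the displayed subscores are rounded. */
double cvss2_base(double impact, double exploitability)
{
    double f = (impact == 0.0) ? 0.0 : 1.176;
    return round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f);
}

/* TemporalScore = round1(BaseScore * E * RL * RC) */
double cvss2_temporal(double base, double e, double rl, double rc)
{
    return round1(base * e * rl * rc);
}

/* This advisory's vector: AV:N/AC:M/Au:N/C:C/I:C/A:C, E:POC/RL:OF/RC:C. */
double advisory_impact(void)
{
    return cvss2_impact(IMPACT_COMPLETE, IMPACT_COMPLETE, IMPACT_COMPLETE);
}
double advisory_exploitability(void)
{
    return cvss2_exploitability(AV_NETWORK, AC_MEDIUM, AU_NONE);
}
double advisory_base(void)
{
    return cvss2_base(advisory_impact(), advisory_exploitability());
}
double advisory_temporal(void)
{
    return cvss2_temporal(advisory_base(), EXPLOITABILITY_POC,
                          REMEDIATION_OFFICIAL, CONFIDENCE_CONFIRMED);
}

int main(void)
{
    printf("Impact subscore:         %.1f\n", round1(advisory_impact()));
    printf("Exploitability subscore: %.1f\n", round1(advisory_exploitability()));
    printf("Base score:              %.1f\n", advisory_base());
    printf("Temporal score:          %.1f\n", advisory_temporal());
    return 0;
}
```

With the Environmental metrics undefined, the Overall score equals the Temporal score, which is why the page lists 7.3 for both; changing only the Remediation Level from Official Fix to Unavailable (weight 1.0) would lift the temporal score back toward the base, which is the practical reason the advisory's temporal rating drops once a fix ships.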


Change History
10 October 2010 Updated product versions list.
14 September 2010 Initial publication.


    Cross reference information
    Segment: Messaging Applications
    Product: IBM Notes
    Component: Calendaring and Scheduling


Document information


More support for:

IBM Domino
Security

Software version:

6.5, 7.0, 8.0, 8.5, 8.5.1

Operating system(s):

AIX, AIX 64bit, Linux, Linux iSeries, Linux zSeries, Solaris, Windows, Windows 64bit, z/OS

Reference #:

1446515

Modified date:

2010-10-13
