(Feb 2011) Potential security vulnerabilities in Lotus Notes & Domino

News


Abstract

TippingPoint Zero Day Initiative (ZDI) contacted IBM to report nine potential buffer overflow vulnerabilities in Lotus Notes and Domino. IBM has fixes for seven of them; it cannot reproduce the other two and is pursuing additional information.

(Originally published February 4, 2011. See Change History table below)

Content


Most of these issues are denial-of-service attacks by buffer overflow. To exploit these vulnerabilities, an attacker would need to send maliciously malformed messages to the Lotus Domino server over a variety of protocols, as indicated below. In specific situations, however, arbitrary code execution is possible. In the case of ZDI-11-051 (SPR# PRAD82YJW2), malicious users could supply damaged cai::URIs to facilitate execution of arbitrary code in Notes. Refer to the table for more information on each issue, including the SPR number for tracking purposes and, where applicable, fix availability.


| TippingPoint Ref # | CVE | ZDI Disclosure Published Date | Description | IBM Lotus SPR # | First Fix Availability Date | Fixed Version | CVSS Score | CVSS Vector |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| ZDI-11-045 | CVE-2011-0919 | 2011-02-07 (0day) | IBM Lotus Domino IMAP/POP3 Non-Printable Character Expansion Remote Code Execution Vulnerability | KLYH87LLVJ | Unconfirmed. Unable to reproduce. | N/A | 10 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) |
| ZDI-11-046 | CVE-2011-0918 | 2011-02-07 (0day) | IBM Lotus Domino Calendar Request Attachment Name Parsing Remote Code Execution Vulnerability | KLYH87LKRE | Unconfirmed. Unable to reproduce. | N/A | 10 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) |
| ZDI-11-047 | CVE-2011-0917 | 2011-02-07 (0day) | IBM Lotus Domino LDAP Bind Request Remote Code Execution Vulnerability | KLYH87LMVX | 2011-10-04 | 8.5.3 | 10 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) |
| ZDI-11-048 | CVE-2011-0915 | 2011-02-07 (0day) | IBM Lotus Domino iCalendar Meeting Request Parsing Remote Code Execution Vulnerability | KLYH87LL23 | 2011-10-04 | 8.5.3 | 10 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) |
| ZDI-11-049 | CVE-2011-0916 | 2011-02-07 (0day) | IBM Lotus Domino SMTP Multiple Filename Arguments Remote Code Execution Vulnerability | KLYH889M8H | 2011-07-19 | 8.5.2 FP3; 8.5.3 | 10 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) |
| ZDI-11-051 | CVE-2011-0912 | 2011-02-07 (0day) | IBM Lotus Notes cai URI Handler remote code execution vulnerability | PRAD82YJW2 | 2010-07-27 | 8.0.2 FP6; 8.5.1 FP5; 8.5.2 and later | 9.3 | (AV:N/AC:M/Au:N/C:C/I:C/A:C) |
| ZDI-11-052 | CVE-2011-0914 | 2011-02-07 (0day) | Lotus Domino Server diiop Client Request Operation Remote Code Execution Vulnerability | KLYH87LM4S | 2011-03-29 | 8.5.2 FP2; 8.5.3 | 10 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) |
| ZDI-11-053 | CVE-2011-0913 | 2011-02-07 (0day) | Lotus Domino Server diiop getEnvironmentString Remote Code Execution Vulnerability | KLYH87LML7 | 2009-10-12 | 8.5.1 | 10 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) |
| ZDI-11-110 | CVE-2011-0920 | 2011-03-22 (0day) | IBM Lotus Domino Server Controller Authentication Bypass Remote Code Execution Vulnerability | PRAD89WGRS | 2011-07-19 | 8.5.2 FP3; 8.5.3 | 4.3 | (AV:N/AC:M/Au:N/C:N/I:P/A:N) |


For unconfirmed problems, you can track progress at the Notes/Domino Update Status page.

At the time of publication, there are no known active exploits of these issues. However, if you encounter any of the unconfirmed issues, contact IBM Support with reproducible steps, referencing the related SPR number.

For additional information on these issues, you can access the TippingPoint ZDI advisories at the following link: http://www.zerodayinitiative.com/advisories

Remediation:

Users can download and upgrade to the appropriate release of Notes or Domino as indicated in the table above.

Workarounds:

For SPR# PRAD89WGRS, Domino does not support the use of UNC paths with Remote Console. As a workaround, specify absolute paths.

For all others, there are currently no known workarounds to avoid these issues.

References:

· Complete CVSS Guide
· On-line Calculator V2
· X-Force Vulnerability Database – SSL/TLS information disclosure
· CVE-2011-3389

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.


Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Change History
03 Feb 2012 Updated fix status, added fix availability, fix version, CVSS, CVE, Vector
17 Feb 2011 Marked SPR KLYH87LML7 fixed in 8.5.1.
09 & 10 Feb 2011 Updated reference numbers listed for TippingPoint ZDI.
04 Feb 2011 Initial publication.

Related information

8.0.2 Fix Pack 6 Release Notice
8.5.1 Fix Pack 5 Release Notice
8.5.2 Release Notice
8.5.1 Release Notice & Top 20 Fix List

Cross reference information
Segment Product Component Platform Version Edition
Messaging Applications IBM Notes Windows

Document information


More support for:

IBM Domino

Software version:

7.0, 8.0, 8.5

Operating system(s):

AIX, AIX 64bit, IBM i, Linux, Linux iSeries, Linux zSeries, Solaris, Windows, Windows 64bit, i5/OS, z/OS

Software edition:

All Editions

Reference #:

1461514

Modified date:

2011-05-06
