(Feb 2011) Potential security vulnerabilities in Lotus Notes & Domino

Most of these attacks represent denial of service attacks by buffer overflow. To exploit these vulnerabilities, an attacker would need to send maliciously malformed messages to the Lotus Domino server over a variety of protocols as indicated below. However, in specific situations, there exists the possibility to execute arbitrary code. In the case of ZDI-11-051 (SPR# PRAD82YJW2), malicious users could supply damaged cai::URIs to facilitate execution of arbitrary code in Notes. Refer to the table for more information on each, including the SPR number for tracking purposes and, where applicable, fix availability.

Tipping Point Ref #	CVE	ZDI Disclosure Published Date	Description	IBM Lotus SPR #	First Fix Availability Date	Fixed Version	CVSS Score	CVSS Vector
ZDI-11-045	CVE-2011-0919	2011-02-07	(0day) IBM Lotus Domino IMAP/POP3 Non-Printable Character Expansion Remote Code Execution Vulnerability	KLYH87LLVJ	Unconfirmed. Unable to reproduce.	N/A	10	(AV:N/AC:L/Au:N/C:C/I:C/A:C)
ZDI-11-046	CVE-2011-0918	2011-02-07	(0day) IBM Lotus Domino Calendar Request Attachment Name Parsing Remote Code Execution Vulnerability	KLYH87LKRE	Unconfirmed. Unable to reproduce.	N/A	10	(AV:N/AC:L/Au:N/C:C/I:C/A:C)
ZDI-11-047	CVE-2011-0917	2011-02-07	(0day) IBM Lotus Domino LDAP Bind Request Remote Code Execution Vulnerability	KLYH87LMVX	2011-10-04	8.5.3	10	(AV:N/AC:L/Au:N/C:C/I:C/A:C)
ZDI-11-048	CVE-2011-0915	2011-02-07	(0day) IBM Lotus Domino iCalendar Meeting Request Parsing Remote Code Execution Vulnerability	KLYH87LL23	2011-10-04	8.5.3	10	(AV:N/AC:L/Au:N/C:C/I:C/A:C)
ZDI-11-049	CVE-2011-0916	2011-02-07	(0day) IBM Lotus Domino SMTP Multiple Filename Arguments Remote Code Execution Vulnerability	KLYH889M8H	2011-07-19	8.5.2 FP3 8.5.3	10	(AV:N/AC:L/Au:N/C:C/I:C/A:C)
ZDI-11-051	CVE-2011-0912	2011-02-07	(0day) IBM Lotus Domino SMTP Multiple Filename Arguments Remote Code Execution Vulnerability	PRAD82YJW2	2010-07-27	8.0.2 FP6 8.5.1 FP5 8.5.2 and later	9.3	(AV:N/AC:M/Au:N/C:C/I:C/A:C)
ZDI-11-052	CVE-2011-0914	2011-02-07	(0day) Lotus Domino Server diiop Client Request Operation Remote Code Execution Vulnerability	KLYH87LM4S	2011-03-29	8.5.2 FP2 8.5.3	10	(AV:N/AC:L/Au:N/C:C/I:C/A:C)
ZDI-11-053	CVE-2011-0913	2011-02-07	(0day) Lotus Domino Server diiop getEnvironmentString Remote Code Execution Vulnerability	KLYH87LML7	2009-10-12	8.5.1	10	(AV:N/AC:L/Au:N/C:C/I:C/A:C)
ZDI-11-110	CVE-2011-0920	2011-03-22	(0day) IBM Lotus Domino Server Controller Authentication Bypass Remote Code Execution Vulnerability	PRAD89WGRS	2011-07-19	8.5.2 FP3 8.5.3	4.3	(AV:N/AC:M/Au:N/NC/I:P/A:N)

For unconfirmed problems, you can track progress at the Notes/Domino Update Status page.

At time of publication, there currently are no known active exploits of these issues. However, if you encounter any of the unconfirmed issues, contact IBM Support with reproducible steps, referencing the related SPR number.

For additional information on these issues, you can access the TippingPoint ZDI advisories at the following link: http://www.zerodayinitiative.com/advisories

Remediation:

Users can download and upgrade to the appropriate release of Notes or Domino as indicated in the table above.

• Maintenance releases for 8.5.1, 8.5.2 and 8.5.3 can be found at http://www.ibm.com/software/howtobuy/passportadvantage/pao_customers.htm
• 8.0.2 Fixpacks can be found at: http://www.ibm.com/support/docview.wss?uid=swg24026644
• 8.5.1 Fixpacks can be found at http://www.ibm.com/support/docview.wss?uid=swg24025721
• 8.5.2 Fixpacks can be found at http://www.ibm.com/support/docview.wss?uid=swg24028680
  

Workarounds:

For SPR# PRAD89WGRS, Domino does not support use of UNC paths for usage with Remote Console. As a workaround, you should specify absolute paths.

For all others, there are currently no known workarounds to avoid these issues.

References :

· Complete CVSS Guide
· On-line Calculator V2
· X-Force Vulnerability Database – SSL/TLS information disclosure
· CVE-2011-3389

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

---

Change History 03 Feb 2012 Updated fix status, added fix availability, fix version, CVSS, CVE, Vector
17 Feb 2011	Marked SPR KLYH87LML7 fixed in 8.5.1.
09 & 10 Feb 2011	Updated reference numbers listed for TippingPoint ZDI.
04 Feb 2011	Initial publication.