CERT Advisory CA-2003-11 Multiple Vulnerabilities in Lotus Notes and Domino

From: CERT Advisory (cert-advisory@cert.org)
Date: 03/26/03

  • Next message: CERT Advisory: "CERT Advisory CA-2003-12 Buffer Overflow in Sendmail"
    Date: Wed, 26 Mar 2003 11:41:02 -0500
    From: CERT Advisory <cert-advisory@cert.org>
    To: cert-advisory@cert.org
    
    

    -----BEGIN PGP SIGNED MESSAGE-----

    CERT Advisory CA-2003-11 Multiple Vulnerabilities in Lotus Notes and Domino

       Original release date: March 26, 2003
       Last revised: --
       Source: CERT/CC

       A complete revision history can be found at the end of this file.

    Systems Affected

         * Lotus Notes and Domino versions prior to 5.0.12 and 6.0 Gold
         * VU#571297 affects 5.0.12, 6.0.1 and prior versions.

    Overview

       Multiple vulnerabilities have been reported to affect Lotus Notes
       clients and Domino servers. Multiple reporters, the close timing, and
       some ambiguity caused confusion about what releases are vulnerable. We
       are issuing this advisory to help clarify the details of the
       vulnerabilities, the versions affected, and the patches that resolve
       these issues.

    I. Description

       In February 2003, NGS Software released several advisories detailing
       vulnerabilities affecting Lotus Notes and Domino. The following
       vulnerabilities reported by NGS Software affect versions of Lotus
       Domino prior to 5.0.12 and 6.0:

         VU#206361 - Lotus iNotes vulnerable to buffer overflow via
         PresetFields FolderName field
         Lotus Technical Documentation: KSPR5HUQ59
         NGS Software's Advisory: NISR17022003b

         VU#355169 - Lotus Domino Web Server vulnerable to denial of service
         via incomplete POST request
         Lotus Technical Documentation: KSPR5HTQHS
         NGS Software's Advisory: NISR17022003d

         VU#542873 - Lotus iNotes vulnerable to buffer overflow via
         PresetFields s_ViewName field
         Lotus Technical Documentation: KSPR5HUPEK
         NGS Software's Advisory: NISR17022003b

         VU#772817 - Lotus Domino Web Server vulnerable to buffer overflow
         via non-existent "h_SetReturnURL" parameter with an overly long
         "Host Header" field
         Lotus Technical Documentation: KSPR5HTLW6
         NGS Software's Advisory: NISR17022003a

       The following vulnerability reported by NGS Software affects versions
       of Lotus Domino up to and including 5.0.12 and 6.0.1:

         VU#571297 - Lotus Notes and Domino COM Object Control Handler
         contains buffer overflow
         Lotus Technical Documentation: SWG21104543
         NGS Software's Advisory: NISR17022003e

       VU#571297 was originally reported as a vulnerability in an iNotes
       ActiveX control. The vulnerable code is not specific to iNotes or
       ActiveX. The iNotes ActiveX control was an attack vector for the
       vulnerability and is not the affected code base. Because this issue is
       not specific to ActiveX, Lotus Notes clients and Domino Servers
       running on platforms other than Microsoft Windows may be affected.

       In March 2003, Rapid7, Inc. released several advisories. The following
       vulnerabilities, reported by Rapid7, Inc., affect versions of Lotus
       Domino prior to 5.0.12:

         VU#433489 - Lotus Domino Server susceptible to a pre-authentication
         buffer overflow during Notes authentication
         Lotus Technical Documentation: DBAR5CJJJS
         Rapid7, Inc.'s Advisory: R7-0010

         VU#411489 - Lotus Domino Web Retriever contains a buffer overflow
         vulnerability
         Lotus Technical Documentation: KSPR5DFJTR
         Rapid7, Inc.'s Advisory: R7-0011

       Rapid7, Inc. also discovered that Lotus Domino pre-release and beta
       versions of 6.0 were also affected by the following vulnerability:

         VU#583184 - Lotus Domino R5 Server Family contains multiple
         vulnerabilities in LDAP handling code
         Lotus Technical Documentation: DWUU4W6NC8
         Rapid7, Inc.'s Advisory: R7-0012

       VU#583184 was a regression of the PROTOS LDAP Test-Suite from
       CA-2001-18 and was originally fixed in 5.0.7a.

    II. Impact

       The impact of these vulnerabilities range from denial of service to
       data corruption and the potential to execute arbitrary code. For
       details about the impact of a specific vulnerability, please see the
       related vulnerability note.

    III. Solution

     Upgrade

       Most of these vulnerabilities are resolved in versions 5.0.12 and
       6.0.1 of Lotus Domino.

       Only VU#571297, "Lotus Notes and Domino COM Object Control Handler
       contains buffer overflow," is not resolved in 5.0.12, or 6.0.1.
       Critical Fix 1 for 6.0.1 was released on March 18, 2003, to resolve
       this issue for both the Notes client and Domino server.

     Apply a patch

       Patches are available for some vulnerabilities. Please view the
       individual vulnerability notes for specific patch information.

     Block access from outside the network perimeter

       Lotus Domino servers listen on port 1352/TCP. Notes may also be
       configured to listen on other ports, such as NETBIOS, SPX, or XPC.
       Blocking access to these ports from machines outside your trusted
       network perimeter may help mitigate successful exploitation of these
       vulnerabilities.

    Appendix A - References

         1. http://www.kb.cert.org/vuls/id/571297
         2. http://www.kb.cert.org/vuls/id/206361
         3. http://www.ibm.com/Search?v=11
         4.
    http://www.nextgenss.com/advisories/lotus-inotesoflow.txt
         5. http://www.kb.cert.org/vuls/id/355169
         6. http://www.ibm.com/Search?v=11
         7.
    http://www.nextgenss.com/advisories/lotus-60dos.txt
         8. http://www.kb.cert.org/vuls/id/542873
         9. http://www.ibm.com/Search?v=11
         10.
    http://www.nextgenss.com/advisories/lotus-inotesoflow.txt
         11. http://www.kb.cert.org/vuls/id/772817
         12. http://www.ibm.com/Search?v=11
         13.
    http://www.nextgenss.com/advisories/lotus-hostlocbo.txt
         14. http://www.kb.cert.org/vuls/id/571297
         15. http://www.ibm.com/Search?v=11
         16.
    http://www.nextgenss.com/advisories/lotus-inotesclientaxbo.txt
         17. http://www.kb.cert.org/vuls/id/433489
         18. http://www.ibm.com/Search?v=11
         19.
    http://www.rapid7.com/advisories/R7-0010.html
         20. http://www.kb.cert.org/vuls/id/411489
         21. http://www.ibm.com/Search?v=11
         22.
    http://www.rapid7.com/advisories/R7-0011.html
         23. http://www.kb.cert.org/vuls/id/583184
         24. http://www.ibm.com/Search?v=11
         25.
    http://www.rapid7.com/advisories/R7-0012.html
         26. http://www.kb.cert.org/vuls/id/583184
         27. http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/
         28. http://www.cert.org/advisories/CA-2001-18.html
         29. http://www.kb.cert.org/vuls/id/571297
         30. http://www-10.lotus.com/ldd/r5fixlist.nsf/80bff5d07b4be477052569ce0
             0710588/8bc951d3ff1e578385256ce10052a78a?OpenDocument
       _________________________________________________________________

       Our thanks to NGS Software and Rapid7, Inc. for discovering and
       reporting on these vulnerabilities. We also thank the Lotus Security
       Team for aiding in the resolution and clarification of these issues.
       _________________________________________________________________

       Feedback on this document can be directed to the author,
       Jason A. Rafail.
       ______________________________________________________________________

       This document is available from:
       http://www.cert.org/advisories/CA-2003-11.html
       ______________________________________________________________________

    CERT/CC Contact Information

       Email: cert@cert.org
              Phone: +1 412-268-7090 (24-hour hotline)
              Fax: +1 412-268-6989
              Postal address:
              CERT Coordination Center
              Software Engineering Institute
              Carnegie Mellon University
              Pittsburgh PA 15213-3890
              U.S.A.

       CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
       EDT(GMT-4) Monday through Friday; they are on call for emergencies
       during other hours, on U.S. holidays, and on weekends.

    Using encryption

       We strongly urge you to encrypt sensitive information sent by email.
       Our public PGP key is available from
       http://www.cert.org/CERT_PGP.key

       If you prefer to use DES, please call the CERT hotline for more
       information.

    Getting security information

       CERT publications and other security information are available from
       our web site
       http://www.cert.org/

       To subscribe to the CERT mailing list for advisories and bulletins,
       send email to majordomo@cert.org. Please include in the body of your
       message

       subscribe cert-advisory

       * "CERT" and "CERT Coordination Center" are registered in the U.S.
       Patent and Trademark Office.
       ______________________________________________________________________

       NO WARRANTY
       Any material furnished by Carnegie Mellon University and the Software
       Engineering Institute is furnished on an "as is" basis. Carnegie
       Mellon University makes no warranties of any kind, either expressed or
       implied as to any matter including, but not limited to, warranty of
       fitness for a particular purpose or merchantability, exclusivity or
       results obtained from use of the material. Carnegie Mellon University
       does not make any warranty of any kind with respect to freedom from
       patent, trademark, or copyright infringement.
         _________________________________________________________________

       Conditions for use, disclaimers, and sponsorship information

       Copyright 2003 Carnegie Mellon University.

       Revision History
             Mar 26, 2003: Initial release

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 6.5.8

    iQCVAwUBPoHV6GjtSoHZUTs5AQHRowQAqTsPoDgziMnlUsSw5IpRjK64Zzwjid6c
    e6DsWsBo3LhzPTd7jMTHHVhEBYeqf9uqrX7OEvYbeH81wCHAf/U7WK/nEw0godrj
    HBPVXV3V0WyiX39u3dH+E0xjuT/9Ij9dRmgKh/nTkSu4a2HeNOJJgUmReG72H7xg
    dBncDSyQ62M=
    =zLwf
    -----END PGP SIGNATURE-----


  • Next message: CERT Advisory: "CERT Advisory CA-2003-12 Buffer Overflow in Sendmail"

    Relevant Pages