Security Flaw & IBM Response

Posted on 2003-02-20
Medium Priority
Last Modified: 2013-12-18
Has anyone seen this?  My manager sent it to me.  We're running 5.08.  Anyone know if the R5 issues are release specific?  Bottom line is...I can't find info on the IBM site, so does anyone know if we should be concerned?

Update: IBM fixes reported Domino 6.0 security flaw
By Paul Roberts, IDG News Service, and Todd Weiss FEBRUARY 19, 2003
IBM has posted patches for three buffer overflow problems reported earlier in Lotus Domino Server 6.0 by a U.K.-based security consulting company. Unrepaired, the security flaws could allow attackers to run malicious code on machines running IBM's Lotus Domino or iNotes software.

The flaws were disclosed Feb. 17 in three advisories published by Next Generation Security Software Ltd. (NGS), a software security consulting company in Sutton, England.

Using a vulnerability in the Lotus iNotes messaging software, a remote attacker could gain control of a Domino server by providing an overly long value in a request for Web-based mail services. The long value would create a buffer overrun on the server, allowing attackers to execute their own software code using the privileged account that runs the Domino Web Services, according to NGS, which rated the vulnerability a "critical risk."

Katherine Spambauer, IBM development manager for the Domino security team, today confirmed that NGS reported the problems to IBM in mid-January and that IBM researchers investigated and created patches to fix the problems. IBM then sent the patches to NGS so the patches could be tested to be sure they fixed the reported problems, she said.

"We weren't able to re-create the exact problems they reported," but the fixes resolved the issues found by NGS, she said. IBM also tested Domino Server 5.0 and created patches to prevent similar problems.

No reports of the flaws were received from customers before or after the NGS reports, Spambauer said. "They have never experienced these issues," which were apparently only seen in lab tests by NGS.

The IBM patches, which were released Feb. 13, are available on the Lotus Developer Domain Web site.

A buffer overrun occurs when too much data is sent to a buffer in a computer's memory. When the buffer overflows, critical information that controls a program's execution is overwritten, allowing attackers to fill the buffer with their own code and causing the program to start executing the code.

The second vulnerability, also rated "critical risk," affects the Lotus Domino 6 application server software. Using the vulnerability, an attacker could create a buffer overrun by supplying false and excessively long host names in a request for a document or view stored in a Lotus database.

After triggering the overrun, attackers could execute their own code under the account running the Domino Web Service process, gaining control of the Domino server.

The third vulnerability, found in an ActiveX client control used by the iNotes software, allows an attacker to execute malicious code on a remote machine that's attempting to use iNotes Web-based messaging features.

An attacker could use an e-mail or a Web page to send a value that's too long to the ActiveX control, creating a buffer overrun on the target machine that allows the attacker to execute code using the privileges of the current user.

NGS rated the ActiveX vulnerability "medium risk."

The three vulnerabilities, which were found in Release 6.0 of Lotus Notes and Domino, have been patched by IBM in the 6.0.1 maintenance release. Although it didn't mention the NGS vulnerabilities, information posted on IBM's Web page said that the 6.0.1 release "includes fixes to enhance the quality and reliability of the Notes and Domino 6 products," and recommended that customers who haven't already done so upgrade to Version 6.0.1.

Question by:jk9783
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
LVL 63

Accepted Solution

Zvonko earned 200 total points
ID: 7989594
From my point of view are all this buffer overflow attacks just fairy-tales.
The week point is produced by a buffer overflow. At that point not even normal processes run regular, so please why should attacker’s code run better.
This all is more to prove how tricky some guys are, nothing more.


Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

IBM Notes offer Encryption feature using which the user can secure its NSF emails or entire database easily. In this section we will discuss about the process to Encrypt Incoming and Outgoing Mails in depth.
Article by: Rob
Notes 8.5 Archiving Steps and Tips This article covers setting up a Notes archive, and helps understand some of the menu choices making setting up and maintaining a Notes archive file easier.
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
Add bar graphs to Access queries using Unicode block characters. Graphs appear on every record in the color you want. Give life to numbers. Hopes this gives you ideas on visualizing your data in new ways ~ Create a calculated field in a query: …
Suggested Courses
Course of the Month8 days, 10 hours left to enroll

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question