Security Flaw & IBM Response
Posted on 2003-02-20
Has anyone seen this? My manager sent it to me. We're running 5.08. Anyone know if the R5 issues are release specific? Bottom line is...I can't find info on the IBM site, so does anyone know if we should be concerned?
Update: IBM fixes reported Domino 6.0 security flaw
By Paul Roberts, IDG News Service, and Todd Weiss FEBRUARY 19, 2003
IBM has posted patches for three buffer overflow problems reported earlier in Lotus Domino Server 6.0 by a U.K.-based security consulting company. Unrepaired, the security flaws could allow attackers to run malicious code on machines running IBM's Lotus Domino or iNotes software.
The flaws were disclosed Feb. 17 in three advisories published by Next Generation Security Software Ltd. (NGS), a software security consulting company in Sutton, England.
Using a vulnerability in the Lotus iNotes messaging software, a remote attacker could gain control of a Domino server by providing an overly long value in a request for Web-based mail services. The long value would create a buffer overrun on the server, allowing attackers to execute their own software code using the privileged account that runs the Domino Web Services, according to NGS, which rated the vulnerability a "critical risk."
Katherine Spambauer, IBM development manager for the Domino security team, today confirmed that NGS reported the problems to IBM in mid-January and that IBM researchers investigated and created patches to fix the problems. IBM then sent the patches to NGS so the patches could be tested to be sure they fixed the reported problems, she said.
"We weren't able to re-create the exact problems they reported," but the fixes resolved the issues found by NGS, she said. IBM also tested Domino Server 5.0 and created patches to prevent similar problems.
No reports of the flaws were received from customers before or after the NGS reports, Spambauer said. "They have never experienced these issues," which were apparently only seen in lab tests by NGS.
The IBM patches, which were released Feb. 13, are available on the Lotus Developer Domain Web site.
A buffer overrun occurs when too much data is sent to a buffer in a computer's memory. When the buffer overflows, critical information that controls a program's execution is overwritten, allowing attackers to fill the buffer with their own code and causing the program to start executing the code.
The second vulnerability, also rated "critical risk," affects the Lotus Domino 6 application server software. Using the vulnerability, an attacker could create a buffer overrun by supplying false and excessively long host names in a request for a document or view stored in a Lotus database.
After triggering the overrun, attackers could execute their own code under the account running the Domino Web Service process, gaining control of the Domino server.
The third vulnerability, found in an ActiveX client control used by the iNotes software, allows an attacker to execute malicious code on a remote machine that's attempting to use iNotes Web-based messaging features.
An attacker could use an e-mail or a Web page to send a value that's too long to the ActiveX control, creating a buffer overrun on the target machine that allows the attacker to execute code using the privileges of the current user.
NGS rated the ActiveX vulnerability "medium risk."
The three vulnerabilities, which were found in Release 6.0 of Lotus Notes and Domino, have been patched by IBM in the 6.0.1 maintenance release. Although it didn't mention the NGS vulnerabilities, information posted on IBM's Web page said that the 6.0.1 release "includes fixes to enhance the quality and reliability of the Notes and Domino 6 products," and recommended that customers who haven't already done so upgrade to Version 6.0.1.