Last revised: Apr 02, 2003
Source: CERT/CC
A complete revision history can be found at the end of this file.
Systems Affected
- Lotus Notes and Domino versions prior to 5.0.12 and 6.0 Gold
- VU#571297 affects 5.0.12, 6.0.1 and prior versions.
Overview
Multiple vulnerabilities have been reported to affect Lotus Notes clients and Domino servers. Multiple reporters, the close timing, and some ambiguity caused confusion about what releases are vulnerable. We are issuing this advisory to help clarify the details of the vulnerabilities, the versions affected, and the patches that resolve these issues.
I. Description
In February 2003, NGS Software released several advisories detailing vulnerabilities affecting Lotus Notes and Domino. The following vulnerabilities reported by NGS Software affect versions of Lotus Domino prior to 5.0.12 and 6.0:
VU#206361 - Lotus iNotes vulnerable to buffer overflow via PresetFields FolderName field
Lotus Technical Documentation: KSPR5HUQ59
NGS Software's Advisory: NISR17022003b
VU#355169 - Lotus Domino Web Server vulnerable to denial of service via incomplete POST request
Lotus Technical Documentation: KSPR5HTQHS
NGS Software's Advisory: NISR17022003d
VU#542873 - Lotus iNotes vulnerable to buffer overflow via PresetFields s_ViewName field
Lotus Technical Documentation: KSPR5HUPEK
NGS Software's Advisory: NISR17022003b
VU#772817 - Lotus Domino Web Server vulnerable to buffer overflow via non-existent "h_SetReturnURL" parameter with an overly long "Host Header" field
Lotus Technical Documentation: KSPR5HTLW6
NGS Software's Advisory: NISR17022003a
The following vulnerability reported by NGS Software affects versions of Lotus Domino up to and including 5.0.12 and 6.0.1:
VU#571297 - Lotus Notes and Domino COM Object Control Handler contains buffer overflow
Lotus Technical Documentation: SWG21104543
NGS Software's Advisory: NISR17022003e
VU#571297 was originally reported as a vulnerability in an iNotes ActiveX control. The vulnerable code is not specific to iNotes or ActiveX. The iNotes ActiveX control was an attack vector for the vulnerability and is not the affected code base. Because this issue is not specific to ActiveX, Lotus Notes clients and Domino Servers running on platforms other than Microsoft Windows may be affected.
In March 2003, Rapid7, Inc. released several advisories. The following vulnerabilities, reported by Rapid7, Inc., affect versions of Lotus Domino prior to 5.0.12:
VU#433489 - Lotus Domino Server susceptible to a pre-authentication buffer overflow during Notes authentication
Lotus Technical Documentation: DBAR5CJJJS
Rapid7, Inc.'s Advisory: R7-0010
VU#411489 - Lotus Domino Web Retriever contains a buffer overflow vulnerability
Lotus Technical Documentation: KSPR5DFJTR
Rapid7, Inc.'s Advisory: R7-0011
Rapid7, Inc. also discovered that Lotus Domino pre-release and beta versions of 6.0 were also affected by the following vulnerability:
VU#583184 - Lotus Domino R5 Server Family contains multiple vulnerabilities in LDAP handling codeThe release version of Lotus Domino 6.0 is not affected. Only pre-release and beta versions of 6.0 are affected. VU#583184 was a regression of the PROTOS LDAP Test-Suite from CA-2001-18 and was originally fixed in 5.0.7a.
Lotus Technical Documentation: DWUU4W6NC8
Rapid7, Inc.'s Advisory: R7-0012
II. Impact
The impact of these vulnerabilities range from denial of service to data corruption and the potential to execute arbitrary code. For details about the impact of a specific vulnerability, please see the related vulnerability note.
III. Solution
Upgrade
Most of these vulnerabilities are resolved in versions 5.0.12 and 6.0.1 of Lotus Domino.
Only VU#571297, "Lotus Notes and Domino COM Object Control Handler contains buffer overflow," is not resolved in 5.0.12, or 6.0.1. Critical Fix 1 for 6.0.1 was released on March 18, 2003, to resolve this issue for both the Notes client and Domino server.
Apply a patch
Patches are available for some vulnerabilities. Please view the individual vulnerability notes for specific patch information.
Block access from outside the network perimeter
Lotus Domino servers listen on port 1352/TCP. Notes may also be configured to listen on other ports, such as NETBIOS, SPX, or XPC. Blocking access to these ports from machines outside your trusted network perimeter may help mitigate successful exploitation of these vulnerabilities.
Appendix A - References
1. http://www.kb.cert.org/vuls/id/571297
2. http://www.kb.cert.org/vuls/id/206361
3. http://www.ibm.com/Search?v=11&lang=en&cc=us&q=KSPR5HUQ59
4. http://www.nextgenss.com/advisories/lotus-inotesoflow.txt
5. http://www.kb.cert.org/vuls/id/355169
6. http://www.ibm.com/Search?v=11&lang=en&cc=us&q=KSPR5HTQHS
7. http://www.nextgenss.com/advisories/lotus-60dos.txt
8. http://www.kb.cert.org/vuls/id/542873
9. http://www.ibm.com/Search?v=11&lang=en&cc=us&q=KSPR5HUPEK
10. http://www.nextgenss.com/advisories/lotus-inotesoflow.txt
11. http://www.kb.cert.org/vuls/id/772817
12. http://www.ibm.com/Search?v=11&lang=en&cc=us&q=KSPR5HTLW6
13. http://www.nextgenss.com/advisories/lotus-hostlocbo.txt
14. http://www.kb.cert.org/vuls/id/571297
15. http://www.ibm.com/Search?v=11&lang=en&cc=us&q=swg21104543
16. http://www.nextgenss.com/advisories/lotus-inotesclientaxbo.txt
17. http://www.kb.cert.org/vuls/id/433489
18. http://www.ibm.com/Search?v=11&lang=en&cc=us&q=DBAR5CJJJS
19. http://www.rapid7.com/advisories/R7-0010.html
20. http://www.kb.cert.org/vuls/id/411489
21. http://www.ibm.com/Search?v=11&lang=en&cc=us&q=KSPR5DFJTR
22. http://www.rapid7.com/advisories/R7-0011.html
23. http://www.kb.cert.org/vuls/id/583184
24. http://www.ibm.com/Search?v=11&lang=en&cc=us&q=DWUU4W6NC8
25. http://www.rapid7.com/advisories/R7-0012.html
26. http://www.kb.cert.org/vuls/id/583184
27. http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/
28. http://www.cert.org/advisories/CA-2001-18.html
29. http://www.kb.cert.org/vuls/id/571297
30. http://www-10.lotus.com/ldd/r5fixlist.nsf/80bff5d07b4be477052569ce00710588/8bc951d3ff1e578385256ce10052a78a?OpenDocument
Our thanks to NGS Software and Rapid7, Inc. for discovering and reporting on these vulnerabilities. We also thank the Lotus Security Team for aiding in the resolution and clarification of these issues.
Feedback on this document can be directed to the author, Jason A. Rafail.
Copyright 2003 Carnegie Mellon University.
Revision History
Mar 26, 2003: Initial release
Apr 02, 2003: Added Clarification that VU#583184 does not affect the
release version of Lotus Domino 6.0, only pre-release and beta versions.