A complete revision history can be found at the end of this file.
Multiple vulnerabilities have been reported to affect Lotus Notes clients and Domino servers. Multiple reporters, the close timing, and some ambiguity caused confusion about what releases are vulnerable. We are issuing this advisory to help clarify the details of the vulnerabilities, the versions affected, and the patches that resolve these issues.
In February 2003, NGS Software released several advisories detailing vulnerabilities affecting Lotus Notes and Domino. The following vulnerabilities reported by NGS Software affect versions of Lotus Domino prior to 5.0.12 and 6.0:
VU#206361 - Lotus iNotes vulnerable to buffer overflow via PresetFields FolderName field
Lotus Technical Documentation: KSPR5HUQ59
NGS Software's Advisory: NISR17022003b
VU#355169 - Lotus Domino Web Server vulnerable to denial of service via incomplete POST request
Lotus Technical Documentation: KSPR5HTQHS
NGS Software's Advisory: NISR17022003d
VU#542873 - Lotus iNotes vulnerable to buffer overflow via PresetFields s_ViewName field
Lotus Technical Documentation: KSPR5HUPEK
NGS Software's Advisory: NISR17022003b
VU#772817 - Lotus Domino Web Server vulnerable to buffer overflow via non-existent "h_SetReturnURL" parameter with an overly long "Host Header" field
Lotus Technical Documentation: KSPR5HTLW6
NGS Software's Advisory: NISR17022003a
The following vulnerability reported by NGS Software affects versions of Lotus Domino up to and including 5.0.12 and 6.0.1:
VU#571297 - Lotus Notes and Domino COM Object Control Handler contains buffer overflow
Lotus Technical Documentation: SWG21104543
NGS Software's Advisory: NISR17022003e
VU#571297 was originally reported as a vulnerability in an iNotes ActiveX control. The vulnerable code is not specific to iNotes or ActiveX. The iNotes ActiveX control was an attack vector for the vulnerability and is not the affected code base. Because this issue is not specific to ActiveX, Lotus Notes clients and Domino Servers running on platforms other than Microsoft Windows may be affected.
In March 2003, Rapid7, Inc. released several advisories. The following vulnerabilities, reported by Rapid7, Inc., affect versions of Lotus Domino prior to 5.0.12:
VU#433489 - Lotus Domino Server susceptible to a pre-authentication buffer overflow during Notes authentication
Lotus Technical Documentation: DBAR5CJJJS
Rapid7, Inc.'s Advisory: R7-0010
VU#411489 - Lotus Domino Web Retriever contains a buffer overflow vulnerability
Lotus Technical Documentation: KSPR5DFJTR
Rapid7, Inc.'s Advisory: R7-0011
Rapid7, Inc. also discovered that Lotus Domino pre-release and beta versions of 6.0 were also affected by the following vulnerability:
VU#583184 - Lotus Domino R5 Server Family contains multiple vulnerabilities in LDAP handling code
The release version of Lotus Domino 6.0 is not affected. Only pre-release and beta versions of 6.0 are affected. VU#583184 was a regression of the PROTOS LDAP Test-Suite from CA-2001-18 and was originally fixed in 5.0.7a.
Lotus Technical Documentation: DWUU4W6NC8
Rapid7, Inc.'s Advisory: R7-0012
The impact of these vulnerabilities ranges from denial of service to data corruption and the potential to execute arbitrary code. For details about the impact of a specific vulnerability, please see the related vulnerability note.
Most of these vulnerabilities are resolved in versions 5.0.12 and 6.0.1 of Lotus Domino.
Only VU#571297, "Lotus Notes and Domino COM Object Control Handler contains buffer overflow," is not resolved in 5.0.12 or 6.0.1. Critical Fix 1 for 6.0.1 was released on March 18, 2003, to resolve this issue for both the Notes client and Domino server.
Patches are available for some vulnerabilities. Please view the individual vulnerability notes for specific patch information.
Lotus Domino servers listen on port 1352/TCP. Notes may also be configured to listen on other ports, such as NETBIOS, SPX, or XPC. Blocking access to these ports from machines outside your trusted network perimeter may help mitigate successful exploitation of these vulnerabilities.
Our thanks to NGS Software and Rapid7, Inc. for discovering and reporting on these vulnerabilities. We also thank the Lotus Security Team for aiding in the resolution and clarification of these issues.
Feedback on this document can be directed to the author, Jason A. Rafail.
Copyright 2003 Carnegie Mellon University.
Revision History
Mar 26, 2003: Initial release
Apr 02, 2003: Added clarification that VU#583184 does not affect the release version of Lotus Domino 6.0, only pre-release and beta versions.