Original release date: March 26, 2003<br>
Last revised: Apr 02, 2003<br>
Source: CERT/CC<br>

<p>A complete revision history can be found at the end of this file.</p>

<br>
<a name="affected"></a>  
<h3>Systems Affected</h3>

<ul>

<li>Lotus Notes and Domino versions prior to 5.0.12 and 6.0 Gold</li>

<li><a href="http://www.kb.cert.org/vuls/id/571297">VU#571297</a> affects 
5.0.12, 6.0.1 and prior versions.</li>

</ul>

<br>
<a name="overview"></a>
<h2>Overview</h2>
   
<P> 

Multiple vulnerabilities have been reported to affect Lotus Notes clients
and Domino servers. Multiple reporters, the close timing, and some
ambiguity caused confusion about what releases are vulnerable. We are
issuing this advisory to help clarify the details of the vulnerabilities,
the versions affected, and the patches that resolve these issues.

</p>

<br> 
<a name="description"></a> 
<h2>I. Description</h2>
   
<P>
In February 2003, NGS Software released several advisories 
detailing vulnerabilities affecting Lotus Notes and Domino. The 
following vulnerabilities reported by NGS Software affect versions of 
Lotus Domino prior to 5.0.12 and 6.0:

<blockquote>
<a href="http://www.kb.cert.org/vuls/id/206361">VU#206361</a> - Lotus 
iNotes vulnerable to buffer overflow via PresetFields FolderName field
<br>Lotus Technical Documentation: <a
href="http://www.ibm.com/Search?v=11&lang=en&cc=us&q=KSPR5HUQ59">KSPR5HUQ59</a>
<br>NGS Software's Advisory: <a 
href="http://www.nextgenss.com/advisories/lotus-inotesoflow.txt">NISR17022003b</a>
<br>

<br><a href="http://www.kb.cert.org/vuls/id/355169">VU#355169</a> -
Lotus Domino Web Server vulnerable to denial of service via incomplete 
POST request
              <br>Lotus Technical Documentation: <a
href="http://www.ibm.com/Search?v=11&lang=en&cc=us&q=KSPR5HTQHS">KSPR5HTQHS</a>
              <br>NGS Software's Advisory: <a 
href="http://www.nextgenss.com/advisories/lotus-60dos.txt">NISR17022003d</a>
<br>
<br><a href="http://www.kb.cert.org/vuls/id/542873">VU#542873</a> - Lotus 
iNotes vulnerable to buffer overflow via PresetFields s_ViewName field
              <br>Lotus Technical Documentation: <a
href="http://www.ibm.com/Search?v=11&lang=en&cc=us&q=KSPR5HUPEK">KSPR5HUPEK</a>
              <br>NGS Software's Advisory: <a 
href="http://www.nextgenss.com/advisories/lotus-inotesoflow.txt">NISR17022003b</a>
<br>

<br><a href="http://www.kb.cert.org/vuls/id/772817">VU#772817</a> - Lotus 
Domino Web Server vulnerable to buffer overflow via non-existent 
&quot;h_SetReturnURL&quot; parameter with an overly long &quot;Host 
Header&quot; field 
<br>              
Lotus Technical Documentation: <a
href="http://www.ibm.com/Search?v=11&lang=en&cc=us&q=KSPR5HTLW6">KSPR5HTLW6</a>
<br>              NGS Software's Advisory: <a 
href="http://www.nextgenss.com/advisories/lotus-hostlocbo.txt">NISR17022003a</a>

</blockquote>

<p>The following vulnerability reported by NGS Software affects versions
of Lotus Domino up to and including 5.0.12 and 6.0.1:

<blockquote>

<a href="http://www.kb.cert.org/vuls/id/571297">VU#571297</a> - Lotus 
Notes and Domino COM Object Control Handler contains buffer overflow
<br>              Lotus Technical Documentation: <a
href="http://www.ibm.com/Search?v=11&lang=en&cc=us&q=swg21104543">SWG21104543</a>
<br>              NGS Software's Advisory: <a 
href="http://www.nextgenss.com/advisories/lotus-inotesclientaxbo.txt">NISR17022003e</a>

</blockquote>

<p>

<a href="http://www.kb.cert.org/vuls/id/571297">VU#571297</a> was
originally reported as a vulnerability in an iNotes ActiveX control. The
vulnerable code is not specific to iNotes or ActiveX. The iNotes ActiveX
control was an attack vector for the vulnerability and is not the affected
code base.  Because this issue is not specific to ActiveX, Lotus Notes
clients and Domino Servers running on platforms other than Microsoft 
Windows may be affected.

</p> 

</p> 

<p> 

In March 2003, Rapid7, Inc. released several advisories.  The following
vulnerabilities, reported by Rapid7, Inc., affect versions of
Lotus Domino prior to 5.0.12:

<blockquote>

<a href="http://www.kb.cert.org/vuls/id/433489">VU#433489</a> - Lotus
Domino Server susceptible to a pre-authentication buffer overflow during 
Notes authentication
<br>              Lotus Technical Documentation: <a
href="http://www.ibm.com/Search?v=11&lang=en&cc=us&q=DBAR5CJJJS">DBAR5CJJJS</a>
<br>              Rapid7, Inc.'s Advisory: <a 
href="http://www.rapid7.com/advisories/R7-0010.html">R7-0010</a>
<br>              

<br><a href="http://www.kb.cert.org/vuls/id/411489">VU#411489</a> - Lotus
Domino Web Retriever contains a buffer overflow vulnerability
<br>              Lotus Technical Documentation: <a
href="http://www.ibm.com/Search?v=11&lang=en&cc=us&q=KSPR5DFJTR">KSPR5DFJTR</a>
<br>              Rapid7, Inc.'s Advisory: <a 
href="http://www.rapid7.com/advisories/R7-0011.html">R7-0011</a>
<br>
</blockquote>
</p>
<p> 
Rapid7, Inc. also discovered that Lotus Domino pre-release and 
beta versions of 6.0 were also affected by the following vulnerability:
<blockquote>              
<a href="http://www.kb.cert.org/vuls/id/583184">VU#583184</a> - Lotus
Domino R5 Server Family contains multiple vulnerabilities in LDAP handling
code
<br>              Lotus Technical Documentation: <a
href="http://www.ibm.com/Search?v=11&lang=en&cc=us&q=DWUU4W6NC8">DWUU4W6NC8</a>
<br>              Rapid7, Inc.'s Advisory: <a 
href="http://www.rapid7.com/advisories/R7-0012.html">R7-0012</a>
</blockquote>

The release version of Lotus Domino 6.0 is not affected. Only pre-release
and beta versions of 6.0 are affected. <a
href="http://www.kb.cert.org/vuls/id/583184">VU#583184</a> was a
regression of the <a
href="http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/">PROTOS
LDAP Test-Suite</a> from <a
href="http://www.cert.org/advisories/CA-2001-18.html">CA-2001-18</a> and
was originally fixed in 5.0.7a. </p>



<br>
<a name="impact"></a> <h2>II. Impact</h2>
   
<p>
The impact of these vulnerabilities range from denial of service to data 
corruption and the potential to execute arbitrary code. For details about 
the impact of a specific vulnerability, please see the 
related <a 
href="http://www.kb.cert.org/vuls/byid?searchview&query=VU%23542873+or+VU%23206361+or+VU%23772817+or+VU%23571297+or+VU%23355169+or+VU%23433489+or+VU%23411489+or+VU%23583184">vulnerability 
note</a>. </p>

<br>
<a name="solution"></a>
<h2>III. Solution</h2>

<h4>Upgrade</h4>
   
<p>Most of these vulnerabilities are resolved in versions 5.0.12 and 
6.0.1 of Lotus Domino. 
</p>
<p>

Only <a href="http://www.kb.cert.org/vuls/id/571297">VU#571297</a>,
&quot;Lotus Notes and Domino COM Object Control Handler contains buffer
overflow,&quot;  is not resolved in 5.0.12, or 6.0.1. <a
href="http://www-10.lotus.com/ldd/r5fixlist.nsf/80bff5d07b4be477052569ce00710588/8bc951d3ff1e578385256ce10052a78a?OpenDocument">Critical
Fix 1</a> for 6.0.1 was released on March 18, 2003, to resolve this issue
for both the Notes client and Domino server.

</p>

<h4>Apply a patch</h4>
<p>
Patches are available for some vulnerabilities. Please view the individual 
<a 
href="http://www.kb.cert.org/vuls/byid?searchview&query=VU%23542873+or+VU%23206361+or+VU%23772817+or+VU%23571297+or+VU%23355169+or+VU%23433489+or+VU%23411489+or+VU%23583184">vulnerability 
notes</a> for specific patch information.
</p>

<h4>Block access from outside the network perimeter</h4> 

<p> 

Lotus Domino servers listen on port 1352/TCP. Notes may also be configured
to listen on other ports, such as NETBIOS, SPX, or XPC. Blocking access to
these ports from machines outside your trusted network perimeter may help
mitigate successful exploitation of these vulnerabilities.

</p>

<p></p>

<a name="references"></a>
<h2>Appendix A - References</h2>

<blockquote>
   1. <a href="http://www.kb.cert.org/vuls/id/571297">http://www.kb.cert.org/vuls/id/571297</a><br>
   2. <a href="http://www.kb.cert.org/vuls/id/206361">http://www.kb.cert.org/vuls/id/206361</a><br>
   3. <a href="http://www.ibm.com/Search?v=11&lang=en&cc=us&q=KSPR5HUQ59">http://www.ibm.com/Search?v=11&lang=en&cc=us&q=KSPR5HUQ59</a><br>
   4. <a href="http://www.nextgenss.com/advisories/lotus-inotesoflow.txt">http://www.nextgenss.com/advisories/lotus-inotesoflow.txt</a><br>
   5. <a href="http://www.kb.cert.org/vuls/id/355169">http://www.kb.cert.org/vuls/id/355169</a><br>
   6. <a href="http://www.ibm.com/Search?v=11&lang=en&cc=us&q=KSPR5HTQHS">http://www.ibm.com/Search?v=11&lang=en&cc=us&q=KSPR5HTQHS</a><br>
   7. <a href="http://www.nextgenss.com/advisories/lotus-60dos.txt">http://www.nextgenss.com/advisories/lotus-60dos.txt</a><br>
   8. <a href="http://www.kb.cert.org/vuls/id/542873">http://www.kb.cert.org/vuls/id/542873</a><br>
   9. <a href="http://www.ibm.com/Search?v=11&lang=en&cc=us&q=KSPR5HUPEK">http://www.ibm.com/Search?v=11&lang=en&cc=us&q=KSPR5HUPEK</a><br>
  10. <a href="http://www.nextgenss.com/advisories/lotus-inotesoflow.txt">http://www.nextgenss.com/advisories/lotus-inotesoflow.txt</a><br>
  11. <a href="http://www.kb.cert.org/vuls/id/772817">http://www.kb.cert.org/vuls/id/772817</a><br>
  12. <a href="http://www.ibm.com/Search?v=11&lang=en&cc=us&q=KSPR5HTLW6">http://www.ibm.com/Search?v=11&lang=en&cc=us&q=KSPR5HTLW6</a><br>
  13. <a href="http://www.nextgenss.com/advisories/lotus-hostlocbo.txt">http://www.nextgenss.com/advisories/lotus-hostlocbo.txt</a><br>
  14. <a href="http://www.kb.cert.org/vuls/id/571297">http://www.kb.cert.org/vuls/id/571297</a><br>
  15. <a href="http://www.ibm.com/Search?v=11&lang=en&cc=us&q=swg21104543">http://www.ibm.com/Search?v=11&lang=en&cc=us&q=swg21104543</a><br>
  16. <a href="http://www.nextgenss.com/advisories/lotus-inotesclientaxbo.txt">http://www.nextgenss.com/advisories/lotus-inotesclientaxbo.txt</a><br>
  17. <a href="http://www.kb.cert.org/vuls/id/433489">http://www.kb.cert.org/vuls/id/433489</a><br>
  18. <a href="http://www.ibm.com/Search?v=11&lang=en&cc=us&q=DBAR5CJJJS">http://www.ibm.com/Search?v=11&lang=en&cc=us&q=DBAR5CJJJS</a><br>
  19. <a href="http://www.rapid7.com/advisories/R7-0010.html">http://www.rapid7.com/advisories/R7-0010.html</a><br>
  20. <a href="http://www.kb.cert.org/vuls/id/411489">http://www.kb.cert.org/vuls/id/411489</a><br>
  21. <a href="http://www.ibm.com/Search?v=11&lang=en&cc=us&q=KSPR5DFJTR">http://www.ibm.com/Search?v=11&lang=en&cc=us&q=KSPR5DFJTR</a><br>
  22. <a href="http://www.rapid7.com/advisories/R7-0011.html">http://www.rapid7.com/advisories/R7-0011.html</a><br>
  23. <a href="http://www.kb.cert.org/vuls/id/583184">http://www.kb.cert.org/vuls/id/583184</a><br>
  24. <a href="http://www.ibm.com/Search?v=11&lang=en&cc=us&q=DWUU4W6NC8">http://www.ibm.com/Search?v=11&lang=en&cc=us&q=DWUU4W6NC8</a><br>
  25. <a href="http://www.rapid7.com/advisories/R7-0012.html">http://www.rapid7.com/advisories/R7-0012.html</a><br>
  26. <a href="http://www.kb.cert.org/vuls/id/583184">http://www.kb.cert.org/vuls/id/583184</a><br>
  27. <a href="http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/">http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/</a><br>
  28. <a href="http://www.cert.org/advisories/CA-2001-18.html">http://www.cert.org/advisories/CA-2001-18.html</a><br>
  29. <a 
href="http://www.kb.cert.org/vuls/id/571297">http://www.kb.cert.org/vuls/id/571297</a><br>
  30. <a 
href="http://www-10.lotus.com/ldd/r5fixlist.nsf/80bff5d07b4be477052569ce00710588/8bc951d3ff1e578385256ce10052a78a?OpenDocument">http://www-10.lotus.com/ldd/r5fixlist.nsf/80bff5d07b4be477052569ce00710588/8bc951d3ff1e578385256ce10052a78a?OpenDocument</a><br>
</blockquote>


<hr noshade>

<p>Our thanks to NGS Software and Rapid7, Inc. for discovering and
reporting on these vulnerabilities. We also thank the Lotus Security Team
for aiding in the resolution and clarification of these issues.</p>

<p></p>

<hr noshade>

<p>Feedback on this document can be directed to the author, <a
href="mailto:cert@cert.org?subject=CA-2003-11%20Feedback%20VU%23433489">Jason 
A. Rafail</a>.

<p></p>

<!--#include virtual="/include/footer_nocopyright2.html" -->

<p>Copyright 2003 Carnegie Mellon University.</p>

<p>Revision History
<tt><pre>
Mar 26, 2003:  Initial release
Apr 02, 2003:  Added Clarification that VU#583184 does not affect the 
release version of Lotus Domino 6.0, only pre-release and beta versions.
</pre></tt>
</p>