DominoSecurity
Hot List
(Brought to you by Chuck Connell at CHC-3 Consulting.)
Preface -- 1) I post information in descending date order, so you can easily see new entries. 2) Here is Lotus's list of security advisories, which overlaps mine.
Potential cross-site scripting (XSS) vulnerability in the servlet engine in Domino servers. This vulnerability could be exposed by a malformed HTTP request. May 2008.
Potential buffer overflow vulnerabilities with the ActiveX control used by Domino iNotes web access. Here is the IBM information and CERT discussion. January 2008.
Lotus has posted five security advisories this month. Several have potentially serious consequences. I suggest reading all of them here and upgrading your installed Notes/Domino software as Lotus recommends. March 2007.
There is a potential exploit called HTTPPassword dump. Lotus responded. February 2007.
Sites using DOLS and 7.0.2 need to replace the executable on the server. November 2006.
Some versions of Domino 6.x and 7.x for Linux contain a security weakness that could allow an attacker to attain root privileges. The exploit relates to the tunekrnl file within Linux. Lotus says that the problem is fixed in 6.5.5-FP2 and 7.0.2. Here is the Lotus advisory about this problem, and the original report from iDefense.
Notes client flooding Sametime server -- Under some circumstances the Sametime server can receive incoming requests at an extremely high rate from the Notes client, and these requests effectively create a Denial of Service attack. (September 2006)
Notes file viewer overflow (dunzip32.dll) -- An attacker may be able to send a specially crafted zip file attachment to users via email, and the users would have to double-click and "View" the attachment. If successfully exploited, this vulnerability will cause the Notes client to crash and may allow execution of arbitrary code. This problem was addressed in Notes 6.5.5 and Notes 7.0. (September 2006)
There are two tech notes from IBM about the expiration of signing certificates for Domino applets. This is not really a security issue, per se, but can cause confusion for users and may appear to users to be a security concern. See here and here. (July 2006)
Domino SMTP denial of service -- Under particular circumstances, an attacker may be able to craft a malicious message that will cause the Router to hang while trying to deliver it. Stopping and restarting the server will not resolve the problem as the message will still be in the queue. Fixed in Domino 6.5.4 Fix Pack 1 (FP1), Domino 6.5.5 and Domino 7.0. (June 2006)
Releases 7.0.1 and 6.5.5 fix several problems with Notes client security. Details are here. But, see this follow-up about calendar problems in the 6.5.5 client..., and a follow-up to that. (March 2006)
There are miscellaneous low-vulnerability security fixes in 6.5.4 Fix Pack 2. Here is the US CERT discussion. (November 2005)
Buffer Overruns in Certain Date Fields Cause Domino Server Crash -- An attacker can cause a Domino server crash by submitting bad data to an editable date field in a web application. I suggest upgrading to 6.0.5 or 6.5.4 to fix the problem. (April 2005)
Domino Server Crashes on Malicious Email from iNotes -- This exploit allows an attacker to send a malicious email to Domino, which then crashes the server when the mail is read via the browser. Appears to be fixed in 6.5.3 and 6.0.5. Prior to these releases, you can stop the exploit by limiting message size to 11MB. (October 2004)
Web Authentication Using Soundex Values May Increase the Risk of a Brute Force Attack (July 2004)
Potential DOS Vulnerability SSL with IBM Lotus Instant Messaging and Web Conferencing (Sametime) 3.x and 6.5.1 (July 2004)
Cross-site Scripting Vulnerability Addressed in 6.0.4 and 6.5.2 (June 2004)
Lotus Notes URL Handler Argument Injection Vulnerability (June 2004)
Details of vulnerabilities found by Rapid7 -- The full details of the security issues that were vaguely described below. (March 13, 2003)
Serious vulnerability for 4.*, 5.0 -- 5.11 and 6.0 found by Rapid7.com -- There are several vulnerabilities, one of which may be quite serious. (March 3, 2003)
Four security alerts found by NGSSoftware and published by CERT -- These relate to Domino, Notes and iNotes. (February 24, 2003)
Internet passwords may be exposed -- This vulnerability occurs when an administrator does not take steps to hide the Internet passwords in the Domino Directory. Full details are included in this writeup.
SunRPC NULL to port 443 -- This denial-of-service attack is very simple and is now well-publicized, so it is worth paying attention to. The fix is to make sure you have upgraded to 5.0.9 or later. (But 5.0.9 has its own set of problems, so you should use 5.0.9a.)
Solving the $DefaultNav problem -- In all Domino server installations, for 4.x and 5.x, it is possible for a clever user to obtain a list of all non-hidden views in a database. Someone can do this from a browser by constructing a URL that contains the $DefaultNav option. This link is an excellent posting on Notes.Net that explains how to prevent the problem for R5. The posting references an article that originally appeared in The View magazine.
Another Denial of Service (DoS) vulnerability has been found in Domino. This one relates to attacks that use maliciously formatted LDAP requests. Release 5.0.7a of Domino fixes the problem.
Suppressing the default SMTP greeting (from reader Claes) -- This tip is similar to DominoNoBanner, which is already posted here. This time the NOTES.INI parameter is SMTPGreeting. By setting this variable, you control the information passed from the Domino SMTP server to SMTP clients. If you do not set this parameter, the Domino SMTP server passes the platform name to SMTP clients. This information could give hackers a better chance at breaking in, since they would know the operating system being used. By setting the parameter, you control what is passed. An example is SMTPGreeting="mail.acme.org SMTP service ready at %s". (The SMTP server fills in the date/time in place of %s.)
Denial of Service (DoS) vulnerabilities -- Lotus addressed these problems in 5.0.7, released on March 23, 2001. Note that 5.0.7 contains 8 fixes for SPRs related to DoS issues, so this is an important release if you are concerned about a DoS attack. Thanks to reader Alistair for sending this in.
Suppressing the Domino page banner (from reader KeithC) -- When you right click on a Domino web site and select ViewSource, you see something like
Lotus-Domino (Release 5.0.6a - January 17, 2001 on Solaris x86).
This information gives hackers a better chance at breaking in, since they now know the operating system being used. On R5.0.2 (and later) you can prevent this problem by adding DominoNoBanner=1 to the server's NOTES.INI file. (I have forwarded this information to the ISP who is hosting DominoSecurity.org.)
Notes Stored Form Vulnerability -- Apparently there is a security vulnerability in the Notes "store form in document" feature. This technote from Lotus Support explains how to disable this feature to prevent the problem. Unfortunately, the technote does not describe just what the problem is. Here is some additional information from reader Hellerr. And some more information about when this may be a threat over the Internet, from reader JohnG.
R5 Server / Router Crashes With Malformed HTML Code -- An HTML message containing malformed HTML code can cause the router or server process to crash when a Domino R5 server converts the message. This link is a response from Lotus about this vulnerability. (Lotus/IBM have removed this posting from their web site. I am leaving this note here as a placeholder, in case I find the link again.)
This site is maintained by Chuck Connell of CHC-3 Consulting, which provides consulting services related to Domino/Notes security.