Confusion over serious Notes, Domino vulns

[InfoSec News <isn () c4i org>]

http://www.theregister.co.uk/content/55/29689.html

By John Leyden
Posted: 11/03/2003

Lotus Notes and Domino are subject to an unholy trio of serious 
security vulnerabilities which could exploited in denial of service or 
privilege elevation attacks on the vulnerable system. 

That's the stark warning from security outfit Rapid 7 (via a posting 
to BugTraq), which advises that a successful denial of service attack 
could result in corruption of Notes databases. Also, crackers may be 
able to take over vulnerable servers, Rapid 7 warns. 

Rapid 7 is delaying release of details of the vulnerabilities until 
Wednesday; in the mean time it strongly urges admins to "upgrade 
immediately to R5.0.12 or R6.0.1 to protect their servers". Lotus R4, 
unsupported but widely used, is also vulnerable to the undocumented 
flaws. 

But R5.0.12 is still at risk to a separate set of security 
vulnerabilities, discovered by NGSSoftware last month. 

The only safe option seems to be to upgrade to R6.0.1, a major version 
upgrades for Notes 5 users. Most Lotus Notes users - more than 85 per 
cent, according to Rapid 7 - are still on version 5. 

> From Rapid 7's warning we learn only that it has discovered three 
vulnerabilities in the Lotus Notes and Domino server platforms, two of 
which also affect the Lotus Notes client. The vulnerability is generic 
to Notes and not particular to the platform (Linux, window, Unix etc.) 
a Notes database runs on. 

The lack of additional information is unhelpful, because Rapid 7's 
advice conflicts with earlier advisories from NGSSoftware, warning of 
potential problems with R5.0.12. 

Quite apart from the security issues that might still apply, Domino 
add-ons (such as Quickplace) are not supported on 5.0.12 (see Forum 
here and Lotus statement here). 

Uggh. 

So can we find a way through this mess? Only partially. 

Both Chad Loder, of Rapid 7, and Mark Litchfield, of NGSSoftware agree 
that "their" vulns are different. Litchfield told us that Lotus is yet 
to issue a fix for all the R5.0.12 problems discovered by him. R5.0.12 
isn't mentioned by name in Litchfield's advisories but it is 
vulnerable, he tells us. 

According to Litchfield, the only available fix for the (separate) 
problems NGSSoftware documents is to upgrade to R6.0.1. In particular 
he refers to an incomplete post request DoS vulnerability affecting 
R5.0.12. 

Pending definitive advice from IBM/Lotus itself, the situation is 
deeply confusing, particularly for R5 users. Lotus Web site states all 
the NGS vulnerabilities bar an ActiveX issue (which is still under 
investigation) are fixed in 5.0.12. 

Last night we asked Lotus' security manager for clarification on its 
advice to users. We've yet to receive a response. 



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.