[ISN] Confusion over serious Notes, Domino vulns

From: InfoSec News (isnat_private)
Date: Tue Mar 11 2003 - 22:59:57 PST

  • Next message: InfoSec News: "[ISN] Code Red II Variant on the Prowl"

    By John Leyden
    Posted: 11/03/2003
    Lotus Notes and Domino are subject to an unholy trio of serious 
    security vulnerabilities which could exploited in denial of service or 
    privilege elevation attacks on the vulnerable system. 
    That's the stark warning from security outfit Rapid 7 (via a posting 
    to BugTraq), which advises that a successful denial of service attack 
    could result in corruption of Notes databases. Also, crackers may be 
    able to take over vulnerable servers, Rapid 7 warns. 
    Rapid 7 is delaying release of details of the vulnerabilities until 
    Wednesday; in the mean time it strongly urges admins to "upgrade 
    immediately to R5.0.12 or R6.0.1 to protect their servers". Lotus R4, 
    unsupported but widely used, is also vulnerable to the undocumented 
    But R5.0.12 is still at risk to a separate set of security 
    vulnerabilities, discovered by NGSSoftware last month. 
    The only safe option seems to be to upgrade to R6.0.1, a major version 
    upgrades for Notes 5 users. Most Lotus Notes users - more than 85 per 
    cent, according to Rapid 7 - are still on version 5. 
    From Rapid 7's warning we learn only that it has discovered three 
    vulnerabilities in the Lotus Notes and Domino server platforms, two of 
    which also affect the Lotus Notes client. The vulnerability is generic 
    to Notes and not particular to the platform (Linux, window, Unix etc.) 
    a Notes database runs on. 
    The lack of additional information is unhelpful, because Rapid 7's 
    advice conflicts with earlier advisories from NGSSoftware, warning of 
    potential problems with R5.0.12. 
    Quite apart from the security issues that might still apply, Domino 
    add-ons (such as Quickplace) are not supported on 5.0.12 (see Forum 
    here and Lotus statement here). 
    So can we find a way through this mess? Only partially. 
    Both Chad Loder, of Rapid 7, and Mark Litchfield, of NGSSoftware agree 
    that "their" vulns are different. Litchfield told us that Lotus is yet 
    to issue a fix for all the R5.0.12 problems discovered by him. R5.0.12 
    isn't mentioned by name in Litchfield's advisories but it is 
    vulnerable, he tells us. 
    According to Litchfield, the only available fix for the (separate) 
    problems NGSSoftware documents is to upgrade to R6.0.1. In particular 
    he refers to an incomplete post request DoS vulnerability affecting 
    Pending definitive advice from IBM/Lotus itself, the situation is 
    deeply confusing, particularly for R5 users. Lotus Web site states all 
    the NGS vulnerabilities bar an ActiveX issue (which is still under 
    investigation) are fixed in 5.0.12. 
    Last night we asked Lotus' security manager for clarification on its 
    advice to users. We've yet to receive a response. 
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Wed Mar 12 2003 - 01:28:48 PST