The CERT/CC advisory was issued primarily to clear up confusion surrounding several security holes found last month by the research firms NGSS and Rapid7.
Systems affected by the bugs include Lotus Notes and Domino versions prior to 5.0.12 and 6.0 Gold. Download locations for vendor patches can be found within the CERT advisory.
The Center confirmed buffer overflow vulnerabilities in Lotus iNotes and the Lotus Domino Web Server that leave unpatched systems open to denial-of-service attacks. One of the Lotus iNotes flaws, described as "critical" by NGSS, can be exploited by an attacker to run code in the security context of the account running the Domino Web Server.

The Center also issued a clarification for another vulnerability originally reported in an iNotes ActiveX control. "The vulnerable code is not specific to iNotes or ActiveX," CERT/CC said, noting that the iNotes ActiveX control was an attack vector for the vulnerability and is not the affected code base.
"Because this issue is not specific to ActiveX, Lotus Notes clients and Domino Servers running on platforms other than Microsoft Windows may be affected," it warned.
Security research firm Rapid7 also found several holes in Lotus Domino prior to version 5.0.12. It said the Lotus Domino Server was susceptible to a pre-authentication buffer overflow during Notes authentication. The Lotus Domino Web Retriever also contained a buffer overflow vulnerability.
Rapid7 also warned that pre-release and beta versions of Lotus Domino 6.0 were affected by multiple vulnerabilities in the LDAP handling code. "The impact of these vulnerabilities range from denial of service to data corruption and the potential to execute arbitrary code," the Center warned.
It noted that patches are available for only some of the vulnerabilities. Until patches are available for all of them, IT administrators are encouraged to block access to the affected services from outside the network perimeter, or to configure Lotus Notes and Domino to help mitigate successful exploitation of the flaws.