Data leak in Lotus Notes
A vulnerability in Lotus Notes makes it easier for attackers to break into other users' accounts and to log onto the server in their context. The flaw is related to Notes Remote Procedure Calls (NRPC) and allows Lotus Notes user ID files to be downloaded from the server without prior authentication during client setup. The attacker need only know another user's valid login name. The flaw does require that the Notes Server be addressable via port 1532.
In Lotus Notes, the ID files serve as authentication to the server and are password protected. That said, there are various tools for cracking passwords using brute force or dictionary attacks – the simpler the secret phrase, the more likely it is that an attack will succeed.
In its advisory, the vulnerability's discoverer, the Copenhagen-based security vendor Fortconsult, describes the progression of one of these attacks and the tools necessary to make it happen. IBM was informed of the problem in May 2006 and required some time to make the necessary corrections. Fortconsult claims that the newest Lotus Notes versions include an option by which the downloading of ID files without authentication can be blocked.
- Lotus Notes Pre-Login Information Leakage, advisory from Fortconsult