Password exposure in Lotus Notes
A debug function in Lotus Notes version 5 and later can be used to write a file containing the new password in plain text whenever a user changes their password. The function was designed to make the password quality check more transparent. If two additional lines are entered in the Notes.INI configuration file, Notes logs the evaluation.
During the next password change, Notes will create a file with the following content:
testvowe_TLANB_2007_07_18@17_07_33.txt
18.07.2007 17:07:36 Lotus Notes client started
18.07.2007 17:07:47 Index update process started
Entering SpellCheckInit
entropy.c SpellCheckAccess Get 13A834 0
Initializing spell checking code
SPELLInitialize succeeded; spell checking DLL loaded
SPELLInitMainDict succeeded
SPELLInitUserDict succeeded
Password Entropy: spell checking code initialized
SpellCheckInit succeeded
Bytes per char: 1
Distribution base multiplier: 6
Resulting entropy limit: 60
[c]alp[c]: 0
[c]alp[t]: 0
[-]alp-s[-]: 18
[t]nalp-s[t]: 18
[t]alp[e]: 18
[t]alp[s]: 18
[t]alp[t]: 18
Testing word: [test]
Searching for [test]
Found [test], worth 12 bits
alp-s: 36
nalp: 42
nalp: 48
Entropy as determined by the state machine: 48

Entropy Limit: 60
Current Entropy: 48
Final Entropy: 48

Final Entropy: 48 bits, 12 chars
entropy.c SpellCheckAccess Put 422EB60 F01069BD
The password is found in the lines after "Resulting entropy limit: 60" and is made up of single characters in square brackets: ct-test234.
IBM published the debug parameter as a support document, but has recently removed it. At present, the document can still be read in the Google cache.
Since the Notes.INI file on the user's hard disk must be manipulated, physical access to the system is required to exploit this flaw. However, Notes itself offers several ways to modify this file, and the same mechanisms can be used to protect systems against this vulnerability:
- From Notes 7 upwards, settings in NOTES.INI can be made based on workstation policies, which makes it possible to enforce the setting "KFM_ShowEntropy=0".
- An undocumented possibility of making the same setting exists in Notes 6. To do so, a field with the name $PrefKFM_ShowEntropy with the value 0 must be added to the policy document.
- Alternatively, the setting may be made with the following short LotusScript:
' Write KFM_ShowEntropy=0 to the user's Notes.INI. The third argument (True)
' stores it as a system variable, i.e. without the "$" prefix.
Dim s As New NotesSession
Call s.SetEnvironmentVar("KFM_ShowEntropy", "0", True)
If this script runs automatically whenever a user's mail database is opened, the setting is re-applied each time. See also the support document provided by IBM.
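To verify that the mitigation above actually holds on a workstation, and to recognise an entropy log that has already been written, an administrator can check both the Notes.INI and any suspicious text files. The following Python audit is an added example, not code from heise Security or IBM; the variable name KFM_ShowEntropy comes from the article, while the sample INI and log contents are constructed for the test.

```python
import re

# Debug variable named in the article; the value "0" disables the entropy log.
DEBUG_VAR = "KFM_ShowEntropy"


def parse_notes_ini(text):
    """Parse Notes.INI (one key=value per line, keys case-insensitive)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def audit_notes_ini(text):
    """Classify the debug variable: 'enforced-off', 'unset' or 'ENABLED'.

    'unset' means the workstation relies on the default rather than on a
    policy-enforced 0, so the value could still be flipped locally."""
    value = parse_notes_ini(text).get(DEBUG_VAR.lower())
    if value is None:
        return "unset"
    return "enforced-off" if value == "0" else "ENABLED"


# Telltale lines of the entropy log: the limit line and the single characters
# in square brackets that, as the article explains, spell out the password.
_LIMIT_LINE = re.compile(r"^\s*Resulting entropy limit:", re.M)
_BRACKETED = re.compile(r"^\s*\[(.)\][a-z-]+\[(.)\]:", re.M)


def log_exposes_password(log_text):
    """True if text looks like a Notes entropy log containing password
    characters, i.e. a file that should be securely deleted."""
    return bool(_LIMIT_LINE.search(log_text)) and bool(_BRACKETED.search(log_text))


# Constructed samples (not taken from a real system).
SAMPLE_INI = "Directory=C:\\notes\\data\nKFM_ShowEntropy=1\n"
SAMPLE_LOG = (
    "Password Entropy: spell checking code initialized\n"
    "Resulting entropy limit: 60\n"
    "[x]alp[x]: 0\n"
    "[-]alp-s[-]: 18\n"
    "Final Entropy: 48 bits, 12 chars\n"
)

if __name__ == "__main__":
    print("Notes.INI:", audit_notes_ini(SAMPLE_INI))
    print("entropy log exposes password:", log_exposes_password(SAMPLE_LOG))
```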
Notes uses the password to protect the Notes.ID file, the certificate store every user needs for authentication. The file is encrypted with the user password. Besides the Notes certificates, Notes.ID also holds the user's private key and, where used, X.509 certificates. It is therefore essential that nobody can obtain a copy of the password and of Notes.ID at the same time: anyone with concurrent access to both the log file and the Notes.ID can authenticate to Notes as that user at any time.
Even though administrators can eliminate exploitation of this debug function in most cases, a Notes administrator with appropriate privileges is able to discover all user passwords.
Unlike under Windows, a Notes administrator cannot reset forgotten passwords, because the password is needed only to decrypt the Notes.ID. Some Notes customers have therefore implemented elaborate solutions for centrally storing password changes, in which a password may be reset only under the four-eyes principle, i.e. administration and internal audit must act together. The debug function makes it possible to bypass this security measure.
In a response to 'Password exposure in Lotus Notes' by heise Security, IBM essentially confirms the vulnerability. They rate the severity as rather low (overall CVSS score: 0.9), but do not discuss the numerous possibilities for remote administration of Notes clients. Such remote changes can only be reliably prevented by using all available access restrictions (ECL = Execution Control Lists), which is often not done. According to IBM, "Lotus Notes versions 8.0, 7.0.3 and all future versions will contain a fix that will remove the use of this undocumented debug variable."