24 October 2007, 11:05

Vulnerabilities in Lotus Notes and Domino

Attackers can inject and execute arbitrary malicious code on systems running IBM's Lotus Notes and Domino due to numerous vulnerabilities. IBM has released updated versions of the software in which the bugs are fixed.

An advisory by Tan Chew Keong on vuln.sg identifies vulnerabilities in the Lotus Notes modules for viewing e-mail file attachments. Due to insufficient length checking, buffer overflows which may lead to execution of injected code can occur when processing WordPerfect (.wpd), Ami Pro (.sam), Microsoft Word for DOS (.doc) and FrameMaker (.mif) documents. The security advisory from Keong includes links to documents which demonstrate the vulnerabilities.

Lotus Notes and Domino use memory mapped files for interprocess communication (IPC) between the NLNOTES and NTASKLDR services. Access to these files is assigned to Everyone. On systems such as terminal servers, on which multiple users work at the same time, this could allow users to read other users' data or even to inject scripts.

The Lotus Domino IMAP server allows nefarious individuals with valid accounts to execute code by exploiting a buffer overflow. IBM does not give details in its advisory. The Evaluate LotusScript function may disclose confidential data. The activate and unlock functions for working with the Domino Certificate Authority on the server console may lead to the password being displayed as plain text if upper case letters are used in the commands.

IBM has released software updates in which the bugs are fixed. Administrators should install the updated, bug-fixed Lotus Notes Releases 6.5.6, 7.0.3, 8.0 or 8.0.1 and Lotus Domino Server 6.5.5 Fix Pack 3, 6.5.6 Fix Pack 2, 7.0.2 Fix Pack 1, 7.0.3 or 8.0. The current versions allow new parameters to be set in notes.ini to remedy the security vulnerabilities – according to the IBM advisories, this relates to the SharedMemoryAllowOnly and Enforce_EffectiveUserRights_EvaluteCommand parameters.