Vulnerabilities in groupware mailers
Security researchers have discovered vulnerabilities in Novell's GroupWise client, and in ActiveX components of IBM's Lotus Domino Web Access, that could allow malicious persons to smuggle in potentially harmful code. An updated version of Novell's client is supposed to close the security hole, but users of IBM's Lotus Domino Web Access will need to set a killbit for the time being.
Web Access, the webmail function of Lotus Domino, installs the ActiveX module dwa7.dwa7.1 (dwa7w.dll). Because the length of the General_ServerName parameter is not checked when it is processed, a buffer overflow can occur when the InstallBrowserHelperDll() function is called. US CERT confirms this vulnerability in a Vulnerability Note, and has discovered further ones in the inotes6.dll, inotes6w.dll and dwa7.dll ActiveX modules.
Users of the software should set the killbit for components with the ClassIDs E008A543-CEFB-4559-912F-C27C2B89F13B and 3BFFE033-BF43-11d5-A271-00A024A51325, so that Web sites cannot attach to the vulnerable modules, and should use the Webmail front end with an alternative browser such as Opera, Firefox or Safari. Microsoft explains the necessary steps for setting a killbit in a Knowledge Base article.
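One way to apply and verify the killbit mitigation described above from an elevated PowerShell prompt; this is an added example, not taken from the article or from Microsoft's Knowledge Base article. It assumes the standard ActiveX Compatibility registry location and the 0x400 "Compatibility Flags" value that Internet Explorer treats as the kill bit, and it also covers the 32-bit registry view on 64-bit Windows.

```powershell
# Added example: set the ActiveX kill bit for the two ClassIDs named in the article.
# Assumption: run elevated, since the keys live under HKEY_LOCAL_MACHINE.
$ClassIds = @(
    '{E008A543-CEFB-4559-912F-C27C2B89F13B}',
    '{3BFFE033-BF43-11d5-A271-00A024A51325}'
)
$ValueName = 'Compatibility Flags'
$KillBit   = 0x400   # flag that stops Internet Explorer from instantiating the control

# Native registry view, plus the view read by 32-bit Internet Explorer on 64-bit Windows.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

foreach ($root in $Roots) {
    if (-not (Test-Path $root)) { continue }   # Wow6432Node is absent on 32-bit Windows

    foreach ($clsid in $ClassIds) {
        $key = Join-Path $root $clsid
        if (-not (Test-Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }

        # Keep any compatibility flags that are already set and OR in the kill bit.
        $current = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
        if ($null -eq $current) { $current = 0 }
        $new = $current -bor $KillBit
        New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord -Value $new -Force | Out-Null

        # Read the value back so the result can be checked or logged.
        $check = (Get-ItemProperty -Path $key -Name $ValueName).$ValueName
        [pscustomobject]@{
            Key        = $key
            Flags      = '0x{0:X8}' -f $check
            KillBitSet = (($check -band $KillBit) -ne 0)
        }
    }
}
```

Every row of the output should report KillBitSet as True; Internet Explorer has to be restarted before the setting takes effect.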
A vulnerability in Novell's GroupWise client through which attackers could smuggle in and execute arbitrary code became known just last week. The e-mail client has problems processing excessively long SRC parameters of the <IMG> HTML tag (those with more than 1200 characters). However, according to the security advisory from Infobyte Security Research, the error only occurs if users of the software answer or forward an e-mail containing an appropriately prepared tag. Novell is said to have closed the hole in version 6.5.7 of the GroupWise client.
- IBM Domino Web Access Upload Control dwa7w.dll Memory Corruption, security report by Elazar Broad
- IBM Lotus Domino Web Access ActiveX control stack buffer overflow, US CERT Vulnerability Note
- Novell GroupWise client remote stack overflow silently patched, Infobyte Security Research vulnerability report
(trk)