Most of these issues are denial-of-service conditions caused by buffer
overflows. To exploit them, an attacker would need to send maliciously
malformed messages to the Lotus Domino server over a variety of
protocols, as indicated below. In specific situations, however,
arbitrary code execution is possible: in the case of ZDI-CAN-647
(SPR# PRAD82YJW2), a malicious user could supply malformed cai URIs to
execute arbitrary code in Notes.
Refer to the table for more information on each issue, including the SPR
number for tracking purposes and, where applicable, fix availability.
For four of these nine issues, namely ZDI-CAN-373, ZDI-CAN-647,
ZDI-CAN-758 and ZDI-CAN-759, IBM Lotus has fixes. For two, ZDI-CAN-375
and ZDI-CAN-927, IBM has confirmed the issue and continues to pursue
appropriate fixes. IBM Lotus is currently unable to reproduce the
remaining three based on the information provided by TippingPoint's ZDI.
| TippingPoint Reference # | Description | IBM Lotus SPR # | Status |
|---|---|---|---|
| ZDI-CAN-375 | Domino MIME stack overflow | KLYH889M8H | Confirmed. Investigating fix. |
| ZDI-CAN-647 | Notes cai URI Handler remote code execution vulnerability | PRAD82YJW2 | Confirmed. Fixed in 8.0.2 FP6, 8.5.1 FP5, 8.5.2 and later releases. |
| ZDI-CAN-373 | Notes iCal stack overflow | KLYH87LL23 | Confirmed. Fixed in 8.5.3. |
| ZDI-CAN-758 | Domino DIIOP remote code execution vulnerability | KLYH87LML7 | Confirmed. Fixed in 8.5.3. |
| ZDI-CAN-759 | Domino DIIOP remote code execution vulnerability | KLYH87LM4S | Confirmed. Fixed in 8.5.3. |
| ZDI-CAN-927 | Domino Remote Console authentication bypass remote code execution vulnerability | PRAD89WGRS | Confirmed. Unsupported configuration with workaround available. |
| ZDI-CAN-372 | Domino Router stack overflow | KLYH87LKRE | Unconfirmed. Unable to reproduce. Need more information. |
| ZDI-CAN-374 | Domino IMAP and POP3 stack overflow | KLYH87LLVJ | Unconfirmed. Unable to reproduce. Need more information. |
| ZDI-CAN-779 | Domino LDAP bind request remote code execution vulnerability | KLYH87LMVX | Unconfirmed. Unable to reproduce. Need more information. |
IBM targets 2Q2011 for the release of Lotus Notes and Domino 8.5.3. You can track progress at the Notes/Domino Update Status page.
At the time of publication, there are no known active exploits of these
issues. However, if you encounter any of the unconfirmed issues, contact IBM Support with reproducible steps, referencing the related SPR number.
For additional information on these issues, see TippingPoint's ZDI advisories at the following link: http://www.zerodayinitiative.com/advisories
Workarounds:
For ZDI-CAN-927 (SPR# PRAD89WGRS), Domino does not support the use of UNC
paths with the Remote Console. As a workaround, specify absolute paths.
For all other issues, there are currently no known workarounds.
The following CVSS scores are based on testing results observed by IBM*.
SPR KLYH87LL23 - Lotus Notes ICAL Stack Overflow
CVSS Base Score: 7.1
---- Impact Subscore: 6.9
---- Exploitability Subscore: 8.6
CVSS Temporal Score: 5.6
CVSS Environmental Score: Undefined*
Overall CVSS Score: 5.6
Base Score Metrics:
- Related exploit range/Attack Vector: Network
- Access Complexity: Medium
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Complete
Temporal Score Metrics:
- Exploitability: Proof of Concept Code
- Remediation Level: Official Fix
- Report Confidence: Confirmed
SPR PRAD82YJW2 - Lotus Notes cai URI Handler Remote Code Execution
CVSS Base Score: 7.1
---- Impact Subscore: 6.9
---- Exploitability Subscore: 8.6
CVSS Temporal Score: 5.6
CVSS Environmental Score: Undefined*
Overall CVSS Score: 5.6
Base Score Metrics:
- Related exploit range/Attack Vector: Network
- Access Complexity: Medium
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Complete
Temporal Score Metrics:
- Exploitability: Proof of Concept Code
- Remediation Level: Official Fix
- Report Confidence: Confirmed
SPR KLYH87LML7 - Lotus Domino DIIOP Remote Code Execution
CVSS Base Score: 6.9
---- Impact Subscore: 10
CVSS Temporal Score: 3.4
CVSS Environmental Score: Undefined*
Overall CVSS Score: 5.4
Base Score Metrics:
- Related exploit range/Attack Vector: Local
- Access Complexity: Medium
- Authentication: None
- Confidentiality Impact: Complete
- Integrity Impact: Complete
- Availability Impact: Complete
Temporal Score Metrics:
- Exploitability: Proof of Concept Code
- Remediation Level: Official Fix
- Report Confidence: Confirmed
SPR KLYH889MH8 - Lotus Domino MIME Stack Overflow
CVSS Base Score: 7.1
---- Impact Subscore: 6.9
CVSS Temporal Score: 6.1
CVSS Environmental Score: Undefined*
Overall CVSS Score: 6.1
Base Score Metrics:
- Related exploit range/Attack Vector: Network
- Access Complexity: Medium
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Complete
Temporal Score Metrics:
- Exploitability: Proof of Concept Code
- Remediation Level: Unavailable
- Report Confidence: Confirmed
*The CVSS Environment Score is customer environment-specific and will
ultimately impact the Overall CVSS score. Customers can evaluate the
impact of this vulnerability in their environments by accessing the
referenced links.
- wong chee tat :)