ID: 3447
Date: 25/10/2007
Title: 3447 - Lotus Notes Memory Mapped Files Vulnerability
Platform level affected:Office Application
Hardware components affected:Intel PC
Specific operating systems components affected: 32-bit Windows
Net-enabled software: Enterprise Application
Remediation Summary:Update your copy of the software with the download available from the supplier.
Vendors affected:IBM
Applications affected:Lotus Notes
Adversity source: Unknown
Attack Vector: Vulnerability exploitation
Virulence: Unknown
Warning Status: Imminent
Potential Damage: Remote access
Possible Duration: Open Ended
Availability of fix: Available
Type of fix: Patch
Source: Symantec, IBM
Reliability of source: Trusted
Source URL: http://www-1.ibm.com/support/docview.wss?rs=477&uid=swg21257030
CVE: CVE-2007-5544
Abstract: Lotus Domino is a client/server product designed for collaborative working environments. There exists a vulnerability in the way memory mapped files are used under Windows. The result of which is that if the Lotus Notes Client is used in a Microsoft Terminal Services or Citrix environment users can read each others Lotus Notes session data including items such as E-Mail.
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Symantec Vulnerability Research
http://www.symantec.com/research
Security Advisory
Advisory ID: SYMSA-2007-013
Advisory Title: Lotus Notes Memory Mapped Files Vulnerability
Author: Ollie Whitehouse / ollie_whitehouse@symantec.com
Release Date: 23-10-2007
Application: Lotus Notes / Domino
Platform: Microsoft Windows
Severity: Session hijacking in shared user environments
/ Data leakage in shared user environments Vendor status: Updated Application Versions Available
CVE Number: CVE-2007-5544
Reference: http://www.securityfocus.com/bid/26146
Overview:
Lotus Domino is a client/server product designed for collaborative
working environments. Domino is designed for e-mail, scheduling,
instant messaging and data driven applications.
There exists a vulnerability in the way memory mapped files are
used under Windows. The result of which is that if the Lotus Notes
Client is used in a Microsoft Terminal Services or Citrix
environment users can read each others Lotus Notes session data
including items such as E-Mail.
This vulnerability also impacts the server product.
Details:
The vulnerability arises due to the mechanism used for
Inter-Process Communication (IPC) between NLNOTES and NTASKLDR.
IPC is performed via memory mapped files. When the files are
created a NULL is passed to the ACL parameter resulting in EVERYONE
being granted 'full-control'.
The result of this is that an attacker can read the contents of
any users Lotus Notes session when deployed in shared user
environments such as Terminal Services or Citrix. The data which is
accessible ranges from e-mail through to databases and associated
Lotus Script.
It should be noted that this vulnerability could also be used to
write to the memory mapped files. The impact of which is that an
attacker could potentially inject active content such as Lotus
Script.
Vendor Response:
* Fixed for the Notes client with 6.5.6, 7.0.3 and 8.0
* Fixed for the Domino server with 6.5.5 FP3, 6.5.6, 7.0.2
FP1, 7.0.3, 8.0
The fix requires that "SharedMemoryAllowOnly=1" be set in the
notes.ini file. Additional details about the notes.ini variable
is available in technote #1257030
http://www-1.ibm.com/support/docview.wss?rs=477&uid=swg21257030
Recommendation:
Update to a secure version of Notes client and Domino server.
Implement the appropriate notes.ini fix.
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
CVE-2007-5544
- - -------Symantec Vulnerability Research Advisory Information-------
For questions about this advisory, or to report an error:
research@symantec.com
For details on Symantec's Vulnerability Reporting Policy:
http://www.symantec.com/research/Symantec-Responsible-Disclosure.pdf
Symantec Vulnerability Research Advisory Archive:
http://www.symantec.com/research/
Symantec Vulnerability Research GPG Key:
http://www.symantec.com/research/Symantec_Vulnerability_Research_GPG.asc
- - -------------Symantec Product Advisory Information-------------
To Report a Security Vulnerability in a Symantec Product:
secure@symantec.com
For general information on Symantec's Product Vulnerability reporting and response:
http://www.symantec.com/security/
Symantec Product Advisory Archive:
http://www.symantec.com/avcenter/security/SymantecAdvisories.html
Symantec Product Advisory PGP Key:
http://www.symantec.com/security/Symantec-Vulnerability-Management-Key.asc
- - ---------------------------------------------------------------
Copyright (c) 2007 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Consulting Services. Reprinting the whole or part of this alert in any medium other than electronically requires permission from research@symantec.com.
Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information.
Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, and Symantec Consulting Services are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
iD8DBQFHHhA4uk7IIFI45IARAnNvAJ486zzFMCK7JLeJF5fiFClIpoWuIwCfeT1Z
ttzIDucCa2P+HK1T8xrCgfo=
=Z3gM
- -----END PGP SIGNATURE-----
This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.
The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.
CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.
Thu, 25 Oct 2007 00:00:00 GMT
Domain affected: Technical