Confusion over serious Notes, Domino vulns

If we tell you what's wrong, we'd have to kill you

Lotus Notes and Domino are subject to an unholy trio of serious security vulnerabilities which could be exploited in denial of service or privilege elevation attacks against a vulnerable system.

That's the stark warning from security outfit Rapid 7 (via a posting to BugTraq), which advises that a successful denial of service attack could result in corruption of Notes databases. Also, crackers may be able to take over vulnerable servers, Rapid 7 warns.

Rapid 7 is delaying release of details of the vulnerabilities until Wednesday; in the meantime it strongly urges admins to "upgrade immediately to R5.0.12 or R6.0.1 to protect their servers". Lotus R4, unsupported but widely used, is also vulnerable to the undocumented flaws.

But R5.0.12 is still at risk to a separate set of security vulnerabilities, discovered by NGSSoftware last month.

The only safe option seems to be to upgrade to R6.0.1, a major version upgrade for Notes 5 users. Most Lotus Notes users - more than 85 per cent, according to Rapid 7 - are still on version 5.

From Rapid 7's warning we learn only that it has discovered three vulnerabilities in the Lotus Notes and Domino server platforms, two of which also affect the Lotus Notes client. The vulnerabilities are generic to Notes and not particular to the platform (Linux, Windows, Unix etc.) a Notes database runs on.

The lack of additional information is unhelpful, because Rapid 7's advice conflicts with earlier advisories from NGSSoftware, warning of potential problems with R5.0.12.

Quite apart from the security issues that might still apply, Domino add-ons (such as Quickplace) are not supported on 5.0.12 (see Forum here and Lotus statement here).

Uggh.

So can we find a way through this mess? Only partially.

Both Chad Loder, of Rapid 7, and Mark Litchfield, of NGSSoftware, agree that "their" vulns are different. Litchfield told us that Lotus is yet to issue a fix for all the R5.0.12 problems discovered by him. R5.0.12 isn't mentioned by name in Litchfield's advisories but it is vulnerable, he tells us.

According to Litchfield, the only available fix for the (separate) problems NGSSoftware documents is to upgrade to R6.0.1. In particular he refers to an incomplete POST request DoS vulnerability affecting R5.0.12.

Pending definitive advice from IBM/Lotus itself, the situation is deeply confusing, particularly for R5 users. Lotus' Web site states that all the NGS vulnerabilities bar an ActiveX issue (which is still under investigation) are fixed in 5.0.12.

Last night we asked Lotus' security manager for clarification on its advice to users. We've yet to receive a response. ®

External Links

Rapid7 discovers critical Lotus Notes/Domino vulnerabilities, and mentions of this on Lotus' Web site
Rapid7's advice FAQ
... you might want to think carefully about the R5.0.12 upgrade for security and usability reasons

Related Stories

We won't tell you what this patch does, but apply it NOW
Light shed on Novell's darkest security secret
Slammer: Why security benefits from proof of concept code
