Feeds

Confusion over serious Notes, Domino vulns

If we tell you what's wrong, we'd have to kill you

  • alert
  • submit to reddit

Next gen security for virtualised datacentres

Lotus Notes and Domino are subject to an unholy trio of serious security vulnerabilities which could exploited in denial of service or privilege elevation attacks on the vulnerable system.

That's the stark warning from security outfit Rapid 7 (via a posting to BugTraq), which advises that a successful denial of service attack could result in corruption of Notes databases. Also, crackers may be able to take over vulnerable servers, Rapid 7 warns.

Rapid 7 is delaying release of details of the vulnerabilities until Wednesday; in the mean time it strongly urges admins to "upgrade immediately to R5.0.12 or R6.0.1 to protect their servers". Lotus R4, unsupported but widely used, is also vulnerable to the undocumented flaws.

But R5.0.12 is still at risk to a separate set of security vulnerabilities, discovered by NGSSoftware last month.

The only safe option seems to be to upgrade to R6.0.1, a major version upgrades for Notes 5 users. Most Lotus Notes users - more than 85 per cent, according to Rapid 7 - are still on version 5.

From Rapid 7's warning we learn only that it has discovered three vulnerabilities in the Lotus Notes and Domino server platforms, two of which also affect the Lotus Notes client. The vulnerability is generic to Notes and not particular to the platform (Linux, window, Unix etc.) a Notes database runs on.

The lack of additional information is unhelpful, because Rapid 7's advice conflicts with earlier advisories from NGSSoftware, warning of potential problems with R5.0.12.

Quite apart from the security issues that might still apply, Domino add-ons (such as Quickplace) are not supported on 5.0.12 (see Forum here and Lotus statement here).

Uggh.

So can we find a way through this mess? Only partially.

Both Chad Loder, of Rapid 7, and Mark Litchfield, of NGSSoftware agree that "their" vulns are different. Litchfield told us that Lotus is yet to issue a fix for all the R5.0.12 problems discovered by him. R5.0.12 isn't mentioned by name in Litchfield's advisories but it is vulnerable, he tells us.

According to Litchfield, the only available fix for the (separate) problems NGSSoftware documents is to upgrade to R6.0.1. In particular he refers to an incomplete post request DoS vulnerability affecting R5.0.12.

Pending definitive advice from IBM/Lotus itself, the situation is deeply confusing, particularly for R5 users. Lotus Web site states all the NGS vulnerabilities bar an ActiveX issue (which is still under investigation) are fixed in 5.0.12.

Last night we asked Lotus' security manager for clarification on its advice to users. We've yet to receive a response. ®

External Links

Rapid7 discovers critical Lotus Notes/Domino vulnerabilities, mention of this on here and here on Lotus' Web site
Rapid7's advice FAQ
... you might to think carefully about the R5.0.12 upgrade for security and
usability reasons

Related Stories

We won't tell you what this patch does, but apply it NOW
Light shed on Novell's darkest security secret
Slammer: Why security benefits from proof of concept code

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
prev story

Whitepapers

Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.