Feeds

Confusion over serious Notes, Domino vulns

If we tell you what's wrong, we'd have to kill you

  • alert
  • submit to reddit

Intelligent flash storage arrays

Lotus Notes and Domino are subject to an unholy trio of serious security vulnerabilities which could exploited in denial of service or privilege elevation attacks on the vulnerable system.

That's the stark warning from security outfit Rapid 7 (via a posting to BugTraq), which advises that a successful denial of service attack could result in corruption of Notes databases. Also, crackers may be able to take over vulnerable servers, Rapid 7 warns.

Rapid 7 is delaying release of details of the vulnerabilities until Wednesday; in the mean time it strongly urges admins to "upgrade immediately to R5.0.12 or R6.0.1 to protect their servers". Lotus R4, unsupported but widely used, is also vulnerable to the undocumented flaws.

But R5.0.12 is still at risk to a separate set of security vulnerabilities, discovered by NGSSoftware last month.

The only safe option seems to be to upgrade to R6.0.1, a major version upgrades for Notes 5 users. Most Lotus Notes users - more than 85 per cent, according to Rapid 7 - are still on version 5.

From Rapid 7's warning we learn only that it has discovered three vulnerabilities in the Lotus Notes and Domino server platforms, two of which also affect the Lotus Notes client. The vulnerability is generic to Notes and not particular to the platform (Linux, window, Unix etc.) a Notes database runs on.

The lack of additional information is unhelpful, because Rapid 7's advice conflicts with earlier advisories from NGSSoftware, warning of potential problems with R5.0.12.

Quite apart from the security issues that might still apply, Domino add-ons (such as Quickplace) are not supported on 5.0.12 (see Forum here and Lotus statement here).

Uggh.

So can we find a way through this mess? Only partially.

Both Chad Loder, of Rapid 7, and Mark Litchfield, of NGSSoftware agree that "their" vulns are different. Litchfield told us that Lotus is yet to issue a fix for all the R5.0.12 problems discovered by him. R5.0.12 isn't mentioned by name in Litchfield's advisories but it is vulnerable, he tells us.

According to Litchfield, the only available fix for the (separate) problems NGSSoftware documents is to upgrade to R6.0.1. In particular he refers to an incomplete post request DoS vulnerability affecting R5.0.12.

Pending definitive advice from IBM/Lotus itself, the situation is deeply confusing, particularly for R5 users. Lotus Web site states all the NGS vulnerabilities bar an ActiveX issue (which is still under investigation) are fixed in 5.0.12.

Last night we asked Lotus' security manager for clarification on its advice to users. We've yet to receive a response. ®

External Links

Rapid7 discovers critical Lotus Notes/Domino vulnerabilities, mention of this on here and here on Lotus' Web site
Rapid7's advice FAQ
... you might to think carefully about the R5.0.12 upgrade for security and
usability reasons

Related Stories

We won't tell you what this patch does, but apply it NOW
Light shed on Novell's darkest security secret
Slammer: Why security benefits from proof of concept code

Top 5 reasons to deploy VMware with Tegile

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.