Lotus NotesRPC Vulnerability
Created 3/17/03
CAN 2003-0122
Impact
A remote attacker could crash the Lotus Domino server, thereby causing
denial of service, and perhaps corrupt Lotus Notes databases on the
server, or execute attacker-supplied code.
Background
The Lotus Domino family of servers provides a multi-platform
foundation for collaboration and e-business, featuring messaging,
calendaring, scheduling, and Web-based transactions.
Lotus Notes is the client for Lotus Domino servers.
The Problem
Lotus Notes clients and servers support a proprietary protocol called
NotesRPC. This protocol provides a means for a client and server to
authenticate each other via a series of challenge-response exchanges.
The problem is that a malicious unauthenticated client can manipulate
the challenge-response data used in NotesRPC to cause a buffer
overflow on the Domino server. This allows an attacker to overwrite
large sections of the heap with arbitrary data.
NotesRPC typically runs on port 1352/tcp but may also use NetBIOS,
Netware SPX, Banyan Vines, and modem dialup for transport. The
vulnerability has so far only been tested on NotesRPC over TCP/IP,
but it may be possible for this overflow to be triggered via other
protocols, including dialup.
All Lotus Notes/Domino releases and versions up to and including
R5.0.11, and Lotus Notes/Domino R6 betas and pre-releases, are
affected by this vulnerability. Note that while risks to the server
are paramount, the Lotus client is also vulnerable.
Resolution
Upgrade to Lotus Notes/Domino R5 version 5.0.12 or higher. Lotus
Notes/Domino R6 version 6.0 Gold is free from this NotesRPC
vulnerability, but it has other vulnerabilities, so R6 version 6.0.1
or higher is the recommended upgrade in the R6 series.
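The version thresholds above can be applied to a server inventory to decide which hosts need the upgrade. The following is an added example, not part of the original advisory or any Lotus or Rapid7 tooling; the hostnames, the version string layout and the function names are assumptions made for illustration.

```python
import re

# Thresholds from the advisory text; everything else here is illustrative.
R5_FIXED = (5, 0, 12)        # first R5 release with the fix
R6_RECOMMENDED = (6, 0, 1)   # recommended minimum in the R6 series
_VERSION = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")
_PRERELEASE = re.compile(r"beta|pre-?release", re.IGNORECASE)

def classify(version_string):
    """Return (status, advice) for one Notes/Domino version string."""
    match = _VERSION.search(version_string)
    if not match:
        return ("unknown", "version not recognised, check manually")
    ver = tuple(int(part or 0) for part in match.groups())
    if ver < R5_FIXED:
        # Covers R5.0.11 and every earlier release, including pre-R5.
        return ("vulnerable", "upgrade to R5 5.0.12 or higher")
    if ver[0] == 5:
        return ("fixed", "no action needed for this issue")
    if ver[0] == 6 and _PRERELEASE.search(version_string):
        return ("vulnerable", "upgrade to R6 6.0.1 or higher")
    if ver < R6_RECOMMENDED:
        # 6.0 Gold: free of this bug, but the advisory recommends 6.0.1.
        return ("fixed-upgrade-advised", "upgrade to R6 6.0.1 or higher")
    return ("fixed", "no action needed for this issue")

def triage(inventory):
    """Return hosts that need attention as (host, version, advice)."""
    todo = []
    for host, version in inventory:
        status, advice = classify(version)
        if status != "fixed":
            todo.append((host, version, advice))
    return todo

# Constructed sample inventory (hostnames and version strings are made up).
INVENTORY = [
    ("mail1.example.com", "Release 5.0.11"),
    ("mail2.example.com", "Release 5.0.12"),
    ("apps1.example.com", "Release 6.0 Beta 3"),
    ("apps2.example.com", "Release 6.0"),
    ("apps3.example.com", "Release 6.0.1"),
]

if __name__ == "__main__":
    for host, version, advice in triage(INVENTORY):
        print(f"{host}: {version} -> {advice}")
```

Because the Notes client is also affected, the same check applies to client version strings collected from workstations.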
Where can I read more about this?
See the information and Advisory R7-0010 provided by Rapid7. This
vulnerability is also described in SecurityFocus Bugtraq ID 7037 and
CERT Advisory 2003-11.