Firms claim Lotus Notes has security flaws

Representatives of two security firms claim that flaws in Lotus Development Corp.’s Notes allow a skilled intruder to open the e-mail boxes or databases of virtually any Lotus Notes user, send e-mail under that user’s name, and authorize others to access those mailboxes or databases.

The security consultants also contend that another flaw, tied to the Domino server, allows outside users to circumvent protections against viruses and other malicious code.

Lotus says that such attacks require very specific conditions and that remedies are already available to Notes administrators using newer versions of Domino server. Notes runs on the Domino server.

Some 60 million end-users, primarily corporate customers, run Notes, according to Lotus.

The alleged flaws were made public over the weekend in a presentation at the DefCon hacker’s conference in Las Vegas. The consultants say they had withheld crucial details that could permit others to easily duplicate their process. The security consultants described their research to Lotus before their DefCon presentation, say both parties.

Chris Goggans, a hacker who previously called himself Erik Bloodaxe, described the methods he and associates used to sneak into other users’ Lotus Notes accounts. Goggans, now the director of operations for Security Design International, worked with Kevin McPeake and others at Trust Factory, a Dutch security-consulting firm, to identify the alleged security holes.

The security product management team for Domino, however, says system administrators can thwart such attacks with tools offered in recent versions of the product.

“We have tools available today in the current version of the product that allow you to protect against all of these vulnerabilities,” says Katherine Spanbauer, a member of the Lotus security team. Lotus recommends customers use Domino version 5.02, the newest release, for the greatest protection – but Version 4.6 also contains safeguards.

Lotus is preparing a detailed response to the claims made by the security consultants. The information should be posted on the Lotus Security Zone portion of the company’s Web site by today, Spanbauer says.

“They explained their attacks to us, so we are comfortable that we could offer our customers solutions to the problems,” says Kevin Lynch, also a member of the Lotus security team. He says Lotus has not heard of any such attacks actually occurring, and has not received customer complaints.

Goggans and his associates say they discovered a simple way to get a Notes client user password, which enables them to access that person’s databases or e-mail. Attackers could also send mail as if they were the person whose account was compromised.

In a Notes mail system, the user names and e-mail addresses, as well as their ID files, are stored in a database called the Name and Address Book, which resides on a server. Too often, system administrators leave the Name and Address Book accessible to the outside world, so people can download the ID files, Goggans says.

“[Domino] is such a complicated product that most administrators can’t understand how to manage access controls and application controls,” says Goggans. “The security features are often misconfigured or ignored.” Knowledgeable Notes administrators, however, say only an inexperienced administrator would permit a vulnerability of this type.

Lynch and Spanbauer say the charges of a password vulnerability are partly valid, but fixable. Administrators can run a tool built into Domino 4.6 and later versions to apply a more complicated algorithm that will better protect passwords, Spanbauer says.

A bigger flaw exists in Notes’ Execution Control List, a part of the application that prevents most viruses and malicious scripts from running, Goggans says. The Trust Factory group examined public documents about how Notes works, and discovered what they call a simple method to communicate with Notes that bypasses the ECL and its safeguards. Lotus has placed a guard at the front door of its application, but Trust Factory’s programmers were able to “come in around from the back way,” he says.

Lotus says it added the ECL to Domino 4.1, and starting with Domino 5.02, the ECL is installed by default. Previously, it was up to an administrator to turn it on. Hackers might be able to circumvent the ECL, but the function has never protected against all potentially malicious scripts–notably, those that may arrive by Notes Mail but actually run on other applications, Spanbauer says.

“They may have expected ECL to protect against things it wasn’t intended to,” she says. “Notes can only protect within the Notes code.”

Although the Lotus representatives say their contact with Trust Factory has been limited, Goggans praised Lotus’ attitude upon learning of the discoveries.

“They said let’s get this thing out there and figure out a way to help our customers,” Goggans says of the Lotus representatives, and that may be an interesting assortment, according to the hackers’ conference speakers.

“The CIA uses Lotus Notes, so they’re very worried,” Goggans says.