Flaws discovered in Lotus software

Three software security flaws could allow attackers to run malicious code on machines running IBM’s Lotus Domino or iNotes software.

The flaws were disclosed on Monday in three advisories published by Next Generation Security Software Ltd. (NGSS), a software security consulting company in Sutton, England.

Using a vulnerability in the Lotus iNotes messaging software, a remote attacker could gain control of a Domino server by providing an overly long value in a request for Web-based mail services.

The long value would create a buffer overrun on the server, allowing attackers to execute their own software code using the privileged account that runs the Domino Web Services, according to NGSS, which rated the vulnerability a “Critical Risk.”

A buffer overrun occurs when more data is written to a buffer in a computer’s memory than the buffer can hold. When the buffer overflows, critical information that controls a program’s execution is overwritten, allowing attackers to fill the buffer with their own code and cause the program to start executing it.

A second vulnerability, also rated “Critical Risk,” affects the Lotus Domino 6 application server software. Using the vulnerability, an attacker could create a buffer overrun by supplying false and excessively long host names in a request for a document or view that is stored in a Lotus database.

After triggering the overrun, attackers could execute their own code under the account running the Domino Web Service process, gaining control of the Domino server.

A third vulnerability, found in an ActiveX client control used by the iNotes software, allows an attacker to execute malicious code on a remote machine that is attempting to use iNotes Web-based messaging features.

An attacker could use an e-mail or a Web page to send a value that is too long to the ActiveX control, creating a buffer overrun on the target machine that allows the attacker to execute code using the privileges of the current user.

NGSS rated the ActiveX vulnerability “Medium Risk.”

The three vulnerabilities, which were found in Release 6.0 of Lotus Notes and Domino, have been patched by IBM in the 6.0.1 maintenance release. (See: www-10.lotus.com/ldd/products.nsf/products/notesdomino.)

Although it did not mention the NGSS vulnerabilities, information posted on IBM’s Web page said that the 6.0.1 release “includes fixes to enhance the quality and reliability of the Notes and Domino 6 products,” and recommended that customers who haven’t already done so upgrade to version 6.0.1.