From advisory@rapid7.com Fri Mar 14 04:25:27 2003
From: Rapid 7 Security Advisories
To: full-disclosure@lists.netsys.com
Date: Thu, 13 Mar 2003 03:13:23 -0500
Subject: [Full-Disclosure] R7-0012: Lotus Notes/Domino R6-beta PROTOS LDAP Denial of Service Regression

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

                     Rapid7, Inc. Security Advisory

        Visit http://www.rapid7.com/ to download NeXpose,
        the world's most advanced vulnerability scanner.
        Linux and Windows 2000/XP versions are available now!
_______________________________________________________________________

Rapid7 Advisory R7-0012
Lotus Notes/Domino R6-beta PROTOS LDAP Denial of Service Regression

   Published:  March 12, 2003
   Revision:   1.0
   http://www.rapid7.com/advisories/R7-0012.html

   CVE:            CAN-2001-1311 (regression)
   CERT Note:      583184 (regression)
   CERT Advisory:  CA-2001-18 (regression)
   Lotus SPR:      DWUU4W6NC8 (regression)
   Bugtraq ID:     7039

1. Affected system(s):

   KNOWN VULNERABLE:
    o Lotus Notes/Domino R6 pre-release and beta versions
    o Lotus Domino R5.0.7 and earlier

   NOT VULNERABLE:
    o Lotus Notes/Domino R6.0 Gold
    o Lotus Notes/Domino R6.0.1
    o Lotus Notes/Domino R5.0.7a through R5.0.12

2. Summary

   In July 2001, the PROTOS protocol testing group at the University
   of Oulu in Finland released an LDAP protocol test suite that exposed
   flaws in LDAP implementations from multiple vendors. [1]

   Lotus Domino R5.0.7 and earlier were affected by the PROTOS LDAP
   issues, resulting in buffer overflows and denial of service against
   the Domino server. Lotus addressed these issues in Domino R5.0.7a,
   released May 18th 2001. [2]

   While regression testing the pre-release and beta versions of Lotus
   Domino R6 with the PROTOS LDAP test suite, we found that these
   releases were vulnerable to the issues PROTOS discovered.

3. Vendor status and information

   Lotus
   http://www.lotus.com/
   http://www.ibm.com/

   Lotus was notified and they have fixed this vulnerability.
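   The regression described in section 2 is the general failure mode
   that a replayable corpus guards against: a parser hardened on one
   branch loses the fix on another. The following is an added example,
   not code from this advisory, from Lotus or from the PROTOS project.
   It shows a bounds-checked BER length/TLV decoder for the LDAPMessage
   envelope (the layer that malformed-encoding test cases such as the
   PROTOS LDAP suite exercise) and a small harness that replays a
   constructed corpus of malformed messages and reports any case whose
   outcome changed. The byte strings in the corpus are constructed for
   illustration and are not the PROTOS test cases; the 4-octet cap on
   the length field is a local policy choice, not an LDAP requirement.

```python
"""Bounds-checked BER envelope decoding plus a replayable regression corpus.
Added example; not part of the Rapid7 advisory, Lotus Domino, or PROTOS."""
from __future__ import annotations


class MalformedBER(ValueError):
    """Raised for any encoding the server must reject rather than trust."""


MAX_LENGTH_OCTETS = 4  # local policy: a length field wider than 32 bits is abuse here


def decode_length(buf: bytes, pos: int, end: int) -> tuple[int, int]:
    """Decode a definite-form BER length at buf[pos]; return (length, pos_after).
    `end` is the exclusive bound of the enclosing element, so a declared length
    can never point past the data we actually hold."""
    if pos >= end:
        raise MalformedBER("length octet missing")
    first = buf[pos]
    pos += 1
    if first < 0x80:                       # short form: one octet, 0..127
        length = first
    else:                                  # long form: first & 0x7F = octet count
        n = first & 0x7F
        if n == 0:
            raise MalformedBER("indefinite length not allowed in LDAP (RFC 4511 5.1)")
        if n == 0x7F:
            raise MalformedBER("reserved length octet 0xFF")
        if n > MAX_LENGTH_OCTETS:
            raise MalformedBER(f"length field of {n} octets exceeds cap")
        if pos + n > end:
            raise MalformedBER("truncated long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if length > end - pos:
        raise MalformedBER(f"declared length {length} exceeds {end - pos} available bytes")
    return length, pos


def decode_tlv(buf: bytes, pos: int, end: int) -> tuple[int, bytes, int]:
    """Decode one tag-length-value triple; return (tag, value, pos_after)."""
    if pos >= end:
        raise MalformedBER("tag octet missing")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise MalformedBER("multi-octet tags are not used by LDAP")
    length, pos = decode_length(buf, pos + 1, end)
    return tag, buf[pos:pos + length], pos + length


def parse_ldap_envelope(data: bytes) -> tuple[int, int, bytes]:
    """Parse LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE ... }.
    Returns (message_id, protocol_op_tag, protocol_op_bytes); the op itself is
    left undecoded because the envelope is where length handling goes wrong."""
    tag, body, _ = decode_tlv(data, 0, len(data))
    if tag != 0x30:
        raise MalformedBER("LDAPMessage must be a SEQUENCE")
    tag, msgid_bytes, pos = decode_tlv(body, 0, len(body))
    if tag != 0x02 or not 1 <= len(msgid_bytes) <= 4:
        raise MalformedBER("messageID must be an INTEGER of 1..4 octets")
    message_id = int.from_bytes(msgid_bytes, "big", signed=True)
    if message_id < 0:
        raise MalformedBER("messageID must be non-negative")
    op_tag, op_bytes, _ = decode_tlv(body, pos, len(body))
    return message_id, op_tag, op_bytes


# Constructed corpus (illustrative bytes, not the PROTOS cases): messageID 1,
# BindRequest version 3, empty name, empty simple credentials.
VALID_BIND = bytes.fromhex("300c020101" "6007020103" "0400" "8000")

REGRESSION_CORPUS = [
    ("valid anonymous bind",            VALID_BIND,                        True),
    ("declared length beyond buffer",   bytes.fromhex("300c020101"),       False),
    ("indefinite length",               bytes.fromhex("30800201010000"),   False),
    ("4 GiB long-form length",          bytes.fromhex("3084ffffffff"),     False),
    ("reserved 0xff length octet",      bytes.fromhex("30ff"),             False),
    ("5-octet length field",            bytes.fromhex("30850000000010"),   False),
    ("truncated length field",          bytes.fromhex("308200"),           False),
    ("non-SEQUENCE envelope",           bytes.fromhex("0400"),             False),
    ("messageID not INTEGER",           bytes.fromhex("3003040141"),       False),
    ("inner element overruns envelope", bytes.fromhex("3003020501"),       False),
    ("empty input",                     b"",                               False),
]


def run_regression(corpus=REGRESSION_CORPUS) -> list[str]:
    """Replay the corpus and return the names whose outcome differs from the
    recorded expectation. Anything other than a clean MalformedBER rejection
    (an IndexError, say) also counts as a failure: that crash is the DoS."""
    failures = []
    for name, data, expect_ok in corpus:
        try:
            parse_ldap_envelope(data)
            outcome = True
        except MalformedBER:
            outcome = False
        except Exception:
            outcome = None
        if outcome != expect_ok:
            failures.append(name)
    return failures


if __name__ == "__main__":
    print(parse_ldap_envelope(VALID_BIND))
    print("regressions:", run_regression() or "none")
```

   The harness is meant to run on every build of every branch, which is
   the step the advisory shows was missing: the R5.0.7a fix held, but the
   R6 line was not replayed against the same inputs until Rapid7 did so.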
   Lotus originally tracked these issues as SPR #DWUU4W6NC8 and are
   tracking the R6 beta issues with this SPR. [3] See the References
   section for more information.

4. Solution

   Users running R6 beta and pre-release builds should upgrade to R6.0
   Gold or higher. Due to other vulnerabilities discovered in R6.0 Gold,
   you should consider upgrading to R6.0.1, which was released in
   February 2003.

   Users running R5.0.7a and higher are not affected.

   Domino incremental installers may be downloaded from the following
   URL (which has been wrapped):

   http://www14.software.ibm.com
   /webapp/download/search.jsp?go=y&rs=ESD-DMNTSRVRi&sb=r

5. Detailed analysis

   Credit for discovery of this vulnerability goes to the PROTOS
   project. Please see their LDAP test suite page for more
   information. [1]

6. References

   [1] PROTOS - Security Testing of Protocol Implementations
       http://www.ee.oulu.fi/research/ouspg/protos/

   [2] Lotus statement about LDAP vulnerability fixes
       http://www.kb.cert.org/vuls/id/JPLA-4WESN5

   [3] Lotus SPR #DWUU4W6NC8
       http://www.notes.net/r5fixlist.nsf/Search!SearchView&Query=DWUU4W6NC8

7. Contact Information

   Rapid7 Security Advisories
   Email:  advisory@rapid7.com
   Web:    http://www.rapid7.com/
   Phone:  +1 (212) 558-8700

8. Disclaimer and Copyright

   Rapid7, Inc. is not responsible for the misuse of the information
   provided in our security advisories. These advisories are a service
   to the professional security community. There are NO WARRANTIES
   with regard to this information. Any application or distribution of
   this information constitutes acceptance AS IS, at the user's own
   risk. This information is subject to change without notice.

   This advisory Copyright (C) 2003 Rapid7, Inc. Permission is hereby
   granted to redistribute this advisory, providing that no changes are
   made and that the copyright notices and disclaimers remain intact.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPnA3PyT52JC2U8wAEQLHPQCcDEBlGignyH8zUjKDYkFKn67tZckAn01q
iFqZh3acdOC/aMBSRZYWKBlO
=ScAz
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html