Dennis' Domino Blog

Category: "security"

Disabling HTTP methods

  08/30/13 08:49 am, Categories: Administration, IBM, Lotus, security
For those involved in security scans, you will probably know that they complain about the TRACE and OPTIONS methods.
You can disable those quite easily in your Internet Site documents, but some products (Traveler, Sametime) don't officially support that.
This Technote #21201202 explains how to do it for those products.

IBM Lotus Notes Traveler Open-Redirection and Cross Site Scripting Vulnerabilities

  10/05/12 11:13 am, Categories: Administration, IBM, security, Traveler
IBM Lotus Notes Traveler is prone to open-redirection and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.

Attackers can exploit these issues to execute arbitrary script or HTML code, steal cookie-based authentication credentials, and conduct phishing attacks. Other attacks may also be possible.

Versions prior to IBM Lotus Notes Traveler 8.5.3 Fix Pack 2 are vulnerable.

Read more here: SecurityFocus

IBM Lotus Domino RPC Operation Denial of Service Vulnerability

  01/03/12 08:30 am, Categories: Administration, IBM, Lotus, security
According to the IBM page about this: "If an attacker can monitor and record all communications between a Notes client and a Domino server then it is possible to crash the Domino server by modifying a specific packet, in a specific way, during a specific operation.", so it is a relatively low threat. Upgrade to 8.5.3 if you can; if not (because of the server changes in 8.5.3), upgrade to 8.5.2 FP4.

Source: SecurityFocus
IBM Lotus Domino RPC Operation Denial of Service Vulnerability

Bugtraq ID: 51167
Class: Failure to Handle Exceptional Conditions
CVE: CVE-2011-1393
Remote: Yes
Local: No
Published: Dec 22 2011 12:00AM
Updated: Jan 02 2012 11:20PM
Credit: Xiaopeng Zhang of Fortiguard Labs
Vulnerable: IBM Lotus Domino 8.5.2
IBM Lotus Domino 8.5
IBM Lotus Domino 8.0.2 Fix Pack 5
IBM Lotus Domino 8.0.2
IBM Lotus Domino 8.5.2 FP3
IBM Lotus Domino 8.5.2 FP2
IBM Lotus Domino 8.5.0.1
IBM Lotus Domino 8.5 FP1
IBM Lotus Domino 8.5
IBM Lotus Domino 8.0.2.4
IBM Lotus Domino 8.0.2.3
IBM Lotus Domino 8.0.2.2
IBM Lotus Domino 8.0.2.1
IBM Lotus Domino 8.0
Not Vulnerable: IBM Lotus Domino 8.5.3
IBM Lotus Domino 8.5.2 FP4


IBM Lotus Domino is prone to a denial-of-service vulnerability.

An attacker can exploit this issue to crash the affected application, denying service to legitimate users.

An attacker can use readily available network utilities.

Solution:
The vendor released an update. Please see the references for details.

References:

IBM Lotus Domino Remote Console Authentication Bypass Vulnerability

  12/01/11 08:22 am, Categories: Administration, IBM, security
Via SecurityFocus:
Bugtraq ID: 46985
Class: Unknown
CVE: CVE-2011-1519
Remote: Yes
Local: No
Published: Mar 22 2011 12:00AM
Updated: Dec 01 2011 06:36AM
Credit: Patrik Karlsson
Vulnerable: IBM Lotus Domino 8.5.3
IBM Lotus Domino 8.5.2
IBM Lotus Domino 8.5.1 Fix Pack 2
IBM Lotus Domino 8.5.1
IBM Lotus Domino 8.5
IBM Lotus Domino 8.0.2 Fix Pack 5
IBM Lotus Domino 8.0.2
IBM Lotus Domino 8.0.1
IBM Lotus Domino 7.0.4
IBM Lotus Domino 7.0.3 Fix Pack 1 (FP1)
IBM Lotus Domino 7.0.3
IBM Lotus Domino 7.0.2 FP3
IBM Lotus Domino 7.0.2 FP2
IBM Lotus Domino 7.0.2 FP1
IBM Lotus Domino 7.0.2
IBM Lotus Domino 7.0.1
IBM Lotus Domino 7.0
IBM Lotus Domino 6.5.6
IBM Lotus Domino 6.5.5 FP3
IBM Lotus Domino 6.5.5 FP2
IBM Lotus Domino 6.5.5 FP1
IBM Lotus Domino 6.5.5
IBM Lotus Domino 6.5.4 FP 2
IBM Lotus Domino 6.5.4 FP 1
IBM Lotus Domino 6.5.4
IBM Lotus Domino 6.5.3
IBM Lotus Domino 6.5.2 FP 1
IBM Lotus Domino 6.5.2
IBM Lotus Domino 6.5.1
IBM Lotus Domino 6.5.0
IBM Lotus Domino 6.0.5
IBM Lotus Domino 6.0.4
IBM Lotus Domino 6.0.3
IBM Lotus Domino 6.0.2 CF2
IBM Lotus Domino 6.0.2
IBM Lotus Domino 6.0.1
IBM Lotus Domino 6.0
IBM Lotus Domino 5.0.13
IBM Lotus Domino 8.5.2 FP3
IBM Lotus Domino 8.5.1.1
IBM Lotus Domino 8.5.0.1
IBM Lotus Domino 8.5 FP1
IBM Lotus Domino 8.5
IBM Lotus Domino 8.0.2.4
IBM Lotus Domino 8.0.2.3
IBM Lotus Domino 8.0.2.2
IBM Lotus Domino 8.0.2.1
IBM Lotus Domino 8.0
IBM Lotus Domino 0
Not Vulnerable:


IBM Lotus Domino is prone to a remote authentication-bypass vulnerability.

Successfully exploiting this issue will allow remote attackers to execute arbitrary code with SYSTEM-level privileges. Successful exploits will completely compromise affected computers. Failed exploit attempts will result in a denial-of-service condition.

The following exploit is available:

Solution:

Currently, we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

References:

Advisory: Range header DoS vulnerability Apache HTTPD 1.3/2.x (CVE-2011-3192) -> IBM HTTP Server too!

  08/25/11 10:18 am, Categories: Administration, IBM, Websphere, security, Sametime
Go read this, and apply the fixes. The IBM HTTP Server that ships with the WebSphere servers is just rebranded Apache.

Example:

D:\IBM\bin>Apache.exe -v
Server version: IBM_HTTP_Server/6.0.2.29 Apache/2.0.47

(see update below)

Excerpt below:

          Apache HTTPD Security ADVISORY
          ==============================

Title:    Range header DoS vulnerability Apache HTTPD 1.3/2.x

CVE:      CVE-2011-3192: 
Date:     20110824 1600Z
Product:  Apache HTTPD Web Server
Versions: Apache 1.3 all versions, Apache 2 all versions

Description:
============

A denial of service vulnerability has been found in the way the multiple 
overlapping ranges are handled by the Apache HTTPD server:

     http://seclists.org/fulldisclosure/2011/Aug/175 

An attack tool is circulating in the wild. Active use of this tool has 
been observed.

The attack can be done remotely and with a modest number of requests can 
cause very significant memory and CPU usage on the server. 

The default Apache HTTPD installation is vulnerable.

There is currently no patch/new version of Apache HTTPD which fixes this 
vulnerability. This advisory will be updated when a long term fix 
is available. 

A full fix is expected in the next 48 hours. 


Update: The fix reported to work for 2.0 and 2.2 doesn't work on 2.0, as the syntax is different. Apply the following instead:

# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range

# optional logging.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range

Note that without an env=bad-range condition on the RequestHeader line, the Range header is stripped from every request, so clients that depend on byte ranges (resumed downloads, for example) lose that ability; the SetEnvIf line then only drives the optional log.
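The SetEnvIf rule above approximates "more than 5 ranges" with a regex over commas. The following is an added example, not code from the Apache advisory or from IBM: it parses the Range header properly, applies the same threshold, and additionally flags overlapping ranges (the actual trigger described in the advisory), so it can be run over captured request headers. The resource size used to resolve open-ended ranges is a constructed assumption.

```python
import re

# Added example (not from the Apache advisory): the check the advisory's
# SetEnvIf rule approximates with a regex, done by parsing the Range header,
# so it can be run over captured request headers or log lines. It also flags
# overlapping ranges, which the regex cannot see.
MAX_RANGES = 5                          # the advisory's "more than 5 ranges" threshold
_SPEC = re.compile(r"^(\d*)-(\d*)$")    # one byte-range-spec: a-b, a-, or -b

def parse_ranges(value):
    """Turn 'bytes=a-b,c-,-d' into [(start, end), ...]; None marks an open side."""
    if not value.startswith("bytes="):
        raise ValueError("unsupported range unit")
    specs = []
    for part in value[len("bytes="):].split(","):
        m = _SPEC.match(part.strip())
        if not m or m.group(1) == m.group(2) == "":
            raise ValueError("malformed range spec: %r" % part)
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        if start is not None and end is not None and start > end:
            raise ValueError("start after end: %r" % part)
        specs.append((start, end))
    return specs

def overlapping(specs, size):
    """True if two ranges cover a common byte of a resource of `size` bytes."""
    spans = []
    for start, end in specs:
        if start is None:               # suffix range: the last `end` bytes
            spans.append((max(size - end, 0), size - 1))
        else:
            spans.append((start, size - 1 if end is None else min(end, size - 1)))
    spans.sort()                        # adjacent check suffices once sorted by start
    return any(spans[i][0] <= spans[i - 1][1] for i in range(1, len(spans)))

def classify(value, size=1 << 20):
    """'ok', 'too-many' (what the SetEnvIf rule drops), 'overlap', or 'malformed'."""
    try:
        specs = parse_ranges(value)
    except ValueError:
        return "malformed"
    if len(specs) > MAX_RANGES:
        return "too-many"
    if overlapping(specs, size):
        return "overlap"
    return "ok"
```

A request classified as "too-many" is exactly one the SetEnvIf rule would tag with bad-range; "overlap" catches the advisory's trigger even when fewer than six ranges are sent.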

Vulnerabilities in BlackBerry Enterprise Server components that process images could allow remote code execution

  08/12/11 08:38 am, Categories: IBM, Lotus, security, Blackberry
From the BlackBerry site. I've posted an excerpt below:


Overview

Vulnerabilities exist in components of the BlackBerry Enterprise Server that process PNG and TIFF images for rendering on the BlackBerry smartphone. The BlackBerry® Mobile Data System – Connection Service component processes images on web pages that the BlackBerry® Browser requests. The BlackBerry® Messaging Agent component processes images in email messages.

Affected Software

The issue affects the following software versions:
  • BlackBerry® Enterprise Server version 5.0.1 through 5.0.3 MR2 for Microsoft Exchange
  • BlackBerry® Enterprise Server version 5.0.1 through 5.0.3 MR2 for IBM Lotus Domino
  • BlackBerry® Enterprise Server version 4.1.7 and version 5.0.1 through 5.0.1 MR3 for Novell GroupWise
  • BlackBerry® Enterprise Server Express version 5.0.1 through 5.0.3 for Microsoft Exchange
  • BlackBerry® Enterprise Server Express version 5.0.2 and 5.0.3 for IBM Lotus Domino


Note: BlackBerry Enterprise Server version 5.0.3 MR3 and later for Microsoft Exchange and IBM Lotus Domino are not affected.

IBM Lotus Domino iCalendar Meeting Request Parsing Remote Stack Buffer Overflow Vulnerability

  07/20/11 02:19 pm, Categories: Administration, IBM, Lotus, security
The solution in short: upgrade to the latest version as soon as possible if you expose iNotes to the outside. Some issues are fixed in 8.5.3, so beware until then.
Bugtraq ID: 46232
Class: Input Validation Error
CVE: CVE-2011-0915
Remote: Yes
Local: No
Published: Feb 07 2011 12:00AM
Updated: Jul 20 2011 11:10AM
Credit: anonymous
Vulnerable: IBM Lotus Domino 8.0.2
IBM Lotus Domino 8.0.1
IBM Lotus Domino 7.0.4
IBM Lotus Domino 7.0.3 Fix Pack 1 (FP1)
IBM Lotus Domino 7.0.3
IBM Lotus Domino 7.0.2 FP3
IBM Lotus Domino 7.0.2 FP2
IBM Lotus Domino 7.0.2 FP1
IBM Lotus Domino 7.0.2
IBM Lotus Domino 7.0.1
IBM Lotus Domino 7.0
IBM Lotus Domino 6.5.6
IBM Lotus Domino 6.5.5 FP3
IBM Lotus Domino 6.5.5 FP2
IBM Lotus Domino 6.5.5 FP1
IBM Lotus Domino 6.5.5
IBM Lotus Domino 6.5.4 FP 2
IBM Lotus Domino 6.5.4 FP 1
IBM Lotus Domino 6.5.4
IBM Lotus Domino 6.5.3
IBM Lotus Domino 6.5.2
IBM Lotus Domino 6.5.1
IBM Lotus Domino 6.5.0
IBM Lotus Domino 6.0.5
IBM Lotus Domino 6.0.4
IBM Lotus Domino 6.0.3
IBM Lotus Domino 6.0.2 CF2
IBM Lotus Domino 6.0.2
IBM Lotus Domino 6.0.1
IBM Lotus Domino 6.0
IBM Lotus Domino 5.0.13
IBM Lotus Domino 8.5 FP1
IBM Lotus Domino 8.5
IBM Lotus Domino 8.0



IBM Lotus Domino is prone to a remote stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.
Successfully exploiting this issue may allow remote attackers to execute arbitrary code with SYSTEM-level privileges. Successful exploits will completely compromise affected computers. Failed exploit attempts will result in a denial-of-service condition.

The following proof-of-concept code is available:
/data/vulnerabilities/exploits/46232.ics

Solution:
Updates are available. Please see the references for more information.

References:
IBM Lotus Domino Homepage (IBM)
ZDI-11-048: IBM Lotus Domino iCalendar Meeting Request Parsing Remote Code Execu (IBM)
(Feb 2011) Potential security vulnerabilities in Lotus Notes & Domino (IBM)

IBM WebSphere Application Server JAX-RPC WS-Security/JAX-WS Runtime Security Bypass Vulnerability

  06/17/11 08:16 pm, Categories: IBM, Websphere, security
I just saw this in my RSS feeds:

Bugtraq ID: 40322
Class: Design Error
CVE: CVE-2010-0774
Remote: Yes
Local: No
Published: May 11 2010 12:00AM
Updated: Jun 17 2011 04:00PM
Credit: IBM
Vulnerable: IBM Websphere Application Server 7.0.*
IBM Websphere Application Server 6.1.*
IBM Websphere Application Server 6.0.*
IBM Tivoli Business Service Manager 4.2.1
(See full list in original document)
Not Vulnerable: IBM Websphere Application Server 7.0.0.11
IBM Websphere Application Server 6.1.0.31
IBM Websphere Application Server 6.0.2.41


IBM WebSphere Application Server (WAS) is prone to a security-bypass vulnerability because the application fails to properly handle WebServices PKCS#7 and PKIPath tokens.

Successful exploits may allow attackers to gain unauthorized access to the service, which may lead to other attacks.
The following are vulnerable:
WebSphere Application Server prior to 6.0.2.41, 6.1.0.31, and 7.0.0.11.

Exploit:
Currently we are not aware of any exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

Solution:
Updates are available; please see the references for more information.

References:

* IBM WebSphere Application Server Product Page (IBM)
* Recommended fixes for WebSphere Application Server (IBM)
* WebSphere Application Server WebServices PKIPath and PKCS#7 token type security (IBM XForce)
* websphere vulnerability (IBM)

Security enhancements in iNotes 8.5.2 may require configuration changes in environments with reverse proxies

  06/17/11 10:27 am, Categories: Administration, IBM, Lotus, security, Netscaler
I was playing with the application firewall in the Citrix NetScaler and found a cookie I had never seen before getting blocked.

Some quick googling gave me this Technote swg21453878. Please read it if you are using firewall/reverse proxy products in front of iNotes (or webadmin, for that matter).


Technote (troubleshooting)

Problem

Some security enhancements were introduced in iNotes 8.5.2 to prevent potential Cross Site Request Forgery (CSRF) attacks, and as part of these security enhancements, there are special considerations that should be made in environments that utilize reverse proxies. Upon sending POST requests to Domino, users may encounter 400 errors on the iNotes console, and administrators may see messages similar to the following on the console:

"iNotes XSS Security: Invalid Request, missing expected nonce value; with Referer: '%s'. Request not processed, throwing exception."
"iNotes XSS Security: Invalid Request, unexpected nonce value; with Referer: '%s'. Request not processed, throwing exception."

To mitigate these issues, the following two changes should be noted and accounted for:

1) When using basic authentication (Disabled session authentication), we now will utilize the ShimmerS cookie. Previously, this cookie was only used when Domino was set up for session authentication, but now, it is used no matter what authentication scheme is used.

2) There is a new extended header field that iNotes utilizes named "X-IBM-INOTES-NONCE". This header field must be allowed to pass freely between the client and server for iNotes to function properly.

In addition to these considerations, please note that some products (including Juniper VPNs) utilize mechanisms that cache or obfuscate cookies so that they are not held in their original form in the browser. Exceptions need to be made for the ShimmerS cookie for iNotes to function properly.

Resolving the problem

Take steps to allow the ShimmerS cookie and the "X-IBM-INOTES-NONCE" field to pass freely and untouched between the browser and Domino.
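To make the two console messages above concrete, here is an added model of the check the technote describes (not IBM's code and not from the technote). It assumes, purely for illustration, that the nonce is an HMAC over the ShimmerS cookie value; the header and cookie names are the technote's, while the server key, cookie value and Referer are constructed. It shows how a proxy that drops unknown headers produces "missing expected nonce value" and one that rewrites cookies produces "unexpected nonce value".

```python
import hashlib
import hmac

# Added model of the iNotes 8.5.2 CSRF check described in the technote. IBM's
# real nonce derivation is not documented here: binding it to the ShimmerS
# cookie with a server-side key is an ASSUMPTION made for illustration only.
SERVER_KEY = b"constructed-demo-key"      # constructed stand-in for a server secret
NONCE_HEADER = "X-IBM-INOTES-NONCE"
SESSION_COOKIE = "ShimmerS"
REFERER = "https://mail.example.test/mail/user.nsf"   # constructed

def nonce_for(shimmers_value: str) -> str:
    """Nonce the server embeds in the page for a given ShimmerS cookie value."""
    return hmac.new(SERVER_KEY, shimmers_value.encode(), hashlib.sha256).hexdigest()

def check_post(headers: dict, cookies: dict) -> tuple:
    """Return (status, console message) for a POST, mirroring the technote's errors."""
    referer = headers.get("Referer", "")
    sent = headers.get(NONCE_HEADER)
    if sent is None:                              # header never reached Domino
        return 400, ("iNotes XSS Security: Invalid Request, missing expected nonce value; "
                     f"with Referer: '{referer}'. Request not processed, throwing exception.")
    expected = nonce_for(cookies.get(SESSION_COOKIE, ""))
    if not hmac.compare_digest(sent, expected):   # cookie altered in transit
        return 400, ("iNotes XSS Security: Invalid Request, unexpected nonce value; "
                     f"with Referer: '{referer}'. Request not processed, throwing exception.")
    return 200, "OK"

def browser_post(shimmers_value: str) -> tuple:
    """A legitimate iNotes POST: the page's nonce in the header, cookie as issued."""
    return ({"Referer": REFERER, NONCE_HEADER: nonce_for(shimmers_value)},
            {SESSION_COOKIE: shimmers_value})

def proxy_allowlists_headers(headers: dict, cookies: dict) -> tuple:
    """Application firewall forwarding only known headers: the nonce is dropped."""
    keep = {"Host", "Referer", "Cookie", "Content-Type"}
    return {k: v for k, v in headers.items() if k in keep}, cookies

def proxy_rewrites_cookies(headers: dict, cookies: dict) -> tuple:
    """Gateway holding cookies in obfuscated form (the technote's VPN case): the
    ShimmerS value Domino sees is no longer the one the nonce was bound to."""
    return headers, {k: "obf-" + v for k, v in cookies.items()}

def outcome(proxy=None) -> tuple:
    """Send one POST, optionally through a proxy, and return Domino's verdict."""
    headers, cookies = browser_post("constructed-shimmers-value")
    if proxy is not None:
        headers, cookies = proxy(headers, cookies)
    return check_post(headers, cookies)
```

Calling outcome() directly returns 200, while outcome(proxy_allowlists_headers) and outcome(proxy_rewrites_cookies) return the two 400 messages the technote quotes.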

IBM Tivoli Directory Server Multiple Security Vulnerabilities

  04/13/11 09:05 pm, Categories: Administration, IBM, security
All info can be found here.

IBM Tivoli Directory Server Multiple Security Vulnerabilities

IBM Tivoli Directory Server is prone to a stack-based buffer-overflow and an information-disclosure vulnerability.

Attackers can exploit these issues to execute arbitrary code within the context of the affected application or retrieve potentially sensitive information.

©2017 by Dennis van Remortel