Hello list!
I want to warn you about Brute Force and Insufficient Authentication
vulnerabilities in IBM Lotus Domino. These are vulnerabilities in Domino,
which I've found at 03.05.2012 together with other holes.
Last year I've announced multiple vulnerabilities in IBM software and after
IBM fixed many of them, I've disclosed them. They fixed almost all
vulnerabilities (with few exceptions, like Brute Force in IBM Lotus Notes
Traveler), which I've informed them in May and December, and concerning
other holes they always told, that they were working on them. After IBM
released Domino 9.0 last month and still not answered concerning these
vulnerabilities, I've reminded IBM and they answered, that they would not be
fixing them.
-------------------------
Affected products:
-------------------------
Vulnerable are IBM Lotus Domino 8.5.3, 8.5.4, 9.0 and previous versions.
These vulnerabilities haven't been fixed non in Domino 8.5.4 (released in
August 2012), nor in Domino 9.0 (released in Match 2013).
As recently IBM told me, almost after a year since my informing about these
vulnerabilities, they didn't fixed them, as they didn't see a need in it.
Because, according to them, there are built-in mechanisms in Domino for
protecting against BF and IA, so these holes are not a problem of the
application (but a problem of specific web sites). I.e. they meant, that
owners of web sites with Lotus Domino need to better configure it for
protection against these attacks.
-------------------------
Affected vendors:
-------------------------
IBM Domino (formerly IBM Lotus Domino)
http://www-03.ibm.com/software/products/us/en/ibmdomino/
----------
Details:
----------
Brute Force (WASC-11):
These pages, which require authentication, have no protection against Brute
Force attacks:
http://site/names.nsf
http://site/admin4.nsf
http://site/busytime.nsf
http://site/catalog.nsf
http://site/certsrv.nsf
http://site/domlog.nsf
http://site/events4.nsf
http://site/log.nsf
http://site/statrep.nsf
http://site/webadmin.nsf
http://site/web/war.nsf
There are two variants of login form: Basic Authentication (I found it
during pentest already in 2008) and form-based authentication (I found it
during pentest in 2012, alongside with the first variant). In both cases
there is no protection against Brute Force.
Insufficient Authentication (WASC-01):
Unprivileged user (with any account at the site, access to which can be
received via Brute Force vulnerability) has access to the next pages:
https://site/names.nsf - leakage of information about all users (names,
surnames, logins, e-mails and other personal information and settings)
https://site/admin4.nsf - leakage of information about administration
requests, including personal information (names, surnames, logins, etc.)
https://site/catalog.nsf - leakage of important information about files at
the server, about installed applications and their settings (Application
Catalog), including personal information (names, surnames, logins, etc.)
https://site/events4.nsf - leakage of information about events (Monitoring
Configuration)
After receiving access to names.nsf, it's possible to use Information
Leakage vulnerability, which found by Leandro Meiners in 2005 (for getting
password hashes) and which is still not fixed. IBM hasn't fixed it in
default configuration, but only recommended to remove hash field from
profiles or to use salted hashes. My client has used exactly Lotus salted
hashes and it hasn't helped (99% of hashes were picked up, including admin's
one).
------------
Timeline:
------------
Full timeline read in the first advisory
( http://securityvulns.ru/docs28474.html ).
- During 16.05-20.05.2012 I've wrote announcements about multiple
vulnerabilities in IBM software at my site.
- During 16.05-20.05.2012 I've wrote five advisories via contact form at IBM
site.
- At 31.05.2012 I've resend five advisories to IBM PSIRT, which they
received and said they would send them to the developers (of Lotus
products).
- At 18.08.2012 I've reminded IBM about these holes and gave enough
arguments to fix them.
- At 14.04.2013 I've again remind IBM about these holes.
- At 23.04.2013 IBM answered that they would not fix these holes.
- At 26.04.2013 I've disclosed these vulnerabilities at my site
( http://websecurity.com.ua/5829/ ).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
I want to warn you about Brute Force and Insufficient Authentication
vulnerabilities in IBM Lotus Domino. These are vulnerabilities in Domino,
which I've found at 03.05.2012 together with other holes.
Last year I've announced multiple vulnerabilities in IBM software and after
IBM fixed many of them, I've disclosed them. They fixed almost all
vulnerabilities (with few exceptions, like Brute Force in IBM Lotus Notes
Traveler), which I've informed them in May and December, and concerning
other holes they always told, that they were working on them. After IBM
released Domino 9.0 last month and still not answered concerning these
vulnerabilities, I've reminded IBM and they answered, that they would not be
fixing them.
-------------------------
Affected products:
-------------------------
Vulnerable are IBM Lotus Domino 8.5.3, 8.5.4, 9.0 and previous versions.
These vulnerabilities haven't been fixed non in Domino 8.5.4 (released in
August 2012), nor in Domino 9.0 (released in Match 2013).
As recently IBM told me, almost after a year since my informing about these
vulnerabilities, they didn't fixed them, as they didn't see a need in it.
Because, according to them, there are built-in mechanisms in Domino for
protecting against BF and IA, so these holes are not a problem of the
application (but a problem of specific web sites). I.e. they meant, that
owners of web sites with Lotus Domino need to better configure it for
protection against these attacks.
-------------------------
Affected vendors:
-------------------------
IBM Domino (formerly IBM Lotus Domino)
http://www-03.ibm.com/software/products/us/en/ibmdomino/
----------
Details:
----------
Brute Force (WASC-11):
These pages, which require authentication, have no protection against Brute
Force attacks:
http://site/names.nsf
http://site/admin4.nsf
http://site/busytime.nsf
http://site/catalog.nsf
http://site/certsrv.nsf
http://site/domlog.nsf
http://site/events4.nsf
http://site/log.nsf
http://site/statrep.nsf
http://site/webadmin.nsf
http://site/web/war.nsf
There are two variants of login form: Basic Authentication (I found it
during pentest already in 2008) and form-based authentication (I found it
during pentest in 2012, alongside with the first variant). In both cases
there is no protection against Brute Force.
Insufficient Authentication (WASC-01):
Unprivileged user (with any account at the site, access to which can be
received via Brute Force vulnerability) has access to the next pages:
https://site/names.nsf - leakage of information about all users (names,
surnames, logins, e-mails and other personal information and settings)
https://site/admin4.nsf - leakage of information about administration
requests, including personal information (names, surnames, logins, etc.)
https://site/catalog.nsf - leakage of important information about files at
the server, about installed applications and their settings (Application
Catalog), including personal information (names, surnames, logins, etc.)
https://site/events4.nsf - leakage of information about events (Monitoring
Configuration)
After receiving access to names.nsf, it's possible to use Information
Leakage vulnerability, which found by Leandro Meiners in 2005 (for getting
password hashes) and which is still not fixed. IBM hasn't fixed it in
default configuration, but only recommended to remove hash field from
profiles or to use salted hashes. My client has used exactly Lotus salted
hashes and it hasn't helped (99% of hashes were picked up, including admin's
one).
------------
Timeline:
------------
Full timeline read in the first advisory
( http://securityvulns.ru/docs28474.html ).
- During 16.05-20.05.2012 I've wrote announcements about multiple
vulnerabilities in IBM software at my site.
- During 16.05-20.05.2012 I've wrote five advisories via contact form at IBM
site.
- At 31.05.2012 I've resend five advisories to IBM PSIRT, which they
received and said they would send them to the developers (of Lotus
products).
- At 18.08.2012 I've reminded IBM about these holes and gave enough
arguments to fix them.
- At 14.04.2013 I've again remind IBM about these holes.
- At 23.04.2013 IBM answered that they would not fix these holes.
- At 26.04.2013 I've disclosed these vulnerabilities at my site
( http://websecurity.com.ua/5829/ ).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua