SECURITYVULNS:DOC:29277
Apr 28, 2013 - 12:00 a.m.

BF and IA vulnerabilities in IBM Lotus Domino

2013-04-28 00:00:00
vulners.com

Hello 3APA3A!

I want to warn you about Brute Force and Insufficient Authentication vulnerabilities in IBM Lotus Domino. These are vulnerabilities in Domino which I found on 03.05.2012, together with other holes.

Last year I announced multiple vulnerabilities in IBM software, and after IBM fixed many of them, I disclosed them. They fixed almost all of the vulnerabilities (with a few exceptions, such as Brute Force in IBM Lotus Notes Traveler) which I had informed them about in May and December, and concerning the other holes they always said that they were working on them. After IBM released Domino 9.0 last month and still had not answered concerning these vulnerabilities, I reminded IBM, and they answered that they would not be fixing them.


Affected products:

Vulnerable are IBM Lotus Domino 8.5.3, 8.5.4, 9.0 and previous versions. These vulnerabilities have been fixed neither in Domino 8.5.4 (released in August 2012) nor in Domino 9.0 (released in March 2013).

As IBM recently told me, almost a year after I informed them about these vulnerabilities, they did not fix them, as they did not see a need for it. According to them, there are built-in mechanisms in Domino for protecting against BF and IA, so these holes are not a problem of the application (but a problem of specific web sites). I.e. they meant that owners of web sites running Lotus Domino need to configure it better for protection against these attacks.


Affected vendors:

IBM Domino (formerly IBM Lotus Domino)
http://www-03.ibm.com/software/products/us/en/ibmdomino/


Details:

Brute Force (WASC-11):

These pages, which require authentication, have no protection against Brute Force attacks:

http://site/names.nsf
http://site/admin4.nsf
http://site/busytime.nsf
http://site/catalog.nsf
http://site/certsrv.nsf
http://site/domlog.nsf
http://site/events4.nsf
http://site/log.nsf
http://site/statrep.nsf
http://site/webadmin.nsf
http://site/web/war.nsf

There are two variants of the login form: Basic Authentication (I found it during a pentest already in 2008) and form-based authentication (I found it during a pentest in 2012, alongside the first variant). In both cases there is no protection against Brute Force.

Insufficient Authentication (WASC-01):

An unprivileged user (with any account at the site, access to which can be obtained via the Brute Force vulnerability) has access to the following pages:

https://site/names.nsf - leakage of information about all users (names, surnames, logins, e-mails and other personal information and settings)

https://site/admin4.nsf - leakage of information about administration requests, including personal information (names, surnames, logins, etc.)

https://site/catalog.nsf - leakage of important information about files on the server and about installed applications and their settings (Application Catalog), including personal information (names, surnames, logins, etc.)

https://site/events4.nsf - leakage of information about events (Monitoring Configuration)

After receiving access to names.nsf, it's possible to use the Information Leakage vulnerability which was found by Leandro Meiners in 2005 (for obtaining password hashes) and which is still not fixed. IBM hasn't fixed it in the default configuration, but only recommended removing the hash field from profiles or using salted hashes. My client used exactly Lotus salted hashes and it hasn't helped (99% of hashes were cracked, including the admin's one).


Timeline:

Read the full timeline in the first advisory (http://securityvulns.ru/docs28474.html).

  • During 16.05-20.05.2012 I wrote announcements about multiple vulnerabilities in IBM software on my site.
  • During 16.05-20.05.2012 I sent five advisories via the contact form on IBM's site.
  • On 31.05.2012 I resent the five advisories to IBM PSIRT, which they received and said they would forward to the developers (of Lotus products).
  • On 18.08.2012 I reminded IBM about these holes and gave enough arguments to fix them.
  • On 14.04.2013 I again reminded IBM about these holes.
  • On 23.04.2013 IBM answered that they would not fix these holes.
  • On 26.04.2013 I disclosed these vulnerabilities on my site (http://websecurity.com.ua/5829/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
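As an added example, not code from the original advisory or from IBM, here is a defender-side check that reviews Domino HTTP access logs for the two issues the advisory describes: repeated 401 responses against the listed databases from one source (Domino applies no lockout itself), and successful reads of those databases by accounts outside an admin allowlist. It assumes the HTTP task writes Common Log Format text logs; the log lines, addresses and user names are constructed.

```python
import re
from collections import Counter

# Databases the advisory lists as lacking lockout and readable by any account.
RESTRICTED_NSF = {
    "names.nsf", "admin4.nsf", "busytime.nsf", "catalog.nsf", "certsrv.nsf",
    "domlog.nsf", "events4.nsf", "log.nsf", "statrep.nsf", "webadmin.nsf",
    "web/war.nsf"}
# Assumption: the Domino HTTP task writes text access logs in Common Log Format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample: one source hammers Basic auth on names.nsf and then gets
# in; an admin opens webadmin.nsf; an ordinary account reads catalog.nsf.
SAMPLE_LOG = "\n".join(
    ['203.0.113.5 - - [28/Apr/2013:10:00:%02d +0300] "GET /names.nsf HTTP/1.1" 401 0' % s
     for s in range(1, 7)]
    + ['203.0.113.5 - jdoe [28/Apr/2013:10:00:09 +0300] "GET /names.nsf HTTP/1.1" 200 4212',
       '198.51.100.7 - admin [28/Apr/2013:10:05:00 +0300] "GET /webadmin.nsf HTTP/1.1" 200 8821',
       '198.51.100.9 - jdoe [28/Apr/2013:10:06:00 +0300] "GET /catalog.nsf?OpenDatabase HTTP/1.1" 200 1200',
       '198.51.100.9 - - [28/Apr/2013:10:07:00 +0300] "GET /index.html HTTP/1.1" 200 512'])

def parse(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Normalise "/catalog.nsf?OpenDatabase" -> "catalog.nsf" for matching.
    rec["db"] = rec["path"].split("?", 1)[0].lstrip("/").lower()
    rec["status"] = int(rec["status"])
    return rec

def brute_force_sources(log_text, threshold=5):
    """{ip: failures} for sources with >= threshold 401s on the listed databases."""
    fails = Counter()
    for line in log_text.splitlines():
        r = parse(line)
        if r and r["status"] == 401 and r["db"] in RESTRICTED_NSF:
            fails[r["ip"]] += 1
    return {ip: n for ip, n in fails.items() if n >= threshold}

def non_admin_reads(log_text, admins):
    """Sorted (user, db) pairs where a non-admin account opened a listed database."""
    hits = set()
    for line in log_text.splitlines():
        r = parse(line)
        if (r and r["status"] == 200 and r["db"] in RESTRICTED_NSF
                and r["user"] != "-" and r["user"] not in admins):
            hits.add((r["user"], r["db"]))
    return sorted(hits)
```

Form-based logins fail with a re-served login page rather than a 401, so that variant needs a separate signal (for example repeated POSTs to the login URL from one source) that this check does not cover.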