logo Home

Untitled Document

Home > Archives Advisories > Articles


Untitled Document
Untitled Document

Lotus Notes/Domino R6-beta PROTOS LDAP Denial of Service Regression
Date: 2003-03-14

Author : Rapid 7 Security Advisories - advisory@rapid7.com

1. Affected system(s):

KNOWN VULNERABLE:
o Lotus Notes/Domino R6 pre-release and beta versions
o Lotus Domino R5.0.7 and earlier

NOT VULNERABLE:
o Lotus Notes/Domino R6.0 Gold
o Lotus Notes/Domino R6.0.1
o Lotus Notes/Domino R5.0.7a through R5.0.12

2. Summary

In July 2001, the PROTOS protocol testing group at the University
of Oulu in Finland released an LDAP protocol test suite that exposed
flaws in LDAP implementations from multiple vendors. [1]

Lotus Domino R5.0.7 and earlier were affected by the PROTOS LDAP
issues, resulting in buffer overflows and denial of service against
the Domino server. Lotus addressed these issues in Domino R5.0.7a,
released May 18th 2001. [2]

While regression testing the pre-release and beta versions of Lotus
Domino R6 with the PROTOS LDAP test suite, we found that these
releases were vulnerable to the issues PROTOS discovered.

3. Vendor status and information

Lotus
http://www.lotus.com/
http://www.ibm.com/

Lotus was notified and they have fixed this vulnerability. Lotus
originally tracked these issues as SPR #DWUU4W6NC8 and are tracking
the R6 beta issues with this SPR. [3]

See the References section for more information.

4. Solution

Users running R6 beta and pre-release builds should upgrade to R6.0
Gold or higher. Due to other vulnerabilities discovered in R6.0
Gold, you should consider upgrading to R6.0.1, which was released in
February 2003.

Users running R5.0.7a and higher are not affected.

Domino incremental installers may be downloaded from the following
URL (which has been wrapped):

http://www14.software.ibm.com
/webapp/download/search.jsp?go=y&rs=ESD-DMNTSRVRi&sb=r

5. Detailed analysis

Credit for discovery of this vulnerability goes to the PROTOS
project. Please see their LDAP test suite page for more
information. [1]

6. References

[1] PROTOS - Security Testing of Protocol Implementations
http://www.ee.oulu.fi/research/ouspg/protos/

[2] Lotus statement about LDAP vulnerability fixes
http://www.kb.cert.org/vuls/id/JPLA-4WESN5

[3] Lotus SPR #DWUU4W6NC8
http://www.notes.net/r5fixlist.nsf/Search!SearchView&Query=DWUU4W6NC8

7. Contact Information

Rapid7 Security Advisories
Email: advisory@rapid7.com
Web: http://www.rapid7.com/
Phone: +1 (212) 558-8700

8. Disclaimer and Copyright

Rapid7, Inc. is not responsible for the misuse of the information
provided in our security advisories. These advisories are a service
to the professional security community. There are NO WARRANTIES
with regard to this information. Any application or distribution of
this information constitutes acceptance AS IS, at the user's own
risk. This information is subject to change without notice.

This advisory Copyright (C) 2003 Rapid7, Inc. Permission is
hereby granted to redistribute this advisory, providing that no
changes are made and that the copyright notices and disclaimers
remain intact.



 

arrowSearch Advisories

arrowNewsletter

Free weekly Newsletter.

Please enter your email address here:
arrowReport Vulnerability

If you've found a vulnerability please
click here to report it.
arrowPartners

newsnow

About Us | Contact Us | Advertise | email | Backend flag
Copyright © 2016-2017 Security Corporation - All Rights Reserved - Legal - Privacy Policy