SecurityTracker.com
Category:   Application (Generic)  >   IBM Lotus Notes
Vendors:   IBM
IBM Lotus Notes Debug Function Discloses Passwords to Administrative Users
SecurityTracker Alert ID:  1018433
SecurityTracker URL:  http://securitytracker.com/id/1018433
CVE Reference:   CVE-2007-4309
Updated:  Apr 24 2008
Original Entry Date:  Jul 19 2007
Impact:   Disclosure of authentication information
Vendor Confirmed:  Yes
Exploit Included:  Yes

Description:   A vulnerability was reported in IBM Lotus Notes. An administrator can view user passwords.

An authenticated Notes administrator can invoke a debug function configured via the 'Notes.INI' configuration file to cause user passwords to be logged in plain text when the user password is changed.

Juergen Schmidt of Heise Security reported this vulnerability.

The original advisory is available at:

http://www.heise-security.co.uk/news/92958

Impact:   An authenticated Notes administrator can view user passwords.
Solution:   The vendor plans to issue a fix in versions 8.0, 7.0.3, and all future versions.

The IBM advisory is available at:

http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21266085

Vendor URL:  www-1.ibm.com/support/docview.wss?rs=475&uid=swg21266085
Cause:   Access control error
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  Thu, 19 Jul 2007 20:30:16 +0200 (CEST)
Subject:  [Full-disclosure] heise Security: Password exposure in Lotus Notes

Excerpt from: http://www.heise-security.co.uk/news/92958

------
Password exposure in Lotus Notes

A debug function in version 5 and up of Lotus Notes can be used to write a 
file containing the new password in plain text when a user password is 
changed. This function has been designed to bring more transparency into 
password quality verification. If two additional lines are entered in the 
Notes.INI configuration file, Notes will log the evaluation.

Since the Notes.INI file on a user’s hard disk must be manipulated, 
physical access to the system is required to exploit this flaw. But there 
are various possibilities within Notes to manipulate this file, which can, 
in turn, also be used to protect systems from this vulnerability.

Assessment:

Notes uses the password to protect the certificate storage Notes.ID used 
by every user for authentication. This file is encrypted or decrypted with 
the user password. Together with the Notes certificates, Notes.ID also 
stores the user's private key and X.509 certificates, where required. For 
this reason, it is of utmost importance to ensure that nobody can create a 
copy of the password and Notes.ID at the same time. If somebody gains 
concurrent access to both the log file and the Notes.ID, this person can 
authenticate himself to Notes at any time.

Even though administrators can eliminate exploitation of this debug 
function in most cases, a Notes administrator with appropriate privileges 
is able to discover all user passwords. Some Notes customers have 
implemented complex solutions to allow for the central storage of password 
changes, while resetting passwords is only possible based on the four-eye 
principle, i.e. administration and revision must work together to do so. 
The debug function makes it possible to bypass this security policy.
(Volker Weber)
------


For a more detailed analysis, please see the original article on: 
http://www.heise-security.co.uk/news/92958



bye, ju


-- 
Juergen Schmidt, editor-in-chief heise Security www.heise-security.co.uk
GPG-Key: 0x38EA4970,  5D7B 476D 84D5 94FF E7C5  67BE F895 0A18 38EA 4970
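
The message above notes that the debug logging depends on lines being added to Notes.INI. As an added example (not part of the advisory or the heise article), the following Python check compares a workstation's Notes.INI with an approved baseline and reports added or changed settings. The keys `EXAMPLE_DEBUG_FLAG` and `EXAMPLE_DEBUG_LOGFILE`, the sample file contents, and case-insensitive key matching are assumptions of this example.

```python
"""Baseline drift check for Notes.INI (added example; all sample data is constructed)."""

# Constructed approved baseline for a workstation.
BASELINE = r"""[Notes]
Directory=C:\Lotus\Notes\Data
KeyFilename=user.id
MailServer=CN=Mail01/O=Example
"""

# Constructed current file: two hypothetical placeholder keys were added,
# one value was changed, and one key differs only in letter case.
CURRENT = r"""[Notes]
Directory=C:\Lotus\Notes\Data
keyfilename=user.id
MailServer=CN=Mail02/O=Example
EXAMPLE_DEBUG_FLAG=1
EXAMPLE_DEBUG_LOGFILE=C:\temp\out.txt
"""


def parse_notes_ini(text):
    """Return {lowercased key: (key as written, value)} for key=value lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines and the [Notes] section header.
        if not line or line.startswith("["):
            continue
        # Split on the first '=' only; values may themselves contain '='.
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = (key.strip(), value.strip())
    return settings


def audit(baseline_text, current_text, ignore=()):
    """List (kind, key, value) for settings added or changed versus the baseline."""
    base = parse_notes_ini(baseline_text)
    cur = parse_notes_ini(current_text)
    skip = {k.lower() for k in ignore}  # settings expected to differ per user
    findings = []
    for lkey, (key, value) in sorted(cur.items()):
        if lkey in skip:
            continue
        if lkey not in base:
            findings.append(("added", key, value))
        elif base[lkey][1] != value:
            findings.append(("changed", key, value))
    return findings


if __name__ == "__main__":
    for kind, key, value in audit(BASELINE, CURRENT):
        print(f"{kind:8} {key} = {value}")
```

Any added setting that points at an output file also identifies a file to locate and secure, since the message stresses that the log and Notes.ID must not be obtainable together.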

 
 



Copyright 2014, SecurityGlobal.net LLC