IBM Lotus Notes arbitrary code execution

2013.05.01
Credit: n.runs
Risk: High
Local: No
Remote: Yes
CWE: CWE-264


CVSS Base Score: 5.8/10
Impact Subscore: 4.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

n.runs AG
http://www.nruns.com/
security(at)nruns.com

n.runs-SA-2013.005
30-APR-2013
________________________________________________________________________

Vendors: IBM, http://www.IBM.com
Product: Lotus Notes 8.5.3
Vulnerability: arbitrary code execution
Tracking IDs: CVE-2013-0127, CERT VU#912420
________________________________________________________________________

Vendor communication:

2013-02-22: Reported to IBM PSIRT via email
2013-02-25: IBM PSIRT acknowledges the receipt; vulnerability details have been forwarded to Notes developers
2013-03-18: Informed CERT of planned advisory date of 2013-04-15 and asked them to help with coordinated disclosure
2013-03-19: CERT informs IBM as VU#912420
2013-03-25: IBM requests holding off on disclosing the issue until a fix is released, which will occur before April 30th, 2013
2013-03-26: n.runs agrees to delay the disclosure
2013-04-30: Coordinated disclosure with CERT and IBM PSIRT
________________________________________________________________________

Overview:

The Lotus Notes mail client accepts <applet> tags inside HTML emails, making it possible to load Java applets from a remote location. Combined with known Java sandbox escape vulnerabilities, it can be used to fully compromise the user reading the email.

Description:

Notes 8.5.3 does not filter <applet> tags inside HTML emails. This can be used to load arbitrary Java applets from remote sources (making it an information disclosure as well, since it can be used to trigger an HTTP request once the mail is previewed/opened).

Notes 8.5.3 FP3 ships with IBM Java 6 SR12 (since November 2012); older versions may ship with older Java releases. IBM's Java Security alerts page at http://www.ibm.com/developerworks/java/jdk/alerts/ shows several vulnerabilities with a CVSS score of 10 which have only been fixed in IBM Java 6 SR13. This would allow attackers to compromise users reading/previewing an email.

Impact:

Arbitrary code execution as the user is reading the email.

Verification:

Send an email to lotus-notes-java-test () klink name to get an automatic email back which checks whether Java applets and LiveConnect are enabled. The Java applet used for testing will not deliver any exploit code but just checks whether Java applets are loaded correctly.

Fixes:

Execution of Java applets is blocked for emails from the internet in Notes 8.5.3 FP4 Interim Fix 1 and Notes 9.0 Interim Fix 1. See also http://www-01.ibm.com/support/docview.wss?uid=swg21633819

Workarounds:

Turn off the execution of Java applets using the EnableJavaApplets=0 directive in notes.ini. It is also recommended to turn off LiveConnect with EnableLiveConnect=0, as this provides another way to execute Java code even if EnableJavaApplets is set to zero. Alternatively, the File -> Preferences -> Basic Notes Client Preferences GUI can be used to uncheck the "Enable Java applets" and the "Enable Java access from JavaScript" options.

As Java applets are still executed for internal emails, it is strongly recommended to turn off this feature regardless of the implementation of the above-mentioned fix.
________________________________________________________________________

Credits:

Alexander Klink, n.runs AG
________________________________________________________________________

References:

This advisory and upcoming advisories: http://www.nruns.com/security_advisory.php
________________________________________________________________________

About n.runs:

n.runs AG is a vendor-independent consulting company specialising in the areas of: IT Infrastructure, IT Security and IT Business Consulting.

Copyright Notice:

Unaltered electronic reproduction of this advisory is permitted. For all other reproduction or publication, in printing or otherwise, contact security () nruns com for permission. Use of the advisory constitutes acceptance for use in an "as is" condition. All warranties are excluded. In no event shall n.runs be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if n.runs has been advised of the possibility of such damages.

Copyright 2013 n.runs AG. All rights reserved. Terms of use apply.
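The two defensive checks that follow from the advisory, as an added example that is not part of the n.runs text or of any IBM tooling: a parser that flags <applet> tags in an HTML mail body (the vector the advisory describes) and reports where their code would be fetched from, and a notes.ini check that confirms both EnableJavaApplets and EnableLiveConnect are set to 0, since the advisory notes that applets can still run through LiveConnect when only the first directive is set. The mail body and notes.ini fragments are constructed for the example; the host name in the sample applet tag is a placeholder.

```python
"""Defender-side checks for <applet> tags in HTML mail and for the notes.ini
workaround (EnableJavaApplets=0 plus EnableLiveConnect=0).

Example code added alongside the advisory, not from n.runs or IBM.
All sample inputs below are constructed.
"""
from html.parser import HTMLParser


class AppletFinder(HTMLParser):
    """Collect every <applet> tag with the attributes that decide where the
    applet's bytecode is loaded from (code, codebase, archive)."""

    def __init__(self):
        super().__init__()
        self.applets = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <APPLET ...> is caught too.
        if tag == "applet":
            a = dict(attrs)
            codebase = a.get("codebase") or ""
            self.applets.append({
                "code": a.get("code"),
                "codebase": a.get("codebase"),
                "archive": a.get("archive"),
                # A codebase pointing at an http(s) URL means the applet would be
                # fetched from a remote host when the mail is previewed/opened.
                "remote": codebase.lower().startswith(("http://", "https://")),
            })


def find_applets(html_body):
    """Return one dict per <applet> tag found in html_body (empty list if none)."""
    parser = AppletFinder()
    parser.feed(html_body)
    parser.close()
    return parser.applets


def notes_ini_java_settings(ini_text):
    """Parse notes.ini text and report the effective state of the two directives.

    A missing directive is treated as enabled, because the feature is on unless
    it is explicitly turned off. Java from mail counts as blocked only when
    both EnableJavaApplets and EnableLiveConnect are 0."""
    values = {}
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        values[key.strip().lower()] = val.strip()
    applets_off = values.get("enablejavaapplets", "1") == "0"
    liveconnect_off = values.get("enableliveconnect", "1") == "0"
    return {
        "applets_off": applets_off,
        "liveconnect_off": liveconnect_off,
        "java_from_mail_blocked": applets_off and liveconnect_off,
    }


# Constructed sample HTML mail body: one applet pulled from a placeholder host.
SAMPLE_MAIL_BODY = """<html><body>
<p>Quarterly report attached.</p>
<APPLET code="Loader.class" codebase="http://applet-host.invalid/applets/" width="1" height="1"></APPLET>
</body></html>"""

# Constructed notes.ini fragments: only the first directive set (insufficient),
# and both directives set (the advisory's recommended workaround).
SAMPLE_INI_WEAK = "EnableJavaApplets=0\n"
SAMPLE_INI_HARDENED = "EnableJavaApplets=0\nEnableLiveConnect=0\n"


if __name__ == "__main__":
    for applet in find_applets(SAMPLE_MAIL_BODY):
        print("applet found:", applet)
    print("weak notes.ini:", notes_ini_java_settings(SAMPLE_INI_WEAK))
    print("hardened notes.ini:", notes_ini_java_settings(SAMPLE_INI_HARDENED))
```

Running the block reports the single applet with its remote codebase and shows that the one-directive notes.ini leaves `java_from_mail_blocked` false while the two-directive one makes it true. The ini parser is deliberately minimal (key=value lines, `;` comments) because that is all a notes.ini needs for this check.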

References:

http://www.nruns.com/security_advisory.php
http://seclists.org/fulldisclosure/2013/Apr/262
http://www-01.ibm.com/support/docview.wss?uid=swg21633819

