Executive Summary

Summary
Title: IBM Lotus Domino server mailbox name stack buffer overflow
Information
Name: VU#676632
First vendor publication: 2017-04-17
Vendor: VU-CERT
Last vendor modification: 2017-04-27
Severity (Vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact Sub Score: NA
Temporal Score: NA
Exploitability Sub Score: NA
 

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CVSS Base Score: 6.5
Attack Range: Network
CVSS Impact Score: 6.4
Attack Complexity: Low
CVSS Exploit Score: 8
Authentication: Requires single instance

Detail

Vulnerability Note VU#676632

IBM Lotus Domino server mailbox name stack buffer overflow

Original Release date: 17 Apr 2017 | Last revised: 27 Apr 2017

Overview

The IBM Lotus Domino server IMAP service contains a stack-based buffer overflow vulnerability in IMAP commands that refer to a mailbox name. This can allow a remote, authenticated attacker to execute arbitrary code with the privileges of the Domino server.

Description

IBM Lotus Domino includes an IMAP server. This server contains a stack buffer overflow in the handling of mailbox names. By specifying a large mailbox name, an attacker can trigger a stack-based buffer overflow. Because IMAP commands that refer to a mailbox name are used after authentication, this vulnerability appears to only be exploitable by authenticated attackers. We have confirmed that this vulnerability affects Domino server 9.0.1FP8 and earlier versions. This exploit has been referred to by the "EMPHASISMINE" code name. Public exploit code uses the EXAMINE IMAP command, but other IMAP commands that refer to mailbox names may also be used.

Note that on Windows at least one library used by Domino does not opt in to using ASLR, which makes exploitation trivial even on modern Windows platforms. This vulnerability is also exploitable when Domino is running on other platforms, such as Linux.
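
Added example (not part of the original vulnerability note, and not IBM or CERT code): a log or traffic check that flags IMAP client commands whose mailbox-name argument is unusually long, covering EXAMINE and the other RFC 3501 commands that take a mailbox name. The 255-byte limit, the function names and the sample lines are assumptions made for illustration; the note does not state a buffer size.

```python
import re

# Zero-based positions of the mailbox arguments for RFC 3501 commands.
MAILBOX_ARGS = {"SELECT": (0,), "EXAMINE": (0,), "CREATE": (0,), "DELETE": (0,),
                "SUBSCRIBE": (0,), "UNSUBSCRIBE": (0,), "STATUS": (0,),
                "APPEND": (0,), "RENAME": (0, 1), "LIST": (0, 1),
                "LSUB": (0, 1), "COPY": (1,)}
MAX_MAILBOX_LEN = 255  # assumed policy limit; the advisory gives no size
# One argument: quoted string, {n} / {n+} literal announcement, or atom.
TOKEN = re.compile(r'"((?:\\.|[^"\\])*)"|\{(\d+)\+?\}|(\S+)')

def arg_lengths(rest):
    """Return the length in bytes that each argument declares or carries."""
    out = []
    for m in TOKEN.finditer(rest):
        quoted, literal, atom = m.groups()
        if quoted is not None:
            out.append(len(re.sub(r"\\(.)", r"\1", quoted)))
        elif literal is not None:
            out.append(int(literal))   # data follows on later lines
        else:
            out.append(len(atom))
    return out

def check_line(line):
    """Return (command, length) for an oversized mailbox argument, else None."""
    _tag, _, rest = line.rstrip("\r\n").partition(" ")
    cmd, _, rest = rest.partition(" ")
    if cmd.upper() == "UID":           # e.g. UID COPY <set> <mailbox>
        cmd, _, rest = rest.partition(" ")
    lengths = arg_lengths(rest)
    for pos in MAILBOX_ARGS.get(cmd.upper(), ()):
        if pos < len(lengths) and lengths[pos] > MAX_MAILBOX_LEN:
            return cmd.upper(), lengths[pos]
    return None

def scan(lines):
    """Return [(line_number, command, length)] for every flagged line."""
    return [(n, *hit) for n, line in enumerate(lines, 1)
            if (hit := check_line(line))]

# Constructed sample of client-to-server lines, not captured traffic.
SAMPLE = [
    "a001 SELECT INBOX",
    "a002 EXAMINE INBOX",
    'a003 EXAMINE "' + "x" * 1200 + '"',
    "a004 STATUS {4096}",
    "a005 UID COPY 1:* Archive",
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Run it over decoded IMAP session logs after authentication events; a hit on any mailbox-name command, not only EXAMINE, is worth reviewing on unpatched servers.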

Impact

By sending a specially-crafted IMAP command that references a mailbox name to an affected server, a remote, authenticated attacker can execute arbitrary code on the Domino system with the privileges of the Domino IMAP server.

Solution

Apply an update

This issue is addressed in IBM Domino 9.0.1 Fix Pack 8 Interim Fix 2, and 8.5.3 Fix Pack 6 Interim Fix 17. Please see the IBM Security Bulletin for more details.

Please also consider the following workarounds:

Use the Microsoft Enhanced Mitigation Experience Toolkit

The Microsoft Enhanced Mitigation Experience Toolkit (EMET) can be used to help prevent exploitation of this and other vulnerabilities on the Windows platform.

Vendor Information

Vendor | Status | Date Notified | Date Updated
IBM Corporation | Affected | 17 Apr 2017 | 27 Apr 2017

CVSS Metrics

Group | Score | Vector
Base | 9.0 | AV:N/AC:L/Au:S/C:C/I:C/A:C
Temporal | 8.5 | E:F/RL:ND/RC:C
Environmental | 6.4 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • http://www-01.ibm.com/support/docview.wss?uid=swg22002280
  • https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-domino-server-imap-examine-command-stack-buffer-overflow-cve-2017-1274/
  • https://tools.ietf.org/html/rfc3501#section-6.3.2
  • https://support.microsoft.com/en-us/help/2458544/the-enhanced-mitigation-experience-toolkit

Credit

This document was written by Will Dormann.

Other Information

  • CVE IDs: CVE-2017-1274
  • Date Public: 14 Apr 2017
  • Date First Published: 17 Apr 2017
  • Date Last Updated: 27 Apr 2017
  • Document Revision: 43


Original Source

Url : http://www.kb.cert.org/vuls/id/676632

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer

CPE : Common Platform Enumeration

Type | Description | Count
Application | | 5

Snort® IPS/IDS

Date Description
2018-06-05 Multiple IMAP servers DELETE command buffer overflow attempt
RuleID : 46484 - Revision : 2 - Type : SERVER-MAIL
2016-03-14 Multiple IMAP servers EXAMINE command buffer overflow attempt
RuleID : 37375 - Revision : 4 - Type : SERVER-MAIL
2014-01-10 STATUS overflow attempt
RuleID : 3072-community - Revision : 19 - Type : PROTOCOL-IMAP
2014-01-10 STATUS overflow attempt
RuleID : 3072 - Revision : 19 - Type : PROTOCOL-IMAP
2014-01-10 Multiple IMAP servers CREATE command buffer overflow attempt
RuleID : 17239 - Revision : 12 - Type : SERVER-MAIL
2014-01-10 Multiple IMAP servers APPEND command buffer overflow attempt
RuleID : 10011 - Revision : 18 - Type : SERVER-MAIL

Nessus® Vulnerability Scanner

Date Description
2017-12-21 Name : A business collaboration application running on the remote host is affected b...
File : domino_8_5_3fp6_if17.nasl - Type : ACT_GATHER_INFO
2017-04-26 Name : A business collaboration application running on the remote host is affected b...
File : domino_swg22002280.nasl - Type : ACT_GATHER_INFO

Alert History

Date Information
2017-05-05 17:24:51
  • Multiple Updates
2017-04-27 17:23:13
  • Multiple Updates
2017-04-22 05:22:42
  • Multiple Updates
2017-04-22 00:21:44
  • Multiple Updates
2017-04-19 17:22:41
  • Multiple Updates
2017-04-19 05:21:51
  • Multiple Updates
2017-04-19 00:22:21
  • Multiple Updates
2017-04-18 00:22:55
  • First insertion