Vulnerability Note VU#383092

IBM Lotus Notes sets insecure default permissions on program data

Overview

IBM Lotus Notes sets insecure default permissions on the Notes directory. This vulnerability may allow a local attacker to gain unintended access to Lotus Notes program data.

I. Description

IBM Lotus Notes installs numerous program files and program data in a special directory known as the Notes directory. According to IBM Technote #21246773:

By default, beginning with Notes 6.5.4 and affecting 6.5.5, 7.0 and 7.0.1, "Full Control" access (read/write/execute) to the Notes program and data directory is granted to the Windows group "Everyone".

II. Impact

A local attacker may be able to gain unintended access to Lotus Notes program data.

III. Solution

Upgrade to unaffected versions of Lotus Notes

Lotus Notes versions 6.5.6 and 7.0.2 are reportedly not affected by this issue.

Workarounds to mitigate this vulnerability can be found in IBM Technote #21246773.�

Systems Affected

Vendor	Status	Date Updated
Lotus Software	Vulnerable	20-Oct-2006

References

http://secunia.com/secunia_research/2005-29/
http://secunia.com/advisories/19537/
http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21246773

Credit

This issue was reported by Carsten Eiram of Secunia Research.

This document was written by Jeff Gennari.

Other Information

Date Public	10/18/2006
Date First Published	10/20/2006 07:42:56 AM
Date Last Updated	10/20/2006
CERT Advisory
CVE-ID(s)	CVE-2005-2454
NVD-ID(s)	CVE-2005-2454
US-CERT Technical Alerts
Metric	1.39
Document Revision	31

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Produced 2006 by US-CERT, a government organization
Disclaimers and copyright information

Get Adobe Reader