Vulnerability Note VU#383092

IBM Lotus Notes sets insecure default permissions on program data

Original Release date: 20 Oct 2006 | Last revised: 20 Oct 2006

Overview

IBM Lotus Notes sets insecure default permissions on the Notes directory. This vulnerability may allow a local attacker to gain unintended access to Lotus Notes program data.

Description

IBM Lotus Notes installs numerous program files and program data in a special directory known as the Notes directory. According to IBM Technote #21246773:

    By default, beginning with Notes 6.5.4 and affecting 6.5.5, 7.0 and 7.0.1, "Full Control" access (read/write/execute) to the Notes program and data directory is granted to the Windows group "Everyone".

Impact

A local attacker may be able to gain unintended access to Lotus Notes program data.

Solution

Upgrade to unaffected versions of Lotus Notes
Lotus Notes versions 6.5.6 and 7.0.2 are reportedly not affected by this issue.


Workarounds to mitigate this vulnerability can be found in IBM Technote #21246773

Systems Affected

VendorStatusDate NotifiedDate Updated
Lotus SoftwareVulnerable-20 Oct 2006

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This issue was reported by Carsten Eiram of Secunia Research.

This document was written by Jeff Gennari.

Other Information

  • CVE IDs: CVE-2005-2454
  • Date Public: 18 Oct 2006
  • Date First Published: 20 Oct 2006
  • Date Last Updated: 20 Oct 2006
  • Severity Metric: 1.39
  • Document Revision: 31

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify

Document Feedback

Was this document helpful?   Yes   |   Somewhat   |  No