search menu icon-carat-right cmu-wordmark

CERT Coordination Center


IBM Lotus Domino server mailbox name stack buffer overflow

Vulnerability Note VU#676632

Original Release Date: 2017-04-17 | Last Revised: 2017-04-27

Overview

The IBM Lotus Domino server IMAP service contains a stack-based buffer overflow vulnerability in IMAP commands that refer to a mailbox name. This can allow a remote, authenticated attacker to execute arbitrary code with the privileges of the Domino server

Description

IBM Lotus Domino includes an IMAP server. This server contains a stack buffer overflow in the handling of mailbox names. By specifying a large mailbox name, an attacker can trigger a stack-based buffer overflow. Because IMAP commands that refer to a mailbox name are used after authentication, this vulnerability appears to only be exploitable by authenticated attackers. We have confirmed that this vulnerability affects Domino server 9.0.1FP8 and earlier versions. This exploit has been referred to by the "EMPHASISMINE" code name. Public exploit code uses the EXAMINE IMAP command, but other IMAP commands that refer to mailbox names may also be used.

Note that on Windows at least one library used by Domino does not opt in to using ASLR, which makes exploitation trivial even on modern Windows platforms. This vulnerability is also exploitable when Domino is running on other platforms, such as Linux.

Impact

By sending a specially-crafted IMAP command that references a mailbox name to an affected server, a remote, authenticated attacker can execute arbitrary code on the Domino system with the privileges of the Domino IMAP server.

Solution

Apply an update

This issue is addressed in IBM Domino 9.0.1 Fix Pack 8 Interim Fix 2, and 8.5.3 Fix Pack 6 Interim Fix 17. Please see the IBM Security Bulletin for more details.

Please also consider the following workarounds:

Use the Microsoft Enhanced Mitigation Experience Toolkit

The Microsoft Enhanced Mitigation Experience Toolkit (EMET) can be used to help prevent exploitation of this and other vulnerabilities on the Windows platform.

Vendor Information

676632
Expand all

IBM Corporation

Notified:  April 17, 2017 Updated:  April 27, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://www-01.ibm.com/support/docview.wss?uid=swg22002280 https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-domino-server-imap-examine-command-stack-buffer-overflow-cve-2017-1274/

Addendum

This issue is addressed in IBM Domino 9.0.1 Fix Pack 8 Interim Fix 2, and 8.5.3 Fix Pack 6 Interim Fix 17. Please see the IBM Security Bulletin for more details. Despite what the IBM security bulletin indicates, IBM Domino does not fully employ ASLR on any platform that we have tested. Windows or Linux, 32-bit or 64-bit.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C
Temporal 8.5 E:F/RL:ND/RC:C
Environmental 6.4 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2017-1274
Date Public: 2017-04-14
Date First Published: 2017-04-17
Date Last Updated: 2017-04-27 14:32 UTC
Document Revision: 43

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.