Lotus Domino Vulnerability

Updated (3.1.1)

Impact

A remote attacker could cause a denial of service or execute arbitrary commands on the server.

Background

The Lotus Domino family of servers includes an e-mail server which implements the Simple Mail Transfer Protocol (SMTP). It also supports extensions which allow for the use of delivery status notifications, which provide information about the delivery status of an e-mail message to the sender. The ENVID keyword is optionally used by an e-mail client to specify an identifier for an outgoing message. This identifier is then included in any delivery status notifications regarding that message.

The Problem

By sending a very long argument to the ENVID keyword, it is possible to cause a buffer overflow in the mail server. This condition could be exploited by a remote attacker to cause a denial of service or to execute arbitrary code. Lotus Domino versions 5 through 5.04 are affected by this vulnerability.

A second, unrelated vulnerability could allow an attacker to cause a denial of service in Lotus Domino 5.0.2a and 5.0.2c by sending a very long argument to the RCPT TO, SAML FROM, or SOML FROM commands.
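Both problems come down to a command argument that is copied without a length check. The following is an added example, not Lotus Domino code, of how an SMTP server can measure and validate the ENVID value before copying it. The names `extract_envid` and `key_at` and the status codes are hypothetical; the limits are the 100-character ENVID maximum from RFC 3461 and the 512-octet command line maximum from RFC 5321.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define SMTP_LINE_MAX 512  /* RFC 5321: command line limit, CRLF included */
#define ENVID_MAX     100  /* RFC 3461: longest permitted ENVID value */

enum envid_status { ENVID_OK, ENVID_ABSENT, ENVID_TOO_LONG, ENVID_BAD_CHAR, LINE_TOO_LONG };

/* Case-insensitive match of key at p; the caller guarantees klen readable bytes. */
static int key_at(const char *p, const char *key, size_t klen)
{
    for (size_t i = 0; i < klen; i++)
        if (toupper((unsigned char)p[i]) != key[i])
            return 0;
    return 1;
}

/* Hypothetical helper: copy the ENVID value of a MAIL FROM line (len bytes,
 * CRLF already stripped) into out. out is written only when all checks pass.
 * Simplification: the first " ENVID=" in the line is taken as the parameter. */
enum envid_status extract_envid(const char *line, size_t len, char out[ENVID_MAX + 1])
{
    static const char key[] = " ENVID=";
    const size_t klen = sizeof key - 1;

    if (len > SMTP_LINE_MAX - 2)       /* reject over-long commands outright */
        return LINE_TOO_LONG;
    for (size_t i = 0; i + klen <= len; i++) {
        if (!key_at(line + i, key, klen))
            continue;
        const char *val = line + i + klen;
        size_t n = 0;
        while (i + klen + n < len && val[n] != ' ')
            n++;                       /* measure before copying anything */
        if (n > ENVID_MAX)
            return ENVID_TOO_LONG;
        for (size_t j = 0; j < n; j++) /* xtext: printable ASCII, no '=' */
            if (val[j] < '!' || val[j] > '~' || val[j] == '=')
                return ENVID_BAD_CHAR;
        memcpy(out, val, n);           /* n <= ENVID_MAX, so this fits */
        out[n] = '\0';
        return ENVID_OK;
    }
    return ENVID_ABSENT;
}
```

The overall line-length check applies equally to RCPT TO, SAML FROM and SOML FROM, since every SMTP command line is subject to the same limit.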

Resolution

Upgrade to the latest version of Lotus Domino.

Where can I read more about this?

This vulnerability was discussed in S.A.F.E.R. Security Bulletin 001103.EXP.1.9. The second vulnerability was posted to Bugtraq.