Users login

Create an account »


Users login

Home » Hacking News » CERT CA-2003-11: vulnerabilities in Lotus Notes and Domino

CERT CA-2003-11: vulnerabilities in Lotus Notes and Domino

by Nikola Strahija on March 26th, 2003 Multiple vulnerabilities have been reported to affect Lotus Notes clients and Domino servers. Remote attacker can exploit buffer overflow and denial of service attacks.


CERT Advisory CA-2003-11 Multiple Vulnerabilities in Lotus Notes and Domino

Original release date: March 26, 2003
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

* Lotus Notes and Domino versions prior to 5.0.12 and 6.0 Gold
* VU#571297 affects 5.0.12, 6.0.1 and prior versions.


Multiple vulnerabilities have been reported to affect Lotus Notes
clients and Domino servers. Multiple reporters, the close timing, and
some ambiguity caused confusion about what releases are vulnerable. We
are issuing this advisory to help clarify the details of the
vulnerabilities, the versions affected, and the patches that resolve
these issues.

I. Description

In February 2003, NGS Software released several advisories detailing
vulnerabilities affecting Lotus Notes and Domino. The following
vulnerabilities reported by NGS Software affect versions of Lotus
Domino prior to 5.0.12 and 6.0:

VU#206361 - Lotus iNotes vulnerable to buffer overflow via
PresetFields FolderName field
Lotus Technical Documentation: KSPR5HUQ59
NGS Software's Advisory: NISR17022003b

VU#355169 - Lotus Domino Web Server vulnerable to denial of service
via incomplete POST request
Lotus Technical Documentation: KSPR5HTQHS
NGS Software's Advisory: NISR17022003d

VU#542873 - Lotus iNotes vulnerable to buffer overflow via
PresetFields s_ViewName field
Lotus Technical Documentation: KSPR5HUPEK
NGS Software's Advisory: NISR17022003b

VU#772817 - Lotus Domino Web Server vulnerable to buffer overflow
via non-existent "h_SetReturnURL" parameter with an overly long
"Host Header" field
Lotus Technical Documentation: KSPR5HTLW6
NGS Software's Advisory: NISR17022003a

The following vulnerability reported by NGS Software affects versions
of Lotus Domino up to and including 5.0.12 and 6.0.1:

VU#571297 - Lotus Notes and Domino COM Object Control Handler
contains buffer overflow
Lotus Technical Documentation: SWG21104543
NGS Software's Advisory: NISR17022003e

VU#571297 was originally reported as a vulnerability in an iNotes
ActiveX control. The vulnerable code is not specific to iNotes or
ActiveX. The iNotes ActiveX control was an attack vector for the
vulnerability and is not the affected code base. Because this issue is
not specific to ActiveX, Lotus Notes clients and Domino Servers
running on platforms other than Microsoft Windows may be affected.

In March 2003, Rapid7, Inc. released several advisories. The following
vulnerabilities, reported by Rapid7, Inc., affect versions of Lotus
Domino prior to 5.0.12:

VU#433489 - Lotus Domino Server susceptible to a pre-authentication
buffer overflow during Notes authentication
Lotus Technical Documentation: DBAR5CJJJS
Rapid7, Inc.'s Advisory: R7-0010

VU#411489 - Lotus Domino Web Retriever contains a buffer overflow
Lotus Technical Documentation: KSPR5DFJTR
Rapid7, Inc.'s Advisory: R7-0011

Rapid7, Inc. also discovered that Lotus Domino pre-release and beta
versions of 6.0 were also affected by the following vulnerability:

VU#583184 - Lotus Domino R5 Server Family contains multiple
vulnerabilities in LDAP handling code
Lotus Technical Documentation: DWUU4W6NC8
Rapid7, Inc.'s Advisory: R7-0012

VU#583184 was a regression of the PROTOS LDAP Test-Suite from
CA-2001-18 and was originally fixed in 5.0.7a.

II. Impact

The impact of these vulnerabilities range from denial of service to
data corruption and the potential to execute arbitrary code. For
details about the impact of a specific vulnerability, please see the
related vulnerability note.

III. Solution


Most of these vulnerabilities are resolved in versions 5.0.12 and
6.0.1 of Lotus Domino.

Only VU#571297, "Lotus Notes and Domino COM Object Control Handler
contains buffer overflow," is not resolved in 5.0.12, or 6.0.1.
Critical Fix 1 for 6.0.1 was released on March 18, 2003, to resolve
this issue for both the Notes client and Domino server.

Apply a patch

Patches are available for some vulnerabilities. Please view the
individual vulnerability notes for specific patch information.

Block access from outside the network perimeter

Lotus Domino servers listen on port 1352/TCP. Notes may also be
configured to listen on other ports, such as NETBIOS, SPX, or XPC.
Blocking access to these ports from machines outside your trusted
network perimeter may help mitigate successful exploitation of these

Appendix A - References

3. 4.
6. 7.
9. 10.
12. 13.
15. 16.
18. 19.
21. 22.
24. 25.

Our thanks to NGS Software and Rapid7, Inc. for discovering and
reporting on these vulnerabilities. We also thank the Lotus Security
Team for aiding in the resolution and clarification of these issues.

Feedback on this document can be directed to the author,
Jason A. Rafail.

This document is available from:

CERT/CC Contact Information

Email: [email protected]
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more

Getting security information

CERT publications and other security information are available from
our web site

To subscribe to the CERT mailing list for advisories and bulletins,
send email to [email protected] Please include in the body of your

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.

Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.

Conditions for use, disclaimers, and sponsorship information

Copyright 2003 Carnegie Mellon University.

Revision History
Mar 26, 2003: Initial release

Version: PGP 6.5.8


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »