Re: Lotus Notes security advisory

[Kevin_Lynch/CAM/Lotus () LOTUS COM (Kevin_Lynch/CAM/Lotus () LOTUS COM)]

Security Advisory

Application: Lotus Notes Client (R4.5 and Later)

Summary:

As reported March 23, 1999 by Martin Bartosch of Deutsche Bank AG, there is
a bug in the Lotus Notes Client which causes encrypted email messages to be
saved in the sender's mailbox in unencrypted form. The bug only occurs when
the Notes client is misconfigured, but it is not an unlikely
misconfiguration and it has few if any other symptoms. Until the problem is
fixed in a future release of the software, users are encouraged to consider
whether the problem is likely to affect them and if so check for the
misconfiguration.  To ensure that your email is saved in encrypted form,
Lotus recommends using  backslashes (\) as path separator in the Mail File
field of the user's Location Document (in both Personal and Public Address
Book)  and by  selecting "Encrypt Saved Mail"  in User Preferences.

Background:

The Lotus Notes Client has a built in capability to digitally sign and
encrypt mail that is sent to other Notes users. The sender can specify
whether mail is to be signed and/or encrypted on a per-message basis, and
can also specify whether mail should be signed and/or encrypted by default.
In addition, a user can configure whether saved copies of sent messages
should be stored encrypted in the user's own mail file.

Part of a client configuration is a specification of a Domino mail server
where a copy of the user's mail file resides and the name of the file on
that server. The file name on the server may be a simple name or a
hierarchical name reflecting the file structure on the server. The Domino
mail server runs on a variety of platforms, and those platforms have
different naming conventions for files and directories. For maximum
consistency of user interfaces, Notes and Domino hold all file names (both
internally and for display) following the Windows convention of using a
backslash character (\) as a separator. Those names are translated to a
platform specific separator when making calls to the native OS. In most
cases, if a user or administrator erroneously enters a filename with
forward slashes (/), Notes and Domino will do the appropriate translation
and work correctly.

The Bug:

If in a client configuration, the user specifies the name of a mail file
correctly except for using a forward slash instead of a backslash, it will
commonly (but not always) be the case that mail that is sent encrypted will
nevertheless have the user's own saved copy stored in unencrypted form. An
important case where the bug does not occur is if the client is configured
to encrypt all saved mail. The only way a user could notice that this has
happened is by some statements that are missing from the status bar as the
message is being sent or when a saved message is read. When the message is
saved in encrypted form, the status bar will display "Encrypted document
with your public key", and when it is subsequently opened, it will display
"Decrypting document...".

The Exposure:

If a mail message is sent encrypted but saved unencrypted, the message is
still protected in transit to the recipient and in stored form on the
recipient's system. The sender's saved copy, however, could be obtained
either by someone who can eavesdrop on the connection between the sender's
workstation and mail server or by someone who can gain privileged access to
the sender's mail server. A common reason to encrypt saved mail is to
protect it from being accessed by the mail server's authorized
administrators.

Recommendation:

This problem will only affect sites where mail encryption is used
occasionally but not routinely. If the sender encrypts all saved mail (see
setting in User Preferences above), the problem does not occur. If the
sender never encrypts mail, the problem will never come up. At such sites,
it would be prudent to check the client configurations to make sure the
mail file name is specified with backslashes. End users do not normally set
this configuration item; it is inherited during installation from an
administrator set value stored in the public directory. If the value was
created programmatically by Notes, it will be correct. Unless some of these
values were set manually and incorrectly by administrators, it may not be
worthwhile to alert end users. The problem is more likely to occur at sites
where the administrators and/or end users frequently use systems where the
file name convention includes forward slashes.

_________________________
Kevin Lynch, Product Manager
Lotus Development Corporation
email:  Kevin_Lynch () Lotus com