Information Security News mailing list archives

Lotus flaw threatens email security


From: InfoSec News <isn () C4I ORG>
Date: Wed, 10 Jan 2001 21:41:16 -0600

http://www.vnunet.com/News/1116133

By Ian Lynch
January 10, 2001

Lotus has given the highest priority to fixing a security hole in its
Domino messaging system which could allow junior employees to read the
email of the most senior figures in companies using the software.

The exploitable gap in the system's security was reported to the
moderated industry mailing list bugtraq late on Monday. It prompted
some consultants to inform clients that they had no secure alternative
but to close down their email servers until a workaround was
published.

The gap allows any authorised user of the Domino mail system to gain
access to any mailbox in the system by modifying the traffic between
their client and the Domino server or by modifying the client software
itself.

The problem remains even if the system administrator has set up access
control lists, and allows the most junior clerk to gain access to the
boss's email if he or she can follow the now-published procedure.
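The point of the paragraph above is that an access control list only protects a mailbox if the server enforces it against the identity it established itself, not against anything the client sends. The following is an added, hypothetical illustration of that design rule (it is not Lotus or Domino code and says nothing about how Domino actually behaved); the `ACL` table, `Session` type and both handler functions are constructed for this example.

```python
"""Server-side mailbox authorization, shown as a weak pattern beside its hardened form.
Hypothetical example, not Lotus/Domino code; all names and data are constructed."""
from dataclasses import dataclass

# Constructed sample ACL: mailbox owner -> set of principals allowed to read it.
ACL = {
    "ceo": {"ceo", "ceo_assistant"},
    "clerk": {"clerk"},
}


@dataclass(frozen=True)
class Session:
    """Identity the server established at login from a verified credential.
    This is the only identity the server should reason about."""
    user: str


class AccessDenied(Exception):
    """Raised when the requesting identity is not in the mailbox's ACL."""


def open_mailbox_trusting_client(session: Session, request: dict) -> str:
    """Weak pattern: the acting identity is taken from the request body.

    The ACL is consulted, but against a name the client chose, so anyone who can
    edit the traffic to the server (or the client program that builds it) can
    name a principal that the ACL permits.
    """
    mailbox = request["mailbox"]
    acting_as = request.get("user", session.user)  # client-controllable field
    if acting_as in ACL.get(mailbox, set()):
        return f"opened {mailbox} as {acting_as}"
    raise AccessDenied(mailbox)


def open_mailbox_server_enforced(session: Session, request: dict) -> str:
    """Hardened pattern: identity comes only from the server-side session.

    Nothing in the request body can change who the caller is, so tampering with
    the traffic or the client cannot widen the caller's rights beyond the ACL.
    """
    mailbox = request["mailbox"]
    if session.user not in ACL.get(mailbox, set()):
        raise AccessDenied(mailbox)
    return f"opened {mailbox} as {session.user}"


if __name__ == "__main__":
    clerk = Session(user="clerk")
    tampered = {"mailbox": "ceo", "user": "ceo"}  # constructed: body claims another identity
    print(open_mailbox_trusting_client(clerk, tampered))  # weak handler honours the claim
    try:
        open_mailbox_server_enforced(clerk, tampered)
    except AccessDenied as exc:
        print(f"hardened handler refused: {exc}")
```

The difference between the two handlers is where the identity comes from, not whether an ACL exists; the same table is consulted in both. A practical check for any mail or directory service is to confirm that no field in a client message is ever used as the subject of an authorization decision.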

However, it appears that the problem is dependent on how Domino has
been configured and may only affect some users. Security industry
professionals began posting suggestions for a workaround late on
Tuesday, and Lotus has now published a workaround on its www.notes.net
website.

A spokeswoman for Lotus said the company was aware of the issue and
hoped to have a patch ready by 13 January. She added that a full
statement has been posted on the Notes/Domino Gold release Forum at
the notes.net website.

Experts said they were not surprised that such a problem had been
discovered and predicted that more would come to light as security
professionals switched their focus from Microsoft products to those of
other vendors.

Paul Rogers, network security analyst at MIS Corporate Defence
Solutions, said: "It was only a matter of time before a serious
vulnerability was discovered in Lotus, or a similar messaging system,
as security professionals start to put them under the same degree of
scrutiny as they do products from Microsoft."

ISN is hosted by SecurityFocus.com