Recent Lotus Notes/Domino Denial of Service Vulnerability
I wanted to let you know that, contrary to some beliefs, there are still Lotus Notes users out there. During a cursory look at Notes around the end of 2004 (just after @stake was bought by Symantec) I had identified a denial of service (DoS) condition that could be triggered via SMTP (the advisory was released last month). I wanted to take a few moments to discuss some of the details around this vulnerability.
I had originally identified the bug using SMTP as the injection vector. However, during Symantec's patching process (I was fortunate enough to work with our team that focuses on Notes issues) we identified that Notes RPC could also be used as a vector. What is the result? Well, even if you patch the edge (peripheral) Lotus servers, as soon as a suitably malformed message hits a vulnerable server deep inside the organization, then that server will suffer the DoS instead. You can then envisage a scenario where these servers—those that are deep within the organization—will be the ones that actually host the users’ mailboxes. As a result, the DoS attack will have a more significant impact (as if losing external e-mail wasn't significant enough).
I thought this was interesting because it demonstrated to me that the "patch only Internet-facing hosts" mindset that some organizations may have is somewhat flawed. This approach can actually increase exposure rather than decrease it, especially when particular vulnerabilities (such as this Notes DoS vulnerability) are taken into consideration. So, in summary: if you run Lotus Notes/Domino in your organization, you need to patch every server that email reaches in order to mitigate this vulnerability.
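One way to turn "patch every server that email reaches" into a check you can run against an inventory, as an added example that is not part of the original post or the advisory: it walks the relay routes a message can take (SMTP at the edge, Notes RPC between internal servers) and reports which reachable servers still lack the fix. The server names, the inventory layout and the route list are constructed for illustration.

```python
from collections import deque

# Constructed inventory: Domino servers, whether they carry the DoS fix,
# and whether they host user mailboxes.
SERVERS = {
    "edge-smtp-1": {"patched": True,  "hosts_mailboxes": False},
    "hub-1":       {"patched": False, "hosts_mailboxes": False},
    "mail-a":      {"patched": False, "hosts_mailboxes": True},
    "mail-b":      {"patched": True,  "hosts_mailboxes": True},
}

# Constructed routes: (source, destination, protocol used for that hop).
ROUTES = [
    ("internet", "edge-smtp-1", "SMTP"),
    ("edge-smtp-1", "hub-1", "Notes RPC"),
    ("hub-1", "mail-a", "Notes RPC"),
    ("hub-1", "mail-b", "Notes RPC"),
]


def exposed_servers(servers, routes, origin="internet"):
    """Return {server: hop path} for every reachable server without the fix.

    A patched server does not crash, but it still relays the message on,
    so the walk continues through patched hosts; only the unpatched
    servers it reaches are recorded, along with the path taken to them.
    """
    adjacency = {}
    for src, dst, proto in routes:
        adjacency.setdefault(src, []).append((dst, proto))
    seen = {origin}
    queue = deque([(origin, [])])
    exposed = {}
    while queue:
        node, path = queue.popleft()
        for nxt, proto in adjacency.get(node, []):
            if nxt in seen:
                continue
            seen.add(nxt)
            hop_path = path + [f"{node} -{proto}-> {nxt}"]
            if not servers[nxt]["patched"]:
                exposed[nxt] = hop_path
            queue.append((nxt, hop_path))
    return exposed


def unpatched_mailbox_hosts(servers, routes, origin="internet"):
    """Sorted names of exposed servers that also hold user mailboxes."""
    reachable = exposed_servers(servers, routes, origin)
    return sorted(s for s in reachable if servers[s]["hosts_mailboxes"])
```

With the constructed inventory, the patched edge server is skipped and the walk ends at the unpatched hub and the mailbox server behind it, which is exactly the case the post describes.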