Lotus Domino SMTP Vulnerability

Updated (3.1.4)

Impact

A remote attacker could cause a denial of service or execute arbitrary commands on the server.


Background

The Lotus Domino family of servers includes an e-mail server which implements the Simple Mail Transfer Protocol (SMTP). It also supports extensions for delivery status notifications, which report the delivery status of an e-mail message back to its sender. The ENVID keyword is optionally used by an e-mail client to attach an identifier to an outgoing message; that identifier is then included in any delivery status notifications regarding the message.

Another feature of Lotus Domino mail servers is the policy feature, which can be used to set relaying rules. With this feature, an e-mail administrator can specify the rules which determine when the server may be used for relaying mail from one remote site to another.

The Problem

By sending a very long argument to the ENVID keyword, it is possible to cause a buffer overflow in the mail server. This condition could be exploited by a remote attacker to cause a denial of service or to execute arbitrary code. Lotus Domino version 5 up through 5.04 is affected by this vulnerability.

Another buffer overflow condition exists in the code which implements the policy feature. This vulnerability could also be used to cause a denial of service or to execute arbitrary commands. Lotus Domino version 5 up through 5.05 is affected by this vulnerability if the policy feature is enabled.

A third, unrelated vulnerability could allow an attacker to cause a denial of service in Lotus Domino 5.0.2a and 5.0.2c by sending a very long argument to the RCPT TO, SAML FROM, or SOML FROM commands.
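Both the ENVID overflow and the overlong RCPT TO / SAML FROM / SOML FROM arguments described above are the same class of input: an SMTP command carrying a parameter far longer than the protocol allows. The following Python is an added example written for this tutorial, not code from Lotus or from the advisories it cites. It scans a captured SMTP session (a constructed sample is embedded below) and flags commands whose ENVID value exceeds the 100-character limit RFC 3461 places on that parameter, or whose path argument exceeds the 256-octet path limit from RFC 5321. ENVID is assumed to appear as a `KEY=value` parameter after the MAIL FROM path, which is how the DSN extension defines it; the function names and the sample transcript are this example's own.

```python
"""Flag overlong ENVID and path arguments in an SMTP session transcript.

Added example for the Lotus Domino SMTP tutorial (not vendor code).
Thresholds are taken from the RFCs; any real server may enforce smaller
limits, so treat these as a ceiling for "obviously malformed" input.
"""
import re

# RFC 3461 limits the ENVID parameter to 100 characters.
ENVID_MAX = 100
# RFC 5321 section 4.5.3.1.3: a forward-path or reverse-path is at most 256 octets.
PATH_MAX = 256

# The commands named in this tutorial, each taking a single path argument
# followed by optional ESMTP parameters (e.g. "ENVID=...", "NOTIFY=...").
CMD_RE = re.compile(
    r"^(MAIL FROM|RCPT TO|SAML FROM|SOML FROM):\s*(<[^>]*>|\S*)(.*)$",
    re.IGNORECASE,
)


def check_command(line):
    """Return a list of findings for one SMTP command line (empty = nothing suspicious)."""
    findings = []
    match = CMD_RE.match(line.strip())
    if not match:
        return findings  # not one of the commands we care about
    verb, path, rest = match.group(1).upper(), match.group(2), match.group(3)

    # Overlong path argument: the RCPT TO / SAML FROM / SOML FROM case.
    if len(path) > PATH_MAX:
        findings.append(f"{verb}: path argument is {len(path)} octets (limit {PATH_MAX})")

    # Overlong ENVID value: the delivery-status-notification case.
    for param in rest.split():
        key, _, value = param.partition("=")
        if key.upper() == "ENVID" and len(value) > ENVID_MAX:
            findings.append(
                f"{verb}: ENVID value is {len(value)} characters (limit {ENVID_MAX})"
            )
    return findings


def scan_session(lines):
    """Scan a list of SMTP command lines; return (line_number, finding) pairs."""
    results = []
    for number, line in enumerate(lines, 1):
        for finding in check_command(line):
            results.append((number, finding))
    return results


# Constructed sample session: two well-formed commands, then two that carry
# arguments far beyond the protocol limits (the pattern this tutorial describes).
SAMPLE_SESSION = [
    "EHLO client.example",
    "MAIL FROM:<alice@example.com> ENVID=order-20230401-0017 RET=HDRS",
    "RCPT TO:<bob@example.net> NOTIFY=SUCCESS,FAILURE",
    "MAIL FROM:<alice@example.com> ENVID=" + "A" * 2000,
    "RCPT TO:<" + "B" * 1500 + "@example.net>",
    "DATA",
]

if __name__ == "__main__":
    for number, finding in scan_session(SAMPLE_SESSION):
        print(f"line {number}: {finding}")
```

Run against the sample, the scanner reports line 4 (ENVID of 2000 characters) and line 5 (a 1514-octet recipient path) and nothing else. The same two checks can be dropped in front of a mail relay as a reject rule, or run over a mail gateway's command log to spot probing before a patch is applied.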

Resolution

Upgrade to the latest version of Lotus Domino.

Where can I read more about this?

The ENVID vulnerability was discussed in S.A.F.E.R. Security Bulletin 001103.EXP.1.9. The vulnerability in the policy feature was discussed in S.A.F.E.R. Security Bulletin 010123.EXP.1.10. The third vulnerability was posted to Bugtraq.