IBM Lotus Domino Server LDAP DoS Vulnerability

iDEFENSE Security Advisory 02.10.06
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=389
February 10, 2006

I. BACKGROUND

IBM Lotus Domino Server software provides messaging, calendaring and scheduling capabilities on a variety of operating systems. More information about the product is available from:

http://www.lotus.com/products/product4.nsf/wdocs/dominohomepage

II. DESCRIPTION

Remote exploitation of a denial of service vulnerability in IBM Corp.'s Lotus Domino LDAP server allows attackers to crash the service, thereby preventing legitimate access.

iDEFENSE is currently unaware of exploits for this vulnerability other than those maintained by iDEFENSE Labs. Vendor patches for this iDEFENSE exclusive report are currently unavailable. A workaround has been provided.

The problem specifically exists within the LDAP server "nldap.exe." When sending a specially crafted bind request with a long string to the LDAP server port (389), a NULL pointer dereference occurs, resulting in a crash of the process.

III. ANALYSIS

Exploitation of this vulnerability allows unauthenticated remote attackers to crash the LDAP service, thereby preventing legitimate usage. This attack takes few resources to launch and can be repeated to ensure that an unpatched computer is unable to recover even after the administrator manually restarts the service.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in Lotus Domino Server version 6.5.4. It is suspected that earlier versions of Lotus Domino Server are also affected.

V. WORKAROUND

Employ firewalls, access control lists or other TCP/UDP restriction mechanisms to limit access to systems and services. More specifically, limit access to TCP port 389 on the LDAP server to only allow trusted hosts to connect.

VI. VENDOR RESPONSE

The vendor has addressed this issue in the following products:

- IBM Lotus Notes/Domino 6.5.4 FP2
- IBM Lotus Notes/Domino 6.5.5
- IBM Lotus Notes/Domino 7.0.1

The vendor has published the following technote which details patching procedures:

http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21229907

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2005-2712 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

08/23/2005  Initial vendor notification
08/23/2005  Initial vendor response
02/10/2006  Coordinated public disclosure

IX. CREDIT

Sebastian Apelt is credited with the discovery of this vulnerability.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2006 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
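Added example, not part of the iDEFENSE advisory or any vendor code: a detection-side check for the condition described in section II, decoding a captured LDAP message and flagging a BindRequest whose name or credentials field is unusually long. The 255-byte threshold, the function names and the sample message are assumptions made for illustration; the advisory does not state which field or what length is involved.

```python
MAX_FIELD = 255  # assumed threshold; tune to the longest DN/password you expect

# Constructed sample: an ordinary simple bind (messageID 1, LDAP version 3).
NORMAL = (bytes.fromhex("3024020101601f0201030412") + b"cn=admin,o=example"
          + bytes.fromhex("8006") + b"secret")

def read_tlv(buf, pos):
    """Decode one BER TLV at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:
        n = first & 0x7F                   # long form: n length octets follow
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length exceeds captured data")
    return tag, pos, pos + length

def inspect_bind(pdu, max_field=MAX_FIELD):
    """Return findings for one LDAPMessage; an empty list means nothing to flag."""
    try:
        tag, start, end = read_tlv(pdu, 0)         # LDAPMessage SEQUENCE
        if tag != 0x30:
            return ["not an LDAPMessage"]
        msg = pdu[start:end]
        _, _, p = read_tlv(msg, 0)                 # messageID
        op, start, end = read_tlv(msg, p)          # protocolOp
        if op != 0x60:                             # [APPLICATION 0] BindRequest
            return []
        body = msg[start:end]                      # parse only inside the bind
        _, _, p = read_tlv(body, 0)                # version
        findings = []
        _, s, p = read_tlv(body, p)                # name (LDAPDN)
        if p - s > max_field:
            findings.append(f"bind name is {p - s} bytes")
        _, s, e = read_tlv(body, p)                # authentication choice
        if e - s > max_field:
            findings.append(f"bind credentials are {e - s} bytes")
        return findings
    except ValueError as exc:
        return [f"malformed BER: {exc}"]

if __name__ == "__main__":
    print(inspect_bind(NORMAL))                    # default threshold
    print(inspect_bind(NORMAL, max_field=8))       # low threshold to show a finding
```

A check like this belongs on a sensor or proxy in front of TCP port 389 and complements, rather than replaces, the access restriction in section V and the vendor fixes in section VI.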