Lotus Domino Denial of Service Malformed HTML Email

Updated: July 19, 2006 02:23:16 PM PDT
Type: General Information

SUMMARY


SARC Security Alert: SARC Alert-2001-001

Denial of Service, Malformed HTML Email attachment crashes Lotus R5 Domino Servers prior to R5.06

Update 2001-001A: Lotus has posted a response to this issue.

Affected Components:

Lotus R5 Domino Server 5.04+, <5.06; Lotus R5 Client 5.04+, <5.05

Not Affected:

Lotus R4 Domino Server 4.x, Lotus R5 Domino Server 5.06+

Details:

Symantec recently discovered a previously unknown buffer overflow vulnerability in the Lotus Domino R5 Server HTML parser. Buffer overflows can be exploited for Denial of Service (DoS) or unauthorized access.

The vulnerability is exploited whenever a Notes client views a malformed HTML attachment. The overflow condition is caused by not correctly terminating a font size statement in an HTML attachment/page. When the Lotus Domino Server attempts to parse the HTML, it fails to do proper error checking on the malformed font size statement and overflows the font size input buffer.
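The failure described above, a font size value that is never terminated and is then copied into a fixed buffer without error checking, is avoided by bounding both the scan and the copy. The following C function is an added example, not Lotus or Symantec code; the function name, the buffer size and the return codes are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define FONT_SIZE_BUF 8  /* assumed capacity of the size-value buffer */

enum { FS_OK = 0, FS_UNTERMINATED = -1, FS_TOO_LONG = -2, FS_INVALID = -3 };

/* s points just past "size=" inside a <font> tag; len is the number of
 * bytes left in the input, which is not assumed to be NUL-terminated. */
int parse_font_size(const char *s, size_t len, int *size_out)
{
    char buf[FONT_SIZE_BUF];
    char quote = 0;
    size_t i = 0, start, n, j;
    int v = 0;

    if (len > 0 && (s[0] == '"' || s[0] == '\'')) {
        quote = s[0];
        i = 1;
    }
    start = i;

    /* Look for the terminator without ever reading past len. */
    for (; i < len; i++)
        if (quote ? s[i] == quote
                  : (s[i] == ' ' || s[i] == '\t' || s[i] == '>'))
            break;
    if (i == len)
        return FS_UNTERMINATED;  /* malformed: the value is never closed */

    n = i - start;
    if (n == 0)
        return FS_INVALID;
    if (n >= sizeof buf)
        return FS_TOO_LONG;      /* does not fit: reject, never truncate */
    memcpy(buf, s + start, n);
    buf[n] = '\0';

    /* Accept only an optional sign followed by digits, e.g. 3, +2, -1. */
    j = (buf[0] == '+' || buf[0] == '-') ? 1 : 0;
    if (buf[j] == '\0')
        return FS_INVALID;
    for (; buf[j] != '\0'; j++) {
        if (buf[j] < '0' || buf[j] > '9')
            return FS_INVALID;
        v = v * 10 + (buf[j] - '0');
    }
    *size_out = (buf[0] == '-') ? -v : v;
    return FS_OK;
}
```

Rejecting an oversized or unterminated value outright, rather than truncating it, keeps the parser's view of the document consistent with what was actually sent.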

The specific exploit that was tested caused the Lotus Notes Domino server to become completely unresponsive. It is possible to design an exploit that grants unauthorized access rather than denial of service.


Risk Impact:

Severe depending on the criticality of the affected Domino R5 Server(s).

Security Response:

Symantec has worked closely with Lotus on a fix for this issue. Lotus recommends upgrading to at least Lotus Domino R5 Server R5.06. R5.06 and later have a reworked engine for handling HTML formatting that is not susceptible to this bug.

Temporary Solution: A temporary workaround is to purge all emails from the offending domain, which allows the Domino Servers to function normally.

CVE:

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2001-0130 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Copyright (c) 2001 by Symantec Corp.

Permission to redistribute this Bulletin electronically is granted as long as it is not edited in any way unless authorized by the SARC. Reprinting the whole or part of this Bulletin in medium other than electronically requires permission from sarc@symantec.com.


Disclaimer:
The information in the advisory is believed to be accurate at the time of printing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage arising from use of, or reliance on this information.

Symantec and SARC are Registered Trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.


