Notes/Domino Fix List
SPR # GGEB4NHQKB
Fixed in 5.0.6 release
Security fix



Product Area: Client
Technical Area: Security - Workstation (ECL - Local security)
Platform: Cross Platform

SPR# GGEB4NHQKB - Fixed a potential security issue.
Technote Number: 1091186

Problem:
This type of attack is prevented by using the Lotus recommended default
settings for the Execution Control List (ECL) feature.

To check your workstation's ECL settings, select File, Preferences, User
Preferences from the Notes client menu, then click on the Security Options
button on the User Preferences dialog box and review the settings for "No
Signature". Lotus recommends that all access be disabled for the "No
Signature" and "Default" entries.

Specifically, the entry for "No Signature" should not allow "Access to External
Programs" in order to prevent this particular attack.

If a Lotus Notes mail message has been received that is set to activate an
object upon reading, the user will receive an Execution Security Alert dialog
box containing the following information:

Action: OLE Object Activation
Signed by: -No Signature-
Not allowed: Access to external programs

Users have four options in this dialog box: "Abort", "Execute Once", "Trust
Signer", "Help". The recommended action is "Abort". Choosing this option will
prevent the object from executing and will open the document so that it can be
read.

However, due to a regression introduced in R5.0.2, the recommended settings are
not sufficient for certain releases. Lotus strongly recommends that users
running versions Notes R5.0.2 - Notes R5.0.5 upgrade to Notes R5.0.6 or higher
as soon as possible. If it is not possible to upgrade immediately, users
should update their ECL settings to deny "Access to external programs" for ALL
ECL entries, including "Lotus Notes Template Development/Lotus Notes".

The potential risk of such an attack originating from the Internet is extremely
limited in Domino R5. Notes-formatted messages that are sent over the Internet
and received by Domino R5 SMTP servers are not automatically decapsulated. The
original message is delivered as an ENCAP2.OND attachment. To configure Domino
R4.6x SMTP MTA servers to deliver ENCAP2.OND attachments rather than
decapsulated messages, upgrade the SMTP MTA servers to Domino R4.6.7 and then
configure the Notes.ini parameter: SMTPMTA_NO_DECAPSULATE=1.

Extreme caution should be exercised when launching any attachment; this
includes opening a .OND attachment.

Supporting Information:

Lotus has been aware of the potential for malicious email messages since our
early releases. In 1996, we released Notes R4.5, which included a "sandbox"
and a PKI-based authorization mechanism, which we call Execution Control Lists,
for native Notes programs. We did this before such mechanisms were widely used
for securing Java applets in web browsers, and we are proud of the way our
foresight has provided protection to millions of our users for many years
without crippling their ability to integrate sophisticated workflow
applications with their email -- a claim that no other vendor can make even
today. We are confident in the high level of security our Notes and Domino
client/server environment provides against malicious mail messages, and we
continually strive to educate our customers how to manage the security features
of the products properly.

We know that strong protection mechanisms and customer education occasionally
aren't enough. Users will sometimes do ill-advised things that circumvent all
the technical protections we give them, just like they will occasionally
circumvent the desktop virus protection software. We are active participants
in the PKI, security and Internet standards communities, and have even
contributed PKI code to the public domain in the hopes that operating system
vendors and Internet standards bodies will someday adopt technologies that
provide protection that measures up to what we already provide in Notes and
Domino.

When was this feature introduced?

The Execution Control List (ECL) feature was introduced in Notes R4.5.


Where is the Execution Control List (ECL) stored and configured?

The ECL is stored for each user in their desktop.dsk/desktop5.dsk file. Users
can access their ECL from File\Preferences\User Preferences\Security Options.
Administrators can configure domain wide settings in the Public Address
Book/Domino Directory by selecting Actions\Edit Administration ECL.
Workstation ECLs are inherited from the Administration ECL during workstation
setup. In R5.0.5 or higher, these settings can be refreshed from the
Administration ECL by clicking the "Refresh" button on the Workstation Security
Options dialog. The @RefreshECL command can also be used in formulas to
update a user's settings.

How do ECLs protect workstations?

ECLs rely on the use of digital signatures. When a design element is created
and saved, it is signed with the user's private key from their ID file.

When executable code is activated, Notes checks the signature and verifies what
level of access the signer is allowed for that user's workstation. Notes
relies on the use of certificates to verify these digital signatures. If a
signer can be verified and is listed in the ECL, the rights assigned for that
entry apply. If the signature is verified, but an entry for the signer does
not exist, the rights assigned to the "Default" entry apply. If a signature
cannot be verified, the access rights assigned to the entry for "No Signature"
apply.

What is the "Lotus Notes Template Development/Lotus Notes" entry in the ECL?

All Lotus Notes templates shipped with the product are signed with this ID
file. This entry is listed in the ECL with all access rights enabled which
means that code signed with this ID is trusted to execute on the workstation.

Is it possible for someone to create an ID with the name "Lotus Notes Template
Development/Lotus Notes" and evade the ECL?

No. While it is possible for an ID to be created with the same name, the
public/private key pair will not match the original. When code signed with the
false ID is executed, Notes will be unable to verify the signer and therefore
the rights assigned to the entry for "No Signature" will apply. If "No
Signature" is not permitted to execute that particular action, Notes will
generate an Execution Security Alert dialog box with the warning that "The
version of Notes you are running does not recognize the Template Development
key that signed this document".

What are the Lotus recommended ECL settings for the "Default" and "No
Signature" entries?

Both "Default" and "No Signature" should have all access rights disabled.
Beginning with R5.0.2 (available in Dec 1999), this is the default
configuration.
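
The entry-selection rules from "How do ECLs protect workstations?", the same-name ID case, and the interim "deny for ALL entries" setting, as an added Python model (an illustration written for this page, not Lotus code). Certificate verification is reduced to a key-id comparison, and the key ids, the user names other than the Template Development entry, and the second right are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

EXTERNAL = "Access to external programs"
OTHER = "other right (constructed)"      # placeholder for any other ECL right
TEMPLATE = "Lotus Notes Template Development/Lotus Notes"

# Assumption: certificate verification is modelled as "the signing key must be
# the key certified for the claimed name". Key ids and user names are constructed.
CERTIFIED_KEYS = {TEMPLATE: "key-lotus", "Alice Admin/Acme": "key-alice",
                  "Bob Dev/Acme": "key-bob"}

@dataclass(frozen=True)
class Signature:
    signer: str   # name claimed by the signature
    key_id: str   # key that actually produced it

def resolve_entry(ecl: dict, sig: Optional[Signature]) -> str:
    """Pick the ECL entry whose rights govern the code being activated."""
    if sig is None or CERTIFIED_KEYS.get(sig.signer) != sig.key_id:
        return "No Signature"   # unsigned, or signature cannot be verified
    if sig.signer in ecl:
        return sig.signer       # verified and listed: the signer's own entry
    return "Default"            # verified but not listed

def check(ecl: dict, sig: Optional[Signature], right: str) -> tuple:
    """Return (allowed, governing entry); allowed=False means an alert is raised."""
    entry = resolve_entry(ecl, sig)
    return (right in ecl[entry], entry)

def harden(ecl: dict) -> dict:
    """Interim setting for R5.0.2 - R5.0.5: deny EXTERNAL for ALL entries."""
    return {name: rights - {EXTERNAL} for name, rights in ecl.items()}

# Recommended baseline: "Default" and "No Signature" have no rights at all.
RECOMMENDED = {
    TEMPLATE: frozenset({EXTERNAL, OTHER}),   # ships with all rights enabled
    "Alice Admin/Acme": frozenset({OTHER}),
    "Default": frozenset(),
    "No Signature": frozenset(),
}

if __name__ == "__main__":
    cases = {"unsigned": None,
             "same name, different key": Signature(TEMPLATE, "key-other"),
             "genuine template": Signature(TEMPLATE, "key-lotus"),
             "verified, unlisted": Signature("Bob Dev/Acme", "key-bob")}
    for label, sig in cases.items():
        print(label, check(RECOMMENDED, sig, EXTERNAL),
              check(harden(RECOMMENDED), sig, EXTERNAL))
```
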

Related Documents:

How ECLs Respond to Changes in the Notes/Domino Environment
Document #: 183254

Recommendations for Deploying Tighter ECLs in Notes R5
Document #: 183256

Default ECL Entries Beginning with Notes 5.0.3
Document #: 183257

Domino R5 SMTP Does Not Support .OND Messages Sent Over the Internet
Document #: 173301

Domino 4.6x: Can Decapsulation on Inbound Messages Be Made Configurable?
Document #: 179128

"Staying Alert with Execution Control Lists"
by Amy Smith, published on Iris Today on Dec 1, 1999 at
http://www.notes.net/today.nsf/9148b29c86ffdcd385256658007aaa0f/3a9da544637a69b2852568310078b649?OpenDocument

This report has been published by the following sources:

SecurityBugware --> http://www.securitybugware.org/NT/4786.html
SecuriTeam --> http://www.securiteam.com/securitynews/6C00N0U2UI.html
BugTraq --> http://archives.neohapsis.com/archives/bugtraq/2001-10/0180.html
Hideaway.net --> http://www.hideaway.net/vulnerabilities/lotus_mail_38.html
Security Alert Consensus Newsletter #120 - {01.43.019} --> http://www.sans.org
Predictive Systems REACT advisory --> http://www.predictive.com



Last Modified on 05/22/2001
