Date: 29 April 2013
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2013.0593
Security Bulletin: For safer IBM Notes single sign on with Windows, use
Notes Shared Login or Notes Federated Login (CVE-2013-0522)
29 April 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM Notes
Publisher: IBM
Operating System: Windows
Impact/Access: Access Confidential Data -- Existing Account
Resolution: Mitigation
CVE Names: CVE-2013-0522
Original Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21634508
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: For safer IBM Notes single sign on with Windows, use Notes
Shared Login or Notes Federated Login (CVE-2013-0522)
Document information
IBM Notes
Security
Software version:
8.0, 8.0.1, 8.0.2, 8.5, 8.5.1, 8.5.2, 8.5.3, 9.0
Operating system(s):
Windows
Reference #:
1634508
Modified date:
2013-04-24
Abstract
Notes Client Single Logon uses an operating system communication mechanism for
password transmission between Windows and Notes that can be attacked by
malicious code planted on the user workstation to reveal the user password.
To prevent the potential for attack, disable Notes Client Single Logon and
instead opt to use the more secure Notes Shared Login or Notes Federated Login.
Content
CVE ID: CVE-2013-0522
DESCRIPTION
When adopting any single sign on solution, administrators face the tough
trade-off between usability (a single password granting access to multiple
systems) and better security (different passwords for different systems).
A single password for multiple systems is obviously popular with users, while
different passwords for different systems is popular with security-minded
administrators. However, when these administrators prevail, users often
resort to writing down multiple passwords. And so grows the demand for
better single sign on solutions.
Notes Client Single Logon uses an operating system communication mechanism for
password transmission between Windows and Notes that can be attacked by
malicious code planted on the user workstation to reveal the password of an
authenticated user. To prevent the potential for attack, disable Notes Client
Single Logon and instead opt to use the more secure Notes Shared Login or
Notes Federated Login.
For more information on Notes Shared Login, see
- - Using Notes Shared Login to suppress password prompts
For more information on Notes Federated Login, see section "Using Security
Assertion Markup Language (SAML) to configure federated-identity
authentication" in
- - IBM Domino 9.0 Administrator Help
For more information on disabling Notes Client Single Logon, refer to the Note
in the following Help topic:
- - Using Notes client single logon to synchronize Notes and OS passwords
For a comparison of Notes Client Single Logon and Notes Shared Login, see
technote 1437726.
CVSS:
Using the Common Vulnerability Scoring System (CVSS) v2, the security rating
for this issue is:
CVSS Base Score: 4.1
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82531 for the
current score.
CVSS Environmental Score: Undefined
CVSS String: (AV:L/AC:M/Au:S/C:P/I:P/A:P)
Access Vector: Local Access Complexity: Medium
Authentication: Single Confidentiality Impact: Partial
Integrity Impact: Partial Availability Impact: Partial
AFFECTED PLATFORMS
Any version of IBM Notes running on Windows with Notes Client Single
Logon enabled.
REMEDIATION:
Workaround:
To prevent the potential for attack, disable Notes Client Single Logon and
instead opt to use the more secure Notes Shared Login or Notes Federated Login.
Mitigation(s):
1. For your Notes Execution Control list settings for -Default- and
- -No Signature-, do NOT allow access to File system, External code or
External programs.
2. Frequently change your Windows password with length and complexity
commensurate to the information it protects.
3. Use Windows screen saver password to prevent unauthorized access to your
workstation.
References:
Complete CVSS Guide
On-line Calculator V2
CVE-2013-0522
X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/82531
Related Information:
IBM Product Security Incident Response Program
ACKNOWLEDGEMENT
This vulnerability was reported to IBM by Markus PiƩton of it.sec GmbH &
Co. KG.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUX3ple4yVqjM2NGpAQKBLg//QTXM6/PIs0K5YGjiUGNq/8LRHDC4LFzf
48GZpElwMT+fdKt/Vkmj9qk1nNlv4RtuefOvh8XCMO8ti05hGJfdGaT6ljp6WOag
EXBqgXgidyybgQFnmbDkGDitVkOG7W6QMopSdpKv5ARbnd61rs3bXdUO8/0Lf1Gh
13ptPTDcaYKQVVMa8dpRb65D0AgdW2tVN4I+Xjs1T2JUEUWhHPo00cWJVzkhpygH
F3K6KLzjHQAP3JIAWaZFlcF59T2ChrpSREW1CWvZNjOuozPzQwZiN4aDD9u3XTeP
Wun8kYLBRB/DkOl5dz78SEag3xxF8On+UaWb3Yschwn6dqJg89KDjMm6V5P0Dwfc
ttOIOxCCUk46KY6FBsfltBdXs/FLn33IRB5VhUOCGPyjIrS2giP1n5YxBBc2+lWC
NzsdLh9xc3P0lqNJ20EIFD70QOp2RGS01o7r93s93EAUzQstiOGYj7UknaN3e3Yp
r9nlpMTGGZN2RDrWfIulQNfviKBs+xr2MUhHL0klW1WO/pjXd0bxIbP1S/Ye1ePl
jL+Ut4vbA/wL1mPcGQw4AgCxI6/HF4B/H1Hc372wWj+hu6TPCl7dNhe7xsr4pFVu
0fmH748bxO8fwYsbg1i0BlcJYUbFI4wTCbbB2ulCytKetX60g1wUGspkHaahjpLQ
Or5Wv2QmSPY=
=LF8Q
-----END PGP SIGNATURE-----
|