AusCERT - ESB-2013.0593 - [Win] IBM Notes: Access confidential data

HOME
About AusCERT
Membership
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
ESB-2013.0593 - [Win] IBM Notes: Access confidential data - Existing account
Date: 29 April 2013

Click here for printable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0593
  Security Bulletin: For safer IBM Notes single sign on with Windows, use
        Notes Shared Login or Notes Federated Login (CVE-2013-0522)
                               29 April 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Notes
Publisher:         IBM
Operating System:  Windows
Impact/Access:     Access Confidential Data -- Existing Account
Resolution:        Mitigation
CVE Names:         CVE-2013-0522  

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21634508

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: For safer IBM Notes single sign on with Windows, use Notes 
Shared Login or Notes Federated Login (CVE-2013-0522)

Document information

IBM Notes

Security

Software version:
8.0, 8.0.1, 8.0.2, 8.5, 8.5.1, 8.5.2, 8.5.3, 9.0

Operating system(s):
Windows

Reference #:
1634508

Modified date:
2013-04-24

Abstract

Notes Client Single Logon uses an operating system communication mechanism for 
password transmission between Windows and Notes that can be attacked by 
malicious code planted on the user workstation to reveal the user password. 
To prevent the potential for attack, disable Notes Client Single Logon and 
instead opt to use the more secure Notes Shared Login or Notes Federated Login.

Content

CVE ID: CVE-2013-0522

DESCRIPTION

When adopting any single sign on solution, administrators face the tough 
trade-off between usability (a single password granting access to multiple 
systems) and better security (different passwords for different systems). 
A single password for multiple systems is obviously popular with users, while 
different passwords for different systems is popular with security-minded 
administrators. However, when these administrators prevail, users often 
resort to writing down multiple passwords. And so grows the demand for 
better single sign on solutions.
Notes Client Single Logon uses an operating system communication mechanism for 
password transmission between Windows and Notes that can be attacked by 
malicious code planted on the user workstation to reveal the password of an 
authenticated user. To prevent the potential for attack, disable Notes Client 
Single Logon and instead opt to use the more secure Notes Shared Login or 
Notes Federated Login.

For more information on Notes Shared Login, see
- - Using Notes Shared Login to suppress password prompts

For more information on Notes Federated Login, see section "Using Security 
Assertion Markup Language (SAML) to configure federated-identity 
authentication" in
- - IBM Domino 9.0 Administrator Help

For more information on disabling Notes Client Single Logon, refer to the Note
in the following Help topic:
- - Using Notes client single logon to synchronize Notes and OS passwords

For a comparison of Notes Client Single Logon and Notes Shared Login, see 
technote 1437726.

CVSS:

Using the Common Vulnerability Scoring System (CVSS) v2, the security rating 
for this issue is:

CVSS Base Score: 4.1
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82531 for the 
current score.
CVSS Environmental Score: Undefined
CVSS String: (AV:L/AC:M/Au:S/C:P/I:P/A:P)
Access Vector: Local Access Complexity: Medium
Authentication: Single Confidentiality Impact: Partial
Integrity Impact: Partial Availability Impact: Partial

AFFECTED PLATFORMS
Any version of IBM Notes running on Windows with Notes Client Single 
Logon enabled.

REMEDIATION:

Workaround:
To prevent the potential for attack, disable Notes Client Single Logon and 
instead opt to use the more secure Notes Shared Login or Notes Federated Login.

Mitigation(s):
1. For your Notes Execution Control list settings for -Default- and 
- -No Signature-, do NOT allow access to File system, External code or 
External programs.
2. Frequently change your Windows password with length and complexity 
commensurate to the information it protects.
3. Use Windows screen saver password to prevent unauthorized access to your 
workstation.

References: 

Complete CVSS Guide 
On-line Calculator V2 
CVE-2013-0522 
X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/82531 

Related Information: 

IBM Product Security Incident Response Program 

ACKNOWLEDGEMENT 
This vulnerability was reported to IBM by Markus Piéton of it.sec GmbH & 
Co. KG.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUX3ple4yVqjM2NGpAQKBLg//QTXM6/PIs0K5YGjiUGNq/8LRHDC4LFzf
48GZpElwMT+fdKt/Vkmj9qk1nNlv4RtuefOvh8XCMO8ti05hGJfdGaT6ljp6WOag
EXBqgXgidyybgQFnmbDkGDitVkOG7W6QMopSdpKv5ARbnd61rs3bXdUO8/0Lf1Gh
13ptPTDcaYKQVVMa8dpRb65D0AgdW2tVN4I+Xjs1T2JUEUWhHPo00cWJVzkhpygH
F3K6KLzjHQAP3JIAWaZFlcF59T2ChrpSREW1CWvZNjOuozPzQwZiN4aDD9u3XTeP
Wun8kYLBRB/DkOl5dz78SEag3xxF8On+UaWb3Yschwn6dqJg89KDjMm6V5P0Dwfc
ttOIOxCCUk46KY6FBsfltBdXs/FLn33IRB5VhUOCGPyjIrS2giP1n5YxBBc2+lWC
NzsdLh9xc3P0lqNJ20EIFD70QOp2RGS01o7r93s93EAUzQstiOGYj7UknaN3e3Yp
r9nlpMTGGZN2RDrWfIulQNfviKBs+xr2MUhHL0klW1WO/pjXd0bxIbP1S/Ye1ePl
jL+Ut4vbA/wL1mPcGQw4AgCxI6/HF4B/H1Hc372wWj+hu6TPCl7dNhe7xsr4pFVu
0fmH748bxO8fwYsbg1i0BlcJYUbFI4wTCbbB2ulCytKetX60g1wUGspkHaahjpLQ
Or5Wv2QmSPY=
=LF8Q
-----END PGP SIGNATURE-----