[Full-disclosure] heise Security: Password exposure in Lotus Notes




Excerpt from: http://www.heise-security.co.uk/news/92958

------
Password exposure in Lotus Notes

A debug function in version 5 and up of Lotus Notes can be used to write a file containing the new password in plain text when a user password is changed. This function has been designed to bring more transparency into password quality verification. If two additional lines are entered in the Notes.INI configuration file, Notes will log the evaluation.

Since the Notes.INI file on a user’s hard disk must be manipulated, physical access to the system is required to exploit this flaw. But there are various possibilities within Notes to manipulate this file, which can, in turn, also be used to protect systems from this vulnerability.

Assessment:

Notes uses the password to protect the certificate storage Notes.ID used by every user for authentication. This file is encrypted or decrypted with the user password. Together with the Notes certificates, Notes.ID also stores the user's private key and X.509 certificates, where required. For this reason, it is of utmost importance to ensure that nobody can create a copy of the password and Notes.ID at the same time. If somebody gains concurrent access to both the log file and the Notes.ID, this person can authenticate himself to Notes at any time.

Even though administrators can eliminate exploitation of this debug function in most cases, a Notes administrator with appropriate privileges is able to discover all user passwords. Some Notes customers have implemented complex solutions to allow for the central storage of password changes, while resetting passwords is only possible based on the four-eye principle, i.e. administration and revision must work together to do so. The debug function makes it possible to bypass this security policy.
(Volker Weber)
------


For a more detailed analysis, please see the original article on: http://www.heise-security.co.uk/news/92958



bye, ju


-- Juergen Schmidt, editor-in-chief heise Security www.heise-security.co.uk
GPG-Key: 0x38EA4970,  5D7B 476D 84D5 94FF E7C5  67BE F895 0A18 38EA 4970
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
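
Because the exposure described in the excerpt depends on additional lines being entered in Notes.INI, one defensive check is to compare each client's file against an approved baseline and report anything that was added. The Python script below is an added example, not part of the original post or the heise article; the baseline contents, the `ExampleAddedSetting*` keys and the function names are constructed for illustration.

```python
# Added example: report drift between a client's Notes.INI and an approved baseline.
# All sample contents below are constructed; no key names come from the advisory.

def parse_ini(text):
    """Return (settings, duplicates). Keys are compared case-insensitively."""
    settings, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, the section header and anything that is not key=value.
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower()
        if key in settings:
            duplicates.append(key)  # the same key entered twice deserves a look
        settings[key] = value.strip()
    return settings, duplicates


def audit(baseline_text, current_text, volatile=()):
    """Compare current settings with the baseline.

    volatile: keys expected to differ per user (assumption: the
    administrator maintains this list for their own environment).
    """
    base, _ = parse_ini(baseline_text)
    cur, dups = parse_ini(current_text)
    skip = {k.lower() for k in volatile}
    added = sorted(k for k in cur if k not in base and k not in skip)
    changed = sorted(k for k in cur
                     if k in base and cur[k] != base[k] and k not in skip)
    return {"added": added, "changed": changed, "duplicated": sorted(set(dups))}


# Constructed sample data: an approved baseline and a client copy that has
# gained two extra lines, as in the scenario the excerpt describes.
BASELINE = r"""[Notes]
Directory=C:\Lotus\Notes\Data
KeyFilename=user.id
MailServer=CN=Mail01/O=Example
"""
CURRENT = BASELINE + "ExampleAddedSetting1=1\nExampleAddedSetting2=placeholder\n"

if __name__ == "__main__":
    report = audit(BASELINE, CURRENT)
    for kind, keys in report.items():
        for key in keys:
            print(f"{kind}: {key}")
```

Any key reported as `added` on a client should be traced back to an approved change before the next password change takes place on that machine.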