(May 2011) Fixes for potential security vulnerabilities in Lotus Notes file viewers

News


Abstract

Both iDefense Labs and CoreLabs Research have contacted IBM to report potential buffer overflow vulnerabilities in several Lotus Notes file viewers. The specific issues vary depending on attachment type; however, they are all related in how the buffer overflow denial-of-service could be accomplished. In all cases, the issues involve viewing a malicious attachment from a Notes client on a Windows-based machine. Domino servers are not impacted. (Original publish date May 24, 2011. See "Change History" table below.)

Content

In specific situations, arbitrary code could potentially be executed when the following types of attachments are viewed in Notes:

  • LZH archive
  • RTF document
  • Applix Spreadsheets
  • Microsoft Excel document
  • Microsoft Office document
  • Lotus Notes .prz file
  • Lotus Notes .zip file

To exploit these vulnerabilities, an attacker would have to send a specially crafted file attachment to users, and then users would have to double-click the attachment and select "View".

The specific issues vary depending on attachment type; however, they are all related in how the buffer overflow denial-of-service could be accomplished. In all cases, the issues involve viewing a malicious attachment from a Notes client on a Windows-based machine. Domino servers are not impacted.

Refer to the tables in the "Additional Information" section below for more information on each issue, including the name of the vulnerable .dll files, the IBM SPR tracking numbers, and fix availability for each code stream. You can also find related information on the Web sites of the security researchers who discovered the issues:


Recommended Fix

These issues have been investigated by IBM and the technology vendors involved. To address the issues, customers are encouraged to apply one of these Fix Packs:
  • Interim Fix 1 for Notes 8.5.2 Fix Pack 2 (Available on Fix Central as of May 25, 2011. See technote 1500632 for download links and more info)
  • 8.5.2 Fix Pack 3
  • 8.5.3

Workarounds

For Notes 8.5.2.x

Option 1: Upgrade to Interim Fix 1 for Notes 8.5.2 Fix Pack 2. See technote 1500632 for download links and more information.

- or -

Option 2: Apply the patch detailed below in the "Self-extracting patch" section.

- or -

Option 3: Disable viewer as described in the "Options to disable viewers within Lotus Notes" section of this technote.


For Notes 8.5.1.x and 8.0.x

Option 1: Apply the patch detailed below in the "Self-extracting patch" section.

- or -

Option 2: Disable viewer as described in the "Options to disable viewers within Lotus Notes" section of this technote.


For Notes 7.x, 6.x, and 5.x

Disable viewer as described in the "Options to disable viewers within Lotus Notes" section of this technote.


Self-extracting patch

Fix Central ID
Filename & download link
Notes_Keyview_Security_Fixes_06062011


** IMPORTANT NOTE ** There is an environment variable "KVPATCHER_UIMODE". By default KVPATCHER_UIMODE is disabled (set to "0"), which means that a success prompt will not display at the end of the install. See the instructions below for more details.


Instructions for running the patch:

1) Place the downloaded patch on the desired machine or network drive.

2) Shut down the Notes client to ensure KeyView files to be replaced are not in memory.

3) Run Keyview_Security_patch-06062011.exe as Administrator (a dialog will appear briefly as the files are being extracted).

By default, the install runs silently without displaying a success prompt at the end. If you want the success prompt shown below to appear, then you must issue the following two commands at the command prompt:

> Set KVPATCHER_UIMODE=1
> LotusNotesKeyviewUpdate.exe




*** TIP ***: An alternative method for deploying the patch is described in the following Wiki article: "How to deploy non-versioned patches via Smart Upgrade"


Additional details about the patch
  • This single cross-version patch will apply to Notes 8.5.2.x, 8.5.1.x, and 8.0.x so it can be run on a client machine with any of these releases.
  • The script will determine the correct version and then apply the patches into the Notes Program or MUI directory.
  • The patch will not interfere with existing hotfixes, Interim Fixes, Cumulative Client Hotfixes, Fix Packs, or Maintenance Releases, and it will not revise the Notes version string. Customers who want to confirm the patch has been applied can examine the file date.

Options to disable viewers within Notes

Delete the keyview.ini file in the Notes program directory.
This disables ALL viewers. When a user clicks View (for any file attachment), a dialog box will display with the message "Unable to locate the viewer configuration file."

Delete or rename the affected DLL file.
After removing the dll file, when a user tries to view a file that requires that viewer, a dialog box will display with the message "The viewer display window could not be initialized." All other file types work without returning the error message.

Comment out lines in keyview.ini that reference affected DLL file.
To comment a line, you precede it with a semi-colon (;). When a user tries to view the specific file type, a dialog box will display with the message "The viewer display window could not be initialized."

Example:
[KVWKBVE] --> this is the section of the keyview.ini
;188=xlssr.dll ---> this would be the result of the Excel dll commented out
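
The comment-out workaround above, scripted as an added example (not IBM's code). It assumes keyview.ini entries have the key=dll form shown in the technote's example; the function names and every sample entry other than [KVWKBVE] / 188=xlssr.dll are constructed for illustration.

```python
import re

# Vulnerable viewer DLLs named in this technote's "Additional Information" tables.
AFFECTED_DLLS = ("xlssr.dll", "lzhsr.dll", "rtfsr.dll", "mw8sr.dll",
                 "assr.dll", "kpprzrdr.dll", "kvarcve.dll")

def _dll_pattern(dlls):
    # Whole-token, case-insensitive match (Windows file names), so that
    # "assr.dll" does not also hit an unrelated name such as "classr.dll".
    names = "|".join(re.escape(d) for d in dlls)
    return re.compile(r"(?<![\w.-])(?:%s)(?![\w.-])" % names, re.IGNORECASE)

def disable_viewers(ini_text, dlls=AFFECTED_DLLS):
    """Comment out keyview.ini entries whose value references an affected DLL.

    Returns (new_text, changes), where changes lists (section, original_entry).
    Section headers and already-commented lines are untouched, so a second
    run changes nothing. Assumes the key=dll entry form shown in the technote.
    """
    pattern = _dll_pattern(dlls)
    section, out, changes = None, [], []
    for line in ini_text.splitlines(keepends=True):  # keep CRLF endings intact
        body = line.strip()
        if body.startswith("[") and body.endswith("]"):
            section = body[1:-1]
        elif body and not body.startswith(";") and "=" in body:
            if pattern.search(body.split("=", 1)[1]):
                changes.append((section, body))
                line = ";" + line
        out.append(line)
    return "".join(out), changes

# Constructed sample: only [KVWKBVE] / 188=xlssr.dll comes from the technote;
# the other section name, keys and "classr.dll" are made up for illustration.
SAMPLE_INI = (
    "[KVWKBVE]\r\n"
    "188=xlssr.dll\r\n"
    "189=classr.dll\r\n"
    "[KVDOCVE]\r\n"
    "; 300=rtfsr.dll\r\n"
    "301=MW8SR.DLL\r\n"
)

if __name__ == "__main__":
    patched, changed = disable_viewers(SAMPLE_INI)
    print(patched)
    for sec, entry in changed:
        print("disabled [%s] %s" % (sec, entry))
```

The returned change list doubles as an audit record of which viewers were disabled on a client; keep a copy of the original keyview.ini so the entries can be restored once a fixed release is installed.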


Additional Information

Note: All potential vulnerabilities are investigated to understand the issue and the required fix. However, in some cases (as in this one), due to significant architectural enhancements in the product, a workaround will be the only option. Refer back to the above section for the workaround option for Notes 5.x, 6.x, and 7.x.

Discovered by CoreLabs Research


| CVE # | SPR # | File viewer / vulnerable DLL | Notes 8.0.x | Notes 8.5.1 | Notes 8.5.2 | Notes 8.5.3 |
|---|---|---|---|---|---|---|
| CVE-2011-1512 and CVE-2011-1213 | PRAD8E3HKR | Excel Document / xlssr.dll | Patch | Patch | IF1 for 852FP2; Patch; 852FP3 (ETA Q3) | Fix Included |


Discovered by iDefense Labs

| CVE # | SPR # | File viewer / vulnerable DLL | Notes 8.0.x | Notes 8.5.1 | Notes 8.5.2 | Notes 8.5.3 |
|---|---|---|---|---|---|---|
| CVE-2011-1214 | PRAD88MJ2W | LZH archive file format / lzhsr.dll | Patch | Patch | IF1 for 852FP2; Patch; 852FP3 (ETA Q3) | Fix Included |
| CVE-2011-1215 | PRAD8823JQ | RTF Attachment Viewer / rtfsr.dll | Patch | Patch | Not vulnerable | Fix Included |
| CVE-2011-1216 | PRAD8823ND | Office Document / mw8sr.dll | Patch | Patch | IF1 for 852FP2; Patch; 852FP3 (ETA Q3) | Fix Included |
| CVE-2011-1217 | PRAD8823A7 | Applix Spreadsheets / assr.dll | Patch | Patch | IF1 for 852FP2; Patch; 852FP3 (ETA Q3) | Fix Included |
| CVE-2011-1218 | RAD8E3NKZ | Lotus Notes .prz file format / kpprzrdr.dll | Patch | Patch | IF1 for 852FP2; Patch; 852FP3 (ETA Q3) | Fix Included |
| CVE-2011-1219 | PRAD8E3NSP | Lotus Notes .zip File format / kvarcve.dll | Patch | Patch | IF1 for 852FP2; Patch; 852FP3 (ETA Q3) | Fix Included |


General cautionary note

Users are strongly urged to use caution when opening or viewing unsolicited file attachments.

Attachments will not auto-execute upon opening or previewing the email message; the file attachment must be opened by the user using the mentioned file viewers. In some cases, further user action is also required to trigger the exploit.

Security Rating using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score: < 9.3 >
---- Impact Subscore: < 10 >
---- Exploitability Subscore: < 8.6 >
CVSS Temporal Score: < 7.3 >
CVSS Environmental Score: < Undefined* >
Overall CVSS Score: < 7.3 >
Base Score Metrics:
  • Related exploit range/Attack Vector: < Network >
  • Access Complexity: < Medium >
  • Authentication: < None >
  • Confidentiality Impact: < Complete >
  • Integrity Impact: < Complete >
  • Availability Impact: < Complete >
Temporal Score Metrics:
  • Exploitability: < Proof of Concept Code >
  • Remediation Level: < Official Fix >
  • Report Confidence: < Confirmed >
References:

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.


Change History
17 Jun 2011 Added download link to patch on Fix Central
01 Jun 2011 Added CVE numbers
25 May 2011 Added link to readme technote for Interim Fix 1 for 852FP2
24 May 2011 Changed ETA for Interim Fix 1 for 852FP2 to May 25th
24 May 2011 Initial publication

Related information

Interim Fix 1 for Notes 8.5.2 Fix Pack 2 (852FP2IF1)
IBM Fix Central



Document information

More support for: IBM Notes, Editor
Software version: 6.0, 6.5, 7.0, 8.0, 8.5
Operating system(s): Windows
Reference #: 1500034
Modified date: 2011-06-17
