OSEC

From: paolo_armandoCEDATI.COM
Date: Fri Jan 12 2001 - 01:40:02 CST


    This is the official Lotus response:

    The following document will be posted shortly to the Security Zone
    web site at http://www.lotus.com/security. It is also documented in
    technote #183851 (still in editorial process). In the event of any
    updates, please see the technote, or the web site.

    Reported Issue:
    In a recent post to an Internet mailing list, the author asserts
    that, regardless of ACL settings, anyone who can intercept network
    packets between a Notes client and Domino server can circumvent the
    ACL (Access Control List) and gain access to another user's mail
    file.

    Lotus Response:
    We have thoroughly investigated this claim and have determined it to
    be false. The Domino server checks and enforces the ACL for each
    request based on the user's authenticated identity. To prevent
    interception of the user's credentials, network port encryption can
    and should be enabled on the Domino servers.

    Supporting Information:
    The report discusses two potential issues. Neither of these should
    be considered a bug in the software.

    The first part of the attack can be described as a
    "Man-in-the-Middle" attack. This type of attack intercepts packets
    on the network and either modifies or reads them. Notes and Domino
    offer a network port encryption feature which prevents this type of
    attack. This feature is very simple to enable and has been in the
    product since its initial release (R1). Details on how to enable
    this feature are included at the end of this document. Similar
    attacks can be executed against web servers as well. That is why
    administrators configure SSL (Secure Sockets Layer) on web servers
    to protect user credentials and confidential data by encrypting
    network traffic.

    The second alludes to a potential issue with ACLs. In the example
    described, User A's credentials have been intercepted and are used
    to access User B's mail file. Based on a user's authenticated
    identity, Domino checks the ACL (access control list) and determines
    whether the user has authorized access to the database. In this
    case, an entry for User A is checked in the ACL for User B's mail
    file. If User A is not listed explicitly in the ACL or as part of a
    group listed in the ACL, the level of access assigned to "Default"
    will apply. The standard ACL for mail files has "Default" access set
    to "No Access". Users can optionally enable other users to view
    public documents, which are typically Calendar and Scheduling
    documents.

    To encrypt network data on a port
      1. From the Domino Administrator, choose the server for which you
         want to encrypt network data.
      2. Click the Server - Status tab.
      3. On the tool bar, choose Setup Ports.
      4. Select a network port in the Communication Ports box.
      5. Select Encrypt network data.
      6. Click OK.

    Thomas Hinders
    Technical Account Manager / SE - New York
    Lotus Development Corp / An IBM Company
    Phone: 610-578-2565 Fax: 610-970-5633
    Notes: Thomas Hinders Lotus
    Notes Net: Thomas Hinders Lotus Notes Net
    Internet: thomas_hinderslotus.com
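The ACL resolution the Lotus response describes (explicit entry, then group membership, then "Default") as an added worked example. This is illustrative Python written for this page; it is not Domino code and not part of the original post. The access-level names, the precedence rule (an explicit user entry wins over groups; otherwise the highest level among matching groups applies), and every user, group and server name below are assumptions made for the example. It walks through the replay scenario from the report: a session the server has authenticated as User A is checked against User B's mail file, with the standard "No Access" Default, with a delegation entry, with a group entry, and with a weak Default of Reader.

```python
# Added example (not Domino's implementation): a small model of a
# server-side ACL check that resolves access from the *authenticated*
# identity of a session. Level names, precedence rule and all names
# are assumptions made for this page.

from dataclasses import dataclass

# Ordered from least to most privilege (Notes-style level names).
LEVELS = ["No Access", "Depositor", "Reader", "Author",
          "Editor", "Designer", "Manager"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass
class Acl:
    """Access control list of one database (e.g. a mail file)."""
    entries: dict                 # user name or group name -> level
    default: str = "No Access"    # applied when nothing else matches

    def effective_level(self, user, groups):
        """Resolve the level for `user`; `groups` maps group name -> members."""
        # 1. An explicit entry for the user wins outright.
        if user in self.entries:
            return self.entries[user]
        # 2. Otherwise the highest level among groups that contain the user.
        matching = [level for name, level in self.entries.items()
                    if user in groups.get(name, set())]
        if matching:
            return max(matching, key=RANK.__getitem__)
        # 3. Everyone else gets exactly what "Default" grants.
        return self.default


@dataclass
class Session:
    """What the server knows after authentication: who this is."""
    authenticated_user: str


def can_read(session, acl, groups):
    level = acl.effective_level(session.authenticated_user, groups)
    return RANK[level] >= RANK["Reader"]


def build_scenario():
    """Constructed sample data: a directory of groups and two mail files
    with the standard mail-file ACL (owner and servers as Manager,
    Default = No Access)."""
    groups = {
        "LocalDomainServers": {"Mail1/Acme"},
        "SalesTeam": {"UserA/Acme", "UserB/Acme"},
    }
    mail_a = Acl({"UserA/Acme": "Manager", "LocalDomainServers": "Manager"})
    mail_b = Acl({"UserB/Acme": "Manager", "LocalDomainServers": "Manager"})
    return groups, mail_a, mail_b


def replayed_session_outcomes():
    """An attacker who intercepted User A's credentials replays them.
    The server only sees a session authenticated as UserA/Acme, so each
    ACL check is made for that identity and nothing else."""
    groups, mail_a, mail_b = build_scenario()
    session = Session("UserA/Acme")
    me = session.authenticated_user

    # Variants of B's mail-file ACL that an administrator or B could set.
    delegated = Acl({**mail_b.entries, "UserA/Acme": "Reader"})
    via_group = Acl({**mail_b.entries, "SalesTeam": "Editor"})
    weak_default = Acl(dict(mail_b.entries), default="Reader")

    return {
        # Stolen credentials yield A's own entitlements...
        "own_mail": mail_a.effective_level(me, groups),
        # ...but nothing on B's file unless B's ACL already grants it.
        "victim_mail_default": mail_b.effective_level(me, groups),
        "victim_mail_delegated": delegated.effective_level(me, groups),
        "victim_mail_group": via_group.effective_level(me, groups),
        "victim_mail_weak_default": weak_default.effective_level(me, groups),
        "victim_readable_with_standard_acl": can_read(session, mail_b, groups),
    }


if __name__ == "__main__":
    for case, outcome in replayed_session_outcomes().items():
        print(f"{case:35s} -> {outcome}")
```

Run stand-alone, the script shows that a replayed credential is worth exactly what the victim identity's ACL entries are worth: B's mail becomes readable only where B (or an administrator) has granted it, through an explicit delegation entry, a group entry, or a Default above "No Access". Interception changes none of those outcomes, which is the response's point; port encryption addresses the capture itself.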