Rapid7 Advisory R7-0010 information
Rapid7 Security Advisory - Lotus Notes/Domino
- What vulnerabilities has Rapid7 discovered in Lotus Notes/Domino?
- What is the impact of these vulnerabilities?
- What versions of Notes/Domino are affected?
- Where can I download the updates?
- Are Notes clients affected?
- How can I mitigate my risk without upgrading?
The impact of these vulnerabilities ranges from denial of service (crashing the Domino server) to potentially gaining full remote control of the Domino server.
In some situations, crashing the Domino server can lead to corruption of Notes databases, including the Name and Address book.
The list of affected versions is different for each of the three vulnerabilities. The most critical vulnerability affects all versions of Lotus Notes going back to R4 and possibly earlier. Users running 5.0.11 or earlier are vulnerable and should upgrade to R5.0.12.
If you are running a beta version of R6 prior to the R6 "Gold" release, you are vulnerable. Note that while these three vulnerabilities are fixed in R6 Gold, users should upgrade to R6.0.1 (released last week) to protect themselves from other vulnerabilities in the Gold build.
Finally, if you are running any pre-R5 (R4 or earlier) release, you are vulnerable. Notes R4 is no longer supported and there are other widely known vulnerabilities in these old releases. You should consider upgrading to R5.0.12.
You can download Notes and Domino incremental installers by clicking here.
Yes, Notes clients are affected by two of these vulnerabilities. While client risks are not as great, clients should also upgrade to the latest release.
Because each vulnerability affects a different area of Domino, the best way to mitigate your risk is to upgrade immediately if you are running one of the versions of Notes/Domino listed above in the question "What versions of Notes/Domino are Effected". It is not possible to continue providing Notes/Domino services in a safe way without upgrading.
Short of upgrading, you can help mitigate your risk by following best practices for Domino servers. Disable all unused Domino server tasks and block off all unnecessary services (including the native Notes port 1352/tcp), from the outside world.
Organizations which perform Notes replication externally with other servers should configure the firewall to allow in ONLY those IP addresses belonging to trusted external servers. A safer alternative is to tunnel Notes replication over a VPN.
Rather than allowing native Notes access on WAN-facing Notes servers, it is safer to offer Internet mail with encrypted SMTP/IMAP/POP3 or iNotes (webmail) over HTTPS with certificate-based authentication. However, due to other recently published iNotes vulnerabilities, it may not be possible to offer safe iNotes access without upgrading to R5.0.12 or R6.0.1.
Domino servers which operate strictly in a stripped-down web-only capacity (without Notes users, replication, or other services) are not affected as long as ONLY the following ports are open: ports 80 and 443 (HTTP/S), ports 110 and 995 (POP3/S), ports 143 and 993(IMAP/S), and port 25 (SMTP).