Rapid7 Vulnerability & Exploit Database

Lotus Notes/Domino Anonymous Access to Server Certificate Administration

Severity
8
CVSS
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published
11/01/2004
Created
07/25/2018
Added
11/01/2004
Modified
07/19/2012

Description

The Domino server is configured to allow anonymous access to the Server Certificate Administration database (certsrv.nsf). This database holds the server's cryptographic key material, including its SSL public and private keys. If that material is leaked or compromised, an attacker could decrypt traffic that was encrypted for the server (over HTTPS or SSL) and could impersonate the server, convincing users that an attacker-controlled host is the real one. If the attacker also has write access to the database, they could modify and issue certificates at will.

Solution(s)

  • disable-anonymous-default-notes-acl: in the ACL of certsrv.nsf, set the Anonymous entry (and the -Default- entry) to No Access so that only named administrators can open the database.
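The following probe, added here as an example and not Rapid7's own check code, shows how an unauthenticated request for certsrv.nsf can be classified into "anonymous access", "authentication required", "denied" or "not present". It assumes Domino's usual HTTP behaviour (a 200 with the database view when Anonymous has access, a 401 under basic authentication, a redirect to or a 200 serving names.nsf?Login under session authentication, a 404 when the database is absent); the body markers, the hostname and the sample responses are constructed for illustration.

```python
"""Probe a Domino server for anonymous access to certsrv.nsf.

Added example, not Rapid7's check code. Assumes Domino's standard
responses to an unauthenticated GET: 200 with the database view when
Anonymous can open it, 401 for basic authentication, a redirect (or a
200 page) pointing at names.nsf?Login for session authentication, and
404 when the database is not present. Markers and hosts are assumed.
"""
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass

DB_PATH = "/certsrv.nsf"

# Strings expected in the database's own HTML when Anonymous can open it:
# the database title and the self-referencing view links Domino emits.
# (Assumed markers; the title is the database name given on this page.)
EXPOSED_MARKERS = ("Server Certificate Administration", "/certsrv.nsf/")

# Strings Domino emits when session authentication intercepts the request.
LOGIN_MARKERS = ("names.nsf?Login", 'name="Username"')


@dataclass
class Probe:
    """One HTTP response to an unauthenticated request for certsrv.nsf."""
    status: int
    body: str = ""
    location: str = ""


def classify(probe: Probe) -> str:
    """Map the response to a finding: anonymous-access, auth-required,
    denied, not-present or unknown."""
    if probe.status == 404:
        return "not-present"
    if probe.status == 401:
        return "auth-required"
    if probe.status in (301, 302, 303, 307, 308):
        if any(m in probe.location for m in LOGIN_MARKERS):
            return "auth-required"
        return "unknown"
    if probe.status == 403:
        return "denied"
    if probe.status == 200:
        # Session authentication serves the login form with a 200, so the
        # login markers must be checked before the exposure markers.
        if any(m in probe.body for m in LOGIN_MARKERS):
            return "auth-required"
        if any(m in probe.body for m in EXPOSED_MARKERS):
            return "anonymous-access"
    return "unknown"


def fetch(base_url: str, timeout: float = 10.0) -> Probe:
    """GET certsrv.nsf with no credentials and without following redirects,
    so a login redirect is seen as such rather than as the login page."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # makes urllib raise HTTPError for 3xx responses

    opener = urllib.request.build_opener(NoRedirect)
    url = base_url.rstrip("/") + DB_PATH + "?OpenDatabase"
    req = urllib.request.Request(url, headers={"User-Agent": "certsrv-probe"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return Probe(resp.status, body, resp.headers.get("Location", ""))
    except urllib.error.HTTPError as err:
        try:
            body = err.read(65536).decode("utf-8", "replace")
        except Exception:
            body = ""
        location = err.headers.get("Location", "") if err.headers else ""
        return Probe(err.code, body, location)


def check(base_url: str) -> str:
    """Fetch and classify in one call; the finding string is the result."""
    return classify(fetch(base_url))


if __name__ == "__main__":
    # Usage: python probe.py https://domino.example.test  (constructed host)
    target = sys.argv[1] if len(sys.argv) > 1 else "http://domino.example.test"
    print(target, "->", check(target))
```

Only "anonymous-access" corresponds to the finding on this page; "auth-required" means the ACL (or the server's authentication) is already blocking Anonymous, and "unknown" should be inspected by hand rather than treated as safe.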
