Lotus flaw reported--but IBM's unfazed

A flaw in IBM's Lotus Domino Server could be used to crash systems, a security company has warned, but Big Blue is disagreeing that a vulnerability exists.

The denial-of-service flaw appears in versions 6.5.1 and 6.0.3 of the e-mail and calendar server software, security company iDefense said in an advisory released Wednesday.

"Exploitation of this vulnerability allows unauthenticated remote attackers to crash the Web service, thereby preventing legitimate usage," iDefense said in the advisory. "This attack requires minimal resources to launch and can be repeated to ensure that an unpatched computer is unable to recover."

IBM, however, rebuffed the report. In a posting to its tech support site, the company said it has thoroughly investigated the issue and has not been able to verify the vulnerability.

"We appreciate the work they do, and we worked hard with them on this, but we found no processes that were hung up," said Katherine Emling, IBM's development manager for Domino security. "The only reason I can think for the differences we found were the configurations that were specific to their hardware."

iDefense first notified IBM of the problem in the Lotus Domino Server software in February, said Michael Sutton, director of iDefense Labs. The companies have been working together since then to test the flaw, but in the end, came to different conclusions.

"We worked forever with IBM on this and we think they're wrong," Sutton said. "In my opinion, this is not a difficult vulnerability to re-create."

In the past, IBM and iDefense have had a good working relationship, Sutton said. iDefense would notify Big Blue of vulnerabilities it found in IBM's products before publicly releasing the details of the flaw, he said. IBM in turn would work with iDefense in identifying the problem and developing a patch, so that an update would be ready when iDefense publicly announced the flaw.

"We ultimately agreed to disagree on the vulnerability," Sutton said. "And as we were trying to figure out how to handle the disclosure of this information, IBM posted their technical advisory on this without coordinating with us."

Sutton and Emling noted that it is unusual when a technology vendor and a security research company cannot agree on whether a flaw exists.

The vulnerability that iDefense found affects the older versions of Lotus Domino Server, a rival software to Microsoft Exchange that runs on a number of operating systems and underpins message, calendar and schedule features. Both 6.5.1 and 6.0.3 were released in February 2004, Emling said., she noted. Both parties said that iDefense's flaw report does not apply to more recent versions, such as version 6.5.3, released in October, and version 6.5.4, released this week.

The vulnerability allows people to launch a remote attack by sending a long string of ASCII characters with a /cgi-bin/ prefix to the vulnerable server, according to iDefense. The resulting stack overflow eats up computing resources and can be used in a denial-of-service attack, iDefense said.

In absence of a patch, iDefense has outlined a workaround. It is advising companies to limit access to systems and services using firewalls, access control lists or other mechanisms.

Emling said that if any Lotus Domino server customers encounter denial-of-service problems, she hopes they will contact IBM and provide them with information.