Title: Fixes from ver 4.5 to 4.5a
Category: Lotus Notes 4.x
Author: Ulf Elm

Title: Impersonation Scenarios with Lotus Domino Servers
Domino and Notes Versions: Domino R1.0; Domino R1.5; Domino 4.5, Powered by Notes
Date: 12/20/96

Problem

A security audit was done within Lotus, stimulated by issues referenced in an "l0pht security advisory" published on the Internet. This advisory and our own internal audit revealed scenarios that might allow a Web browser user to impersonate a legitimate user; these include but are not limited to scenarios described in the advisory. We consider concerns of this kind to be sufficiently serious to warrant immediate action on our part. (In no case is the security compromised when accessing a Domino server directly from a Notes workstation or server.) We do not intend to disclose further details of these scenarios at this time, in order to deny information to potential attackers, but we are providing immediate resolutions in the Notes and Domino systems as described below.

Solution

Lotus has issued an immediate upgrade (maintenance releases "Domino R1.5a" and "Domino 4.5a, Powered by Notes") that fixes the problems. This release is otherwise identical to Releases 1.5 and 4.5. You should obtain the upgrade in one of these ways:

• Obtain a new CD that contains the full kit directly from Lotus. Customers obtain this Release from Lotus Notes Sales by calling 1-800-346-1305. We expect CDs to be available by this route early in the week of December 23, 1996 for North American users. Contact this number for additional availability information.
• Download an incremental install kit from the beta.notes.net Web site. This is available for Windows 32 servers on either the Intel or Alpha platforms.
• If you are a Unix user, download the necessary individual files (http and strings.res) from beta.notes.net.
• If you previously downloaded a Domino 1.5 package from domino.lotus.com, go to the same page for Domino 1.5a.
If you are running a Domino server which is being accessed only by Web browsers and not by Notes clients, an immediate fix to this problem is to make sure that the ACL on the server's Name and Address Book is set to No Access. You need to be certain in this case that the Name and Address Book does not replicate to other servers that do provide service to Notes client users.

If you are delayed obtaining the upgrade or are in doubt about the status of a Domino server, we recommend that you shut down the HTTP service immediately to prevent exposure of confidential information. You can still proceed securely with Notes clients and normal Notes authentication; this shutdown will affect access by Web browsers only. To shut down the HTTP server task, issue the following command at the server console:

    TELL HTTP QUIT

Also, to prevent the HTTP task from restarting on a reboot, edit the server's notes.ini file to remove the HTTP task from the ServerTasks setting.

Who is affected?

A typical server that is affected is one that runs the NT operating system with Notes R4.12 + Domino R1.5, or that runs Domino 4.5, Powered by Notes. Specifically, these servers are affected:

• Notes R4.1x servers running Domino R1.0 or Domino R1.5, including the commercially available NT versions and the recently published beta version of Domino R1.5 for OS/2.
• Domino 4.5, Powered by Notes, on the NT Intel, NT Alpha, Solaris SPARC, Solaris X.86, and AIX platforms.

Who is not affected?

• Any NLM server or HP-UX server. Domino has not yet been released on these server platforms.
• Any server running Release 1.5a or 4.5a or later. These releases fix the problems. Domino shipments and downloads occurring after December 20, 1996 are not affected, since they are packaged with this new "a" version.
• Macintosh clients. This is a server-only problem.
• Win16 clients. This is a server-only problem, and the former server for Win16 is not supported by Notes R4.
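The notes.ini step above (keeping HTTP from restarting on reboot) is easy to get wrong by hand, because ServerTasks is a comma-separated list and sits next to similarly named keys such as ServerTasksAt1. The following script is an added example, not Lotus's code: it reports whether HTTP is in ServerTasks and rewrites only that one value, leaving every other line of the file intact. The sample notes.ini content and the path argument are constructed for illustration; the standard Key=Value layout of notes.ini is assumed.

```python
"""Check for, and remove, the HTTP task in a Domino server's notes.ini.

Added example (not Lotus's code). Assumes the standard 'Key=Value' notes.ini
layout with a comma-separated ServerTasks list. SAMPLE_INI below is a
constructed file for demonstration, not taken from a real server.
"""
import re
import shutil
import sys
from pathlib import Path

# Match the ServerTasks key exactly (so ServerTasksAt1, ServerTasksAt2 ... are
# left alone), case-insensitively, and capture the value after '='.
_SERVERTASKS_RE = re.compile(r"^(ServerTasks)\s*=\s*(.*)$", re.IGNORECASE)

# Constructed sample notes.ini content (illustrative only).
SAMPLE_INI = """[Notes]
Directory=C:\\notes\\data
ServerTasks=Replica,Router,Update,AMgr,Adminp,HTTP
ServerTasksAt1=Catalog,Design
ServerTasksAt2=UpdAll,Object Collect mailobj.nsf
"""


def parse_server_tasks(ini_text: str) -> list[str]:
    """Return the task names listed in ServerTasks=, or [] if the key is absent."""
    for line in ini_text.splitlines():
        m = _SERVERTASKS_RE.match(line.strip())
        if m:
            return [t.strip() for t in m.group(2).split(",") if t.strip()]
    return []


def http_task_enabled(ini_text: str) -> bool:
    """True if the HTTP task would be started automatically at server boot."""
    return any(t.lower() == "http" for t in parse_server_tasks(ini_text))


def remove_http_task(ini_text: str) -> str:
    """Return ini_text with HTTP dropped from ServerTasks; other lines untouched."""
    out = []
    for line in ini_text.splitlines():
        m = _SERVERTASKS_RE.match(line.strip())
        if m:
            kept = [t.strip() for t in m.group(2).split(",")
                    if t.strip() and t.strip().lower() != "http"]
            line = f"{m.group(1)}={','.join(kept)}"  # keep original key casing
        out.append(line)
    return "\n".join(out) + ("\n" if ini_text.endswith("\n") else "")


def main(argv: list[str]) -> int:
    """Usage: disable_http.py <path-to-notes.ini>  (path is a placeholder)."""
    if len(argv) != 2:
        print("usage: disable_http.py <path-to-notes.ini>", file=sys.stderr)
        return 2
    ini_path = Path(argv[1])
    text = ini_path.read_text(encoding="latin-1")
    if not http_task_enabled(text):
        print(f"{ini_path}: HTTP is not in ServerTasks; nothing to do")
        return 0
    # Keep a backup before touching the server's configuration.
    shutil.copy2(ini_path, ini_path.with_suffix(ini_path.suffix + ".bak"))
    ini_path.write_text(remove_http_task(text), encoding="latin-1")
    print(f"{ini_path}: removed HTTP from ServerTasks (backup written)")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the server's notes.ini after issuing TELL HTTP QUIT; the edit only takes effect at the next server start, so the console command is still needed to stop the task that is already running.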
Summary of Lotus Response

Manufacturing and Web-posting of the affected server platforms was halted on December 20, 1996. Lotus has responded to this situation by:

• replacing these software packages with the 1.5a and 4.5a releases for further customer shipments and downloads worldwide;
• posting upgrade kits for Release 4.1 (domino.lotus.com) and Release 4.5 (beta.notes.net);
• posting the http executable and strings.res files, for Unix servers, on beta.notes.net. If you previously downloaded a Domino 1.5 package from domino.lotus.com, go to the same page for Domino 1.5a;
• re-shipping new CDs to the customers who already received shipments of Domino 4.5, Powered by Notes;
• making additional CDs available via Customer Service, for any customers who received original shipments but were not reached by our recall/reshipment.