=====================================================================
                                    CERT-Renater

                         Information Note No. 2008/VULN125
_____________________________________________________________________

DATE                      : 10/04/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Lotus Notes.

======================================================================
http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21298453
______________________________________________________________________

Potential security vulnerabilities in Lotus Notes file viewers for
Applix Presents, Folio Flat File, HTML speed reader, KeyView and MIME
Technote

Secunia contacted IBM Lotus to report several potential buffer overflow
vulnerabilities in Lotus Notes. In specific situations, there exists the
possibility to execute arbitrary code.

To exploit these vulnerabilities, an attacker would have to send a
specially crafted file attachment to users, and the users would then
have to double-click and "View" the attachment.

These issues are relative to the following file attachment types:
   - Applix Presents (.ag)
   - Folio Flat File (.fff)
   - HTML speed reader (.htm)
   - KeyView document viewing engine
   - Text mail (MIME)

You can access the advisory at the following link:
http://secunia.com/advisories/28210

These issues were reported to Lotus Quality Engineering and the
technology vendor involved has provided software updates. These
vulnerabilities are currently being addressed with a patch and are
targeted to be included in the next major release.

Refer to the table below for details on the issues and the associated
Lotus SPR tracking number.

The issues vary depending on the file attachment type, but they are all
related in how the buffer overflow denial of service could be triggered.
In all cases, the issue involves viewing a malicious attached file.

===========================================================================
File Format            | Associated    | Lotus SPR     |  Additional
                        | Keyview dll   | Tracking #    |   Details
===========================================================================
Applix Presents (.ag)  | kpagrdr.dll   | PRAD79EMMB    |
===========================================================================
Folio Flat File (.fff) | foliosr.dll   | PRAD7AM3LG    |
===========================================================================
HTML Speed Reader      | htmsr.dll     | PRAD7AP563    |  Lotus Notes 8.0
(.htm)                 |               |               |  and higher is
                        |               |               |  not vulnerable
===========================================================================
KeyView document       | kvdocve.dll   | PRAD7AP563    |  Lotus Notes 8.0
viewing engine, which  |               |               |  and higher is
is used for viewing    |               |               |  not vulnerable
html attachments       |               |               |
===========================================================================
Text mail (MIME)       | mimesr.dll -  | PRAD78SMQM and|
                        | used by Lotus | PRAD78SN3A    |
                        | Notes prior   |               |
                        | to release 8.0|               |
                        |               |               |
                        | emlsr.dll - is|               |
                        | used by Lotus |               |
                        | Notes 8.0 or  |               |
                        | higher        |               |
============================================================================

Note: This issue impacts the Lotus Notes client only; it does not impact
the Domino server.

Workarounds for Notes 6.x, 7.x, and 8.x client versions:

Option 1: Contact IBM Support to obtain the patch for the Notes client.

Option 2: Alternately, you can disable the affected file viewers by
           following one of the options in the "How to disable viewers
           within Lotus Notes" section of this technote.

Workaround for Notes 5.x client versions:

If you are interested in protecting yourself from these vulnerabilities,
we recommend disabling the viewers as described in the "How to Disable
Viewers within Lotus Notes" section of this technote. There is no
software fix available for the 5.x Notes client version.

How to disable viewers within Notes:

Option 1 : Delete the keyview.ini file in the Notes program directory.
            This disables ALL viewers. When a user clicks View (for any
            file), a dialog box will display with the message "Unable to
            locate the viewer configuration file."

Option 2 : Delete the problem .dll file. When a user tries to view the
            specific file type, a dialog box will display with the message
            "The viewer display window could not be initialized." All other
            file types work without returning the error message.

Option 3 : Comment out specific lines in keyview.ini for any references
            to the problem file (dll). To comment a line, you precede it
            with a semi-colon (;). When a user tries to view the specific
            file type, a dialog box will display with the message
            "The viewer display window could not be initialized."

For example:

[KVARCVE]
; 35=lasr.dll
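Option 3 amounts to commenting out the "NN=name.dll" entries that load the affected viewers. The following Python script is an added example (not part of the IBM technote or of this CERT-Renater note) that audits a keyview.ini for still-active references to the DLLs named in the table above and produces a copy with those lines commented out, which also serves as a quick check that the workaround has actually been applied on a client. The sample INI content is constructed: only the [KVARCVE] section name and the "35=lasr.dll" line shape come from the technote, so the layout of a real keyview.ini may differ and the regular expression should be checked against your installation first.

```python
import re
import sys

# DLLs listed in the technote's table as the affected viewer libraries.
AFFECTED_DLLS = {
    "kpagrdr.dll",  # Applix Presents (.ag)
    "foliosr.dll",  # Folio Flat File (.fff)
    "htmsr.dll",    # HTML Speed Reader (.htm), Notes < 8.0
    "kvdocve.dll",  # KeyView document viewing engine
    "mimesr.dll",   # Text mail (MIME), Notes < 8.0
    "emlsr.dll",    # Text mail (MIME), Notes >= 8.0
}

# Constructed sample: the section name and the ";"-commented line come from
# the technote; the numbered entries below are invented for illustration.
SAMPLE_INI = """[KVARCVE]
; 35=lasr.dll
36=kpagrdr.dll
37=foliosr.dll
38=htmsr.dll
39=txtsr.dll
40=mimesr.dll
"""

# Assumed entry shape: "<number>=<library>.dll", optionally surrounded by spaces.
ENTRY_RE = re.compile(r"^\s*(\d+)\s*=\s*([^\s;]+\.dll)\s*$", re.IGNORECASE)


def _is_commented(line):
    """True when the line is already disabled with a leading semicolon."""
    return line.lstrip().startswith(";")


def find_active_references(ini_text, affected=AFFECTED_DLLS):
    """Return (line_number, dll) for every uncommented entry loading an affected DLL."""
    hits = []
    for number, line in enumerate(ini_text.splitlines(), start=1):
        if _is_commented(line):
            continue
        match = ENTRY_RE.match(line)
        if match and match.group(2).lower() in affected:
            hits.append((number, match.group(2).lower()))
    return hits


def disable_viewers(ini_text, affected=AFFECTED_DLLS):
    """Return a copy of the INI text with affected entries prefixed by ';' (Option 3).

    Lines that are already commented, and entries for other viewers, are left
    untouched, so running this twice gives the same result.
    """
    output = []
    for line in ini_text.splitlines():
        match = ENTRY_RE.match(line)
        if match and not _is_commented(line) and match.group(2).lower() in affected:
            output.append("; " + line)
        else:
            output.append(line)
    return "\n".join(output) + "\n"


if __name__ == "__main__":
    # Usage: python keyview_audit.py <path-to-keyview.ini>
    # Writes the hardened copy next to the original instead of overwriting it.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="latin-1").read() if path else SAMPLE_INI
    for number, dll in find_active_references(text):
        print(f"line {number}: active reference to {dll}")
    if path:
        with open(path + ".hardened", "w", encoding="latin-1") as handle:
            handle.write(disable_viewers(text))
```

Deleting keyview.ini (Option 1) or the DLL itself (Option 2) remains the blunter alternative; the script only covers the per-viewer approach and should be run against a copy of the file before the result is put into the Notes program directory.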

Additional Background

In general, users are strongly urged to use caution when opening or viewing
unsolicited file attachments.

The attachments will not auto-execute upon opening or previewing the email
message; the file attachment must be opened by the user using one of the
mentioned file viewers. In some cases, further user action is also
required to trigger the exploit.

Security Rating using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score: 9.3
     Impact Subscore: 10
     Exploitability Subscore: 8.6
CVSS Temporal Score: 7.3
CVSS Environmental Score: Undefined*
Overall CVSS Score: 7.3

Base Score Metrics:
     * Related exploit range/Attack Vector: Network
     * Access Complexity: Medium
     * Authentication: None
     * Confidentiality Impact: Complete
     * Integrity Impact: Complete
     * Availability Impact: Complete

Temporal Score Metrics:
     * Exploitability: Proof of Concept Code
     * Remediation Level: Official Fix
     * Report Confidence: Confirmed

References:
     * CVSS v2 Complete Documentation
     * CVSS v2 Online Calculator

*The CVSS Environmental Score is specific to each customer's environment
and ultimately affects the Overall CVSS Score. Customers can evaluate the
impact of this vulnerability in their own environments using the
referenced links.
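The scores above follow directly from the listed metrics under the CVSS v2 equations. The following Python block is an added example (not part of the technote or of this note) that reproduces the base, impact, exploitability and temporal values from those metrics and then shows how an environmental score would be derived once a customer supplies the environment-specific metrics the technote leaves undefined. The environmental metric values used in the example (CDP:L, TD:M, CR/IR/AR:M) are an arbitrary illustration, not an assessment of any real environment.

```python
# CVSS v2 metric weights as published in the CVSS v2 guide.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

EXPLOITABILITY = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}
REMEDIATION = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}
CONFIDENCE = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}

COLLATERAL_DAMAGE = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0}
TARGET_DISTRIBUTION = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0}
REQUIREMENT = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}


def impact_subscore(c, i, a, cr="ND", ir="ND", ar="ND"):
    """Impact = 10.41 * (1 - (1-C)(1-I)(1-A)); the CR/IR/AR weights give the
    'adjusted impact' used by the environmental equation (capped at 10)."""
    raw = 10.41 * (1 - (1 - IMPACT[c] * REQUIREMENT[cr])
                     * (1 - IMPACT[i] * REQUIREMENT[ir])
                     * (1 - IMPACT[a] * REQUIREMENT[ar]))
    return min(10.0, raw)


def exploitability_subscore(av, ac, au):
    """Exploitability = 20 * AccessVector * AccessComplexity * Authentication."""
    return 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]


def base_score(av, ac, au, c, i, a, cr="ND", ir="ND", ar="ND"):
    impact = impact_subscore(c, i, a, cr, ir, ar)
    exploit = exploitability_subscore(av, ac, au)
    f_impact = 0.0 if impact == 0 else 1.176
    return round(((0.6 * impact) + (0.4 * exploit) - 1.5) * f_impact, 1)


def temporal_score(base, e, rl, rc):
    return round(base * EXPLOITABILITY[e] * REMEDIATION[rl] * CONFIDENCE[rc], 1)


def environmental_score(av, ac, au, c, i, a, e, rl, rc, cdp, td, cr, ir, ar):
    """Environmental = ((AdjustedTemporal + (10 - AdjustedTemporal) * CDP) * TD),
    where AdjustedTemporal is the temporal score recomputed with the
    requirement-weighted impact."""
    adjusted_base = base_score(av, ac, au, c, i, a, cr, ir, ar)
    adjusted_temporal = temporal_score(adjusted_base, e, rl, rc)
    return round((adjusted_temporal + (10 - adjusted_temporal)
                  * COLLATERAL_DAMAGE[cdp]) * TARGET_DISTRIBUTION[td], 1)


def score_technote():
    """Metrics as listed in the technote: AV:N/AC:M/Au:N/C:C/I:C/A:C and
    E:POC/RL:OF/RC:C. Returns the subscores and the rounded scores."""
    base = base_score("N", "M", "N", "C", "C", "C")
    return {
        "impact": round(impact_subscore("C", "C", "C"), 1),
        "exploitability": round(exploitability_subscore("N", "M", "N"), 1),
        "base": base,
        "temporal": temporal_score(base, "POC", "OF", "C"),
    }


def score_example_environment():
    """Illustrative environment only: low collateral damage potential, medium
    target distribution, medium security requirements for C, I and A."""
    return environmental_score("N", "M", "N", "C", "C", "C",
                               "POC", "OF", "C",
                               cdp="L", td="M", cr="M", ir="M", ar="M")


if __name__ == "__main__":
    print(score_technote())              # {'impact': 10.0, 'exploitability': 8.6, 'base': 9.3, 'temporal': 7.3}
    print(score_example_environment())   # 5.7 for the illustrative environment
```

Because the temporal equation multiplies the base score by the three temporal weights, the drop from 9.3 to 7.3 comes almost entirely from the "Official Fix" remediation level (0.87) and the "Proof of Concept" exploitability (0.9); the environmental equation then scales that result by how widely the vulnerable client is deployed, which is why the technote leaves it for each customer to fill in.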

======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================
