Huge security hole in Notes

by Volker Weber

Would you believe that you can make Notes log all password changes to hard disk? In clear text?

Well, I did not, until I learned something new today. [Update:] Long and winding explanation moved here in German and there in English.

Opinion: Somebody shot a huge hole into Notes. And this might hurt.

Update 19 JUL 2007: IBM is removing this parameter from all future versions of Notes:

Lotus Notes versions 8.0, 7.0.3 and all future versions will contain a fix that will remove the use of this undocumented debug variable.


Comments

Luckily, you have to restart Notes for it to work. And you actually have to try to change the password. So the lesson here: time-bombed password changing policies are bad. :-)

Gregory Engels, 2007-07-18

The hole is limited to people who have access to user desktops to make the settings and then steal the log. But in discussions in Mary Beth Raven's blog about the F5 workstation lockout feature, the point was made several times that the people who do have rights to manage the Windows domain and user desktops are not one-and-the-same. So yes, there's a problem here. I'm not sure I agree that it is "huge", but it can not be completely discounted with the old "if the desktop is insecure, then all bets are off" excuse.

Richard Schwartz, 2007-07-18

Anything that logs passwords to unprotected memory in clear text is a huge security hole in my book. Notes appears to be its own keylogger. No need for additional trojan horses. Notes can do it all by itself.

Volker Weber, 2007-07-18

How about always pushing the values

KFM_ShowEntropy=0
Debug_Outfile=

to the Notes clients using a desktop policy?

Uwe Brahm, 2007-07-18

Good point Uwe. However, the Debug_Outfile can be legitimately used for other client debugging. But just pushing the KFM_ShowEntropy option would work.

Vowe, why would you even post this to your blog and let people know that this can be done? ;)

Thanks for the heads-up. I'm sure there was a reason for this, but hopefully IBM will correct this to at least hash the password in some way. I can understand it - I can imagine a case (not that it's happened to me...) where a user's password change isn't working but they swear they're typing it correctly...

Hmm, how about further extending this to a startup script? A rogue network admin finds Vowe's flying circus and creates a script to append this to all notes.ini files and also place a copy of the txt file and ID file on his own personal share. Now to force password changes!

NOT GOOD!

Chris Whisonant, 2007-07-18

Huge LOL here - I just googled kfm_showentropy and vowe.net was the first hit. Talk about a fast index...

Chris Whisonant, 2007-07-18

Chris, don't shoot the messenger. This parameter was published by IBM.

Volker Weber, 2007-07-18

Ok, so let's not shoot the messenger. Let's ask the messenger ... did you contact IBM? Did you contact the security folks who work on Notes about this? We all know you know them. Did you contact support? Enter a bug report? Follow the chain?

We all know you are a consultant as well as an author, Volker. I would never want to work with a consultant who, instead of contacting IBM and trying to get this fixed, used it to 'stir the pot.'

Is it bad? yes. Horrible in fact. IBM needs to fix it. But is the right way to get it fixed to blog it vs. contacting them directly?

So ok, let us not shoot the messenger. But I think we can expect more from the messenger.

John Head, 2007-07-18

I kinda agree with both Volker and John. This isn't a case where a previously unknown exploit was found, like an unhandled exception that allowed remote code execution. This is a feature built into the product that could relatively easily be used to defeat the security of the product. I disagree that one oblique reference in the vast expanse of the Knowledgebase makes this officially published, but then again, most of the documentation from IBM and Lotus is scattered.

Anyway, I do think the better approach would have been to contact people at IBM or Lotus to get this addressed. Now everybody under the sun knows about it instead of the few people who happened to stumble across an old Knowledgebase article.

Which begs the question, how did you find this in the first place?

Charles Robinson, 2007-07-18

@Vowe,

Seems like you too are getting clubbed by one of the Lotus-Sapranos :-) Nathan clubbed me earlier today about some other OpenNTF thingie.

Bruce Elgort, 2007-07-18

By the way, the KB articles don't exist any longer. There are two and one is in Google's cache and the other has been modified and doesn't contain that setting any longer. It was modified on July 11, 2007.

In googling, I noticed two other sites that had this setting listed. They were from posts in two German message boards within the past couple of weeks. I'm assuming this is where the information originated (besides the technotes, of course).

I wasn't trying to club Vowe in my post (hence the wink...). I don't know if he tried contacting IBM or not. I certainly hope so...

Chris Whisonant, 2007-07-18

@Chris,

You weren't the clubber - Mr. Head was.

Bruce Elgort, 2007-07-18

Since IBM edited their technotes to remove specific references to the details (thus making us look in Google's cache for the previous version - and why hasn't IBM instructed Google to purge the cache?), is there any question that IBM knows that this is a sensitive issue? Since IBM already knows about the problem, and the evidence indicates they are acting on their knowledge, why does it matter if Volker spoke with them before posting this? Speaking only for myself, I'm not a fan of security by obscurity, and I am very happy to know about this problem now.

Rob McDonagh, 2007-07-18

Let's sort out a few things:

1. This is not a bug. This is a deliberate and fully documented feature. Which never should have existed in the first place.
2. IBM was alerted by several customers about this issue several weeks ago. Which means they have told IBM they are not particularly happy about this feature. As stated above, this is not a bug. IBM knows about it, has built it and documented it.
3. On 11 Mar 1996 the German publication Der Spiegel published an article about Notes security titled "Panzerschrank aus Pappe" (cardboard safe). This one could run as "Schlüssel liegt unter der Fußmatte" (keys are under the front door mat).
4. This blog posting is the run-up for a bigger publication.
5. I am trying to collect some ideas of how you would close this open barn door while IBM struggles to comment out a debug switch.
6. Johannes, I'm peeing in your beer. ;-)

Volker Weber, 2007-07-18

What would happen if it were exposed that Outlook did this?

Amy Blumenfield, 2007-07-18

Wish you would have added that information to your main post. Things would probably have been a little more calm.

We would close the door by adding the line to the Desktop Settings policy document. This would mostly prevent anyone from being able to set it manually or programmatically. If the value were set in some way, then the policy would be enforced and change it back. There's always that chance, though.

Other than that, if someone figured out how to script this in an email to someone, then the Admin ECL should be locked down to prevent it (well, at least to prompt the user). Again, this would rely on the user declining it.

Chris Whisonant, 2007-07-18
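Uwe's desktop-policy proposal and Chris's point that Debug_Outfile has legitimate uses both come down to one question: which client notes.ini files carry the dangerous combination, and how do you force KFM_ShowEntropy back to 0 without breaking ordinary debugging? The following is an added example written for this page, not Lotus/IBM code and not a policy document: it parses notes.ini text, grades the combination of the two parameters, and emits a hardened copy. The parameter names come from the discussion above; the sample notes.ini contents, the severity labels and the file layout under `[Notes]` are constructed assumptions for the example.

```python
"""Audit Lotus Notes notes.ini files for the KFM_ShowEntropy / Debug_Outfile
combination discussed on this page. Added example, not IBM/Lotus code.
Assumptions: notes.ini is a flat Key=Value file under a [Notes] header and
keys are case-insensitive; any value other than 0 for KFM_ShowEntropy is
treated as enabled (the page only states that 0 switches it off)."""
import re
import sys
from pathlib import Path
from typing import Dict, List, Tuple

# "Key = Value" lines; section headers like [Notes] contain no '=' and are skipped.
_KV = re.compile(r"^\s*([^=\[\];#]+?)\s*=\s*(.*?)\s*$")


def parse_notes_ini(text: str) -> Dict[str, str]:
    """Map lower-cased keys to their values; later duplicates win, as in Notes."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; an empty list means nothing to report.

    Only the pair is critical: the debug switch alone has nowhere to write,
    and Debug_Outfile alone is ordinary client troubleshooting."""
    s = parse_notes_ini(text)
    entropy = s.get("kfm_showentropy", "")
    outfile = s.get("debug_outfile", "")
    entropy_on = entropy not in ("", "0")
    findings: List[Tuple[str, str]] = []
    if entropy_on and outfile:
        findings.append(("critical",
                         f"KFM_ShowEntropy={entropy} with Debug_Outfile={outfile}: "
                         "the next password change is written to that file in clear text"))
    elif entropy_on:
        findings.append(("warning",
                         f"KFM_ShowEntropy={entropy}: debug switch enabled; becomes "
                         "password logging as soon as Debug_Outfile is set"))
    elif outfile:
        findings.append(("info",
                         f"Debug_Outfile={outfile}: client debug output redirected to a file "
                         "(legitimate for troubleshooting)"))
    return findings


def harden(text: str) -> str:
    """Return notes.ini text with KFM_ShowEntropy forced to 0 (Uwe's proposal),
    leaving Debug_Outfile alone because it has legitimate uses (Chris's caveat)."""
    out: List[str] = []
    seen = False
    for line in text.splitlines():
        m = _KV.match(line)
        if m and m.group(1).lower() == "kfm_showentropy":
            out.append("KFM_ShowEntropy=0")
            seen = True
        else:
            out.append(line)
    if not seen:
        out.append("KFM_ShowEntropy=0")  # absent key: pin it explicitly
    return "\n".join(out) + "\n"


# Constructed sample files for a stand-alone run; not real workstation data.
CLEAN_INI = "[Notes]\nDirectory=C:\\notes\\data\nKitType=1\n"
RISKY_INI = ("[Notes]\nDirectory=C:\\notes\\data\n"
             "KFM_ShowEntropy=1\nDebug_Outfile=C:\\temp\\debug.txt\n")


def scan_paths(paths: List[str]) -> int:
    """Audit each notes.ini path given; return the number of critical hits."""
    critical = 0
    for p in paths:
        for sev, msg in audit(Path(p).read_text(encoding="utf-8", errors="replace")):
            print(f"{p}: [{sev}] {msg}")
            critical += sev == "critical"
    return critical


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(1 if scan_paths(sys.argv[1:]) else 0)
    for name, ini in (("clean sample", CLEAN_INI), ("risky sample", RISKY_INI)):
        print(name, "->", audit(ini) or "no findings")
    print(harden(RISKY_INI))
```

Run it with one or more notes.ini paths to audit real clients (it exits non-zero when a critical pair is found, which makes it easy to wire into a logon script or inventory job); without arguments it works through the constructed samples. The hardening step deliberately does not clear Debug_Outfile, matching the objection raised above; a policy that only pins KFM_ShowEntropy=0 closes the password-logging pair while leaving debugging intact.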

Amy, that would be quite a story. :-)

Chris, I am not concerned about anybody going wild in the comments. I know the usual suspects and they are doing their best. ;-)

Volker Weber, 2007-07-18

Where's the problem?
That param seems to be spellchecker related. WTF? In the password dialog????
Lotus should consider where to run (and debug) spellchecking routines.

Frantisek Kossuth, 2007-07-18

@Frantisek,
Looking at the log & doc I'd say that the programmer chose to call his routine 'spellcheck' when it really looks for similar words in several sources (dictionary, cache ...).
I'm not a Domino guy but it seems that you are upset about the wrong thing.
Regards, Martin

Martin Forisch, 2007-07-19

Well, I find this kind of hidden 'feature' fairly disgusting, and shame on those who let it out the door. We've all made stupid mistakes though, so let's not take them out back and shoot them just yet.

If this were Microsoft's mistake, the same people who would like to castigate Mr. Weber for pointing this out would be gleefully spreading the news.

The fortress we like to think of as our Domino server may be at least in part tempered glass.

I really don't know how long this has been out there, but it doesn't shock me given the way ownership of and understanding of the Notes product went through such disregard for several.

In the mean time, when was the last big reported IIS bug?

Oh, and a little credit where it's due -- Many at IBM are on record for years being against overt marketing of Domino's superior security record for exactly this reason -- that one day they'd one one too.

Andrew Pollack, 2007-07-19

wow. I can't type or read at all tonight. Sorry.

Andrew Pollack, 2007-07-19

Thank you for posting this. I'm not a fan of security by obscurity, and I am very happy to know about this problem now.

Detlev Buschkamp, 2007-07-19

Wow - looking for kfm_showentropy on Google (as mentioned before), and 21 minutes after the heise.de entry was published, it chased your blog from the top answer in Google! Right now only top 4 for vowe.net.

Samuel Adam, 2007-07-19

By the way, the debug outfile is getting rewritten every time the Notes client is restarted. So the potential attacker needs to collect it after the password reset and before the Notes client restarts, further limiting the practical use of this "exploit" for hacking. If someone has access to the client machine and to the .id file and the notes.ini, then it is probably easier just to run a simple key logger.

@vowe: in the heise article you write that Notes passwords cannot be reset - this is not entirely true. You have to modify the certifier (or the CA process) to include recovery information, and then the button in the login dialog "forgot password" would work. It has been built into Notes, if my memory serves me well, since the 6.0 release.

Gregory Engels, 2007-07-19

Samuel, Heise.de has a much higher page rank. It should lead the results.

Gregory, that is true. I had to simplify a little bit. I know about the ID recovery procedure, but there are actually quite a few large German organizations who have built their own scheme. I had to contrast this with the simple reset of a password on the server.

Volker Weber, 2007-07-19

I'm with Gregory on this one - it's not like it is on by default. Instead someone has to have access to the machine, change the ini, wait for the user to change the password, and grab it before they next open Notes. It would be simpler to use a keylogger, which would get more passwords, and faster. I don't see what the big deal is here.

P.S. On another thing, this is the second time I've typed this, because the stupid 'services' WAP browser on the E61i doesn't send the referrer. Why oh why did Nokia make this the unchangeable default browser, when the E61i has an excellent and capable real web browser? It's probably my biggest issue with the phone.

Lincoln Stoll, 2007-07-19

It's illegal to even have a keylogger in Germany. Which makes you wonder if it is now illegal to have Notes. ;-)

Volker Weber, 2007-07-19

I know about PR, but 20 minutes is cool ;)

Samuel Adam, 2007-07-19

Not sure I like a public discussion about this kind of topic. Especially because some people add extra ideas to exploit this potential security weakness in clever ways. IBM tried to remove all references to this from all kinds of documentation, and now this is visible for everyone and widely spread. This allows script kiddies to jump on the train ... You should have at least waited until the problem has been fixed. According to the IBM security website this will be fixed in N7.0.3 and N8.0.

See this link for details

http://www.ibm.com/developerworks/lotus/security/

On the other side it is good to know about issues like this if they are really critical. By default everyone should have the mentioned best practices in place to avoid other issues (lock down ECL, disable stored forms, etc ...) so I see no need to make this issue public at this moment.

What security bulletins normally do is to report it in private to the vendor and publish it once a fix is widely available... I don't know the detailed history about reporting this. But Volker has good contacts to IBM to have a good channel to report it. I fully agree with John Head.

What can I say the cat is out of the bag ...

-- Daniel

Daniel Nashed, 2007-07-19

-You should have at least waited until the problem has been fixed. According to the IBM security website this will be fixed in N7.0.3 and N8.0

It really doesn't change anything; if you get the ID file you can get an old client and the problem is still there. As I understand it there is no need for server access (I could be wrong though).

Flemming Riis, 2007-07-19

Flemming and Daniel,

IBM has been properly informed about this issue two weeks ago and has replied with an assessment that the security impact is low. Since IBM thinks there is no problem, why should we?

Volker Weber, 2007-07-19

If someone is going to the trouble of stealing a password, possessing an illegal keylogger should not be a problem. The biggest security hole in my network is that we are forced to Windows :-(

Dennis Ellison, 2007-07-20

Volker,

If you had the response already two weeks ago, you could have worded your posting in a different way and mentioned the background and that IBM already responded. It is arguable how big this problem is and I want to keep out of this discussion. But you could have posted the full story from the beginning and made clear that you and IBM have different opinions about this.

Nobody really posted an idea how to fix this issue yet.

Here is the idea. Ok it is a hack, but it works on all releases and is available today.

Search for the string in nnotes.dll (it occurs only once) and replace the first character with something non-printable. This will not allow anyone to use the parameter anymore. This will also work in Notes 6. This will disable the notes.ini parameter ... This could be done by a patch program or, if someone has just a single Notes release deployed, with a hex editor.

-- Daniel

Daniel Nashed, 2007-07-21

you could have ...

Yes, I could. But to what benefit? It has absolutely nothing to do with the problem at hand. What does it help to say that IBM thinks it's no big deal? The only thing necessary was that people understand what they are exposed to.

IBM has opened an SPR and fixed it in the same day for 7.0.3 and 8.0. I don't think it would be much of a hassle to also fix 6.x, but what do I know. Let's leave it to some big customers sitting on 6 to explain this to IBM.

Instead of you patching a DLL, why not let IBM do it?

Volker Weber, 2007-07-22

There will be a HotFix for earlier versions (like 7.0.2 and 6.0.3) - if a CritSit Manager does not lie. :)

Steffen Pelz, 2007-07-24
