{"vuid":"VU#5962","idnumber":"5962","name":"Notes default ECL allows execution of unsigned code","keywords":["Lotus Notes","postopen","ECL","signed forms","signed subforms","stored form"],"overview":"Lotus Notes prior to version 5.02 had permissive ECLs that allow for the execution of malicious code carried in mail messages.","clean_desc":"A Notes ECL is a list consisting of a Notes Username and a set of permissions from the following list (for Notes 4.6.x): Access to file system\nAccess to current database\nAccess to Non-notes databases\nAccess to external code\nAccess to external programs\nAbility to send mail\nAbility to read other databases\nAbility to modify other databases\nAbility to export data\nAccess to Workstation Security ECL\nFor example, an ECL might \"look like\" the following: {Shawn Hernan : Access to file system, Ability to Send Mail} {Cory Cohen : Access to file system, Ability to export data} ECLs are used to control the level of access that Notes Forms, LotusScripts, and Notes Agents have to the local workstation. In the example above, programs (i.e., forms, scripts, or agents) written by Shawn would have access to the file system and the ability to send mail. Programs written by Cory would not be able to send mail, but they could export data. (Notes prompts the user for instructions when a program violates the ECL.) Authorship is determined by cryptographically strong signatures on the programmatic objects. It is possible to attach a program to a Notes Form; the program will be triggered when certain events occur. For example, you could attach a program to a Notes form that displays a welcome message immediately after the form is opened (the so-called \"PostOpen\" event). Further, it is possible to mail forms, including the attached program(s), from one user to another, or to a database. The abilities and permissions of the programs attached to the form depend on the ECL for the user opening the form. 
Finally, the default ECLs for Notes are very permissive. In fact, the defaults allow any program, regardless of authorship, all 11 permissions. This level of access can be leveraged to run arbitrary code with the privileges of the user. Combining all these attributes, and assuming the default configuration for ECLs, we believe it is possible for an intruder to mail a malicious program to a Notes user in such a way that the program will be executed when the user opens the mail. In such a scenario, the user would not have to click on any attachments, nor would they be presented with a dialog that would give them a chance to prevent the code from running. Although this behavior is well documented, it is likely that many installations have accepted the default, permissive configuration. In the wake of the Melissa and ExploreZip viruses, it is easy to imagine a similarly destructive virus being launched against Notes users. Additionally, because Notes mail supports strong encryption, it may be difficult or impossible to apply a general-purpose central filtering system to 'screen out' malicious Notes programs.","impact":"Attackers can cause victims to execute arbitrary code simply by sending them a mail message. The message need only be opened by an appropriate victim.","resolution":"","workarounds":"The following procedure must be followed for each certifier [or identifier] used on each Notes desktop. This procedure must be repeated per user.id file per desktop. 
Start Notes and, for each .id file available, do the following: Select File -> Tools -> Switch ID \nSelect an .id file \nClick the Open button; a dialog will prompt for the passphrase for this identifier \nSelect File -> Tools -> User Preferences \nClick the \"Security Options\" button, and the \"Workstation Security: ECL\" dialog appears \nChoose -Default- \nUncheck all of the checkboxes to the right \nChoose -No Signature- \nUncheck all of the checkboxes to the right \nClick the \"Add\" button, and the \"Add User\" dialog appears \nClick the little blue man button, and the \"Names\" dialog appears \nSelect the appropriate address book \nSelect any developers who write code used on your systems, and click the Add button \nClick the Ok button to dismiss the \"Names\" dialog \nFor each authorized developer that you added, set the ECL appropriately \nClick the Ok button to dismiss the \"Workstation Security: ECL\" dialog. Note that even if you do not use Notes for electronic mail, the same situation applies to any database that can receive mail. 
It may be possible to automate this procedure via LotusScript.","sysaffected":"","thanks":"Our thanks to a contributor wishing to remain anonymous and Kevin O'Brien of Neon Systems Inc for their contributions to this document.","author":"This document was written by Shawn V Hernan.","public":["http://www.notes.net/R5FixList.nsf/Search!SearchView&Query=CBAT45TU9S","http://listserv.okstate.edu/CGI/WA.EXE?A2=ind9708&L=domino-l&P=R5936","http://www.securityfocus.com/bid/2358","http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0891","http://www.notes.net/today.nsf/f01245ebfc115aaf8525661a006b86b9/3a9da544637a69b2852568310078b649?OpenDocument"],"cveids":["CVE-2000-0891"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"1999-06-30T18:04:17Z","publicdate":"1997-08-15T00:00:00Z","datefirstpublished":"2000-09-26T15:00:42Z","dateupdated":"2001-06-26T03:46:50Z","revision":7,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"17","cam_population":"16","cam_impact":"19","cam_easeofexploitation":"15","cam_attackeraccessrequired":"20","cam_scorecurrent":"54.72","cam_scorecurrentwidelyknown":"63.27","cam_scorecurrentwidelyknownexploited":"97.47","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":54.72,"vulnote":null}