01 Sep 1999
Lotus Notes Domino Server 4.6 users are leaving themselves wide open to denial of service attacks, according to security firm ISS.
ISS issued an advisory notice last week, saying that an overflow problem in the Notes LDAP (NLDAP) service could allow even inexperienced crackers, using off-the-shelf software, to crash servers, bringing email and other Domino services to a standstill.
Hackers could sever vital communications links with ease, said Kevin Black, ISS sales director.
His advice to anyone using 4.6 was to immediately upgrade to version 4.6.6 or 5.0, which does not contain the security flaw. "The response we have had to this notice shows there is a considerable user base still using 4.6, which is worried about this problem," he said.
But Michael Chapman Pincher, head of operations at the User Group, an association for groupware professionals, said Lotus had a good security history and the ISS notice was one of the first warnings he had seen for Domino.
He argued that the LDAP problem would not affect many companies as most had already gone through the relatively simple process of upgrading their Domino servers. "Most hackers attack corporates because they make a better story, but large companies are generally the first to upgrade," he said.
According to ISS, the overflow is related to the way NLDAP handles the ldap_search request. By sending a large amount of data to the parameter in the request, an attacker could stop all Domino services on the affected machine.
www.lotus.com
www.iss.net