
Clear text passwords...

by Thomas,
assono GmbH, Kiel office


Passwords are written in clear text to a file on the client computer if the following notes.ini variables are set:

KFM_ShowEntropy=1
Debug_Outfile=c:\pwdchange.txt


and the user changes his password.


This is a debugging function that made it into the production code of the Notes client.


Risks:
1. If the attacker

  • has write access to the user's notes.ini, or
  • sends the user a Notes-internal e-mail containing suitable code and the user executes it, or
  • writes or modifies a Notes application so that it changes the notes.ini, and the user runs it,

and

2. the user restarts the Notes client (notes.ini is read at startup),

and

3. the user changes his password,

and

4. the attacker gets hold of both the created file and the user's ID file,

then

the attacker can authenticate as this user against the Domino server. Both pieces are needed: Notes authentication relies on the private key stored in the ID file, and the password only unlocks that file.


Defense:

  • Since Notes 6, notes.ini variables can be distributed by policies (Desktop Settings). As a precaution, this should be done now.
  • IBM has announced that the KFM_ShowEntropy variable will be removed from the next Notes versions, 7.0.3 and 8.0.
  • In principle, only the user himself should have access to his ID file.
  • The ECL (Execution Control List) should be set sensibly, and users should understand that the corresponding warning dialog is there for a reason. Signing Notes applications with a dedicated ID helps to reduce false alarms as far as possible.
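
The attack chain above starts with the two notes.ini lines, and the first defensive step is to find and remove them before the next password change. The following Python script is an added example (not code from the article, from assono, or from IBM): it parses a notes.ini, classifies the KFM_ShowEntropy / Debug_Outfile combination, strips both keys, and reports whether the Debug_Outfile already exists on disk (the artefact the attacker collects in step 4). The sample notes.ini contents are constructed for the example; the KEY=VALUE format, case-insensitive keys, and treating any KFM_ShowEntropy value other than 0 as enabled are assumptions.

```python
"""Audit a Notes client's notes.ini for the KFM_ShowEntropy / Debug_Outfile
password-dump combination. Added example; assumptions are marked below."""
import os
import sys

# Constructed sample of a notes.ini that an attacker has tampered with.
TAMPERED_INI = """\
[Notes]
Directory=C:\\notes\\data
KeyFilename=user.id
KFM_ShowEntropy=1
Debug_Outfile=c:\\pwdchange.txt
"""

# Constructed sample of an untouched notes.ini.
CLEAN_INI = """\
[Notes]
Directory=C:\\notes\\data
KeyFilename=user.id
"""

# The two settings that together cause the clear-text password write.
DANGEROUS_KEYS = ("kfm_showentropy", "debug_outfile")


def parse_notes_ini(text):
    """Return {key_lower: value} for every KEY=VALUE line.

    Section headers ([Notes]), blank lines and lines without '=' are skipped.
    Keys are lower-cased (assumption: notes.ini keys are case-insensitive).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def audit(settings):
    """Return (severity, message) for parsed settings.

    "critical": both keys active, the next password change is written in
    clear text; "warning": only one of them present; "ok": neither present.
    """
    # Assumption: any value other than 0 enables the debug output.
    entropy_on = settings.get("kfm_showentropy", "0") != "0"
    outfile = settings.get("debug_outfile", "")
    if entropy_on and outfile:
        return ("critical", "KFM_ShowEntropy with Debug_Outfile=%s: the next "
                            "password change is logged in clear text" % outfile)
    if entropy_on:
        return ("warning", "KFM_ShowEntropy is set; remove it")
    if outfile:
        return ("warning", "Debug_Outfile=%s is set; inspect that file and "
                           "remove the setting" % outfile)
    return ("ok", "no debug password settings present")


def remediate(text):
    """Return (cleaned_text, removed_keys): the ini with both keys dropped.

    All other lines are kept byte-for-byte so the client still starts.
    """
    kept, removed = [], []
    for raw in text.splitlines():
        key = raw.partition("=")[0].strip().lower()
        if "=" in raw and key in DANGEROUS_KEYS:
            removed.append(key)
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n", removed


def dump_file_present(settings):
    """Return the Debug_Outfile path if that file exists on this machine.

    An existing file may already hold a password and must be securely deleted
    after the keys are removed and the password has been changed again.
    """
    outfile = settings.get("debug_outfile", "")
    return outfile if outfile and os.path.isfile(outfile) else None


def audit_file(path):
    """Parse and audit a real notes.ini on disk; returns ((sev, msg), dump)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        settings = parse_notes_ini(fh.read())
    return audit(settings), dump_file_present(settings)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        (severity, message), dump = audit_file(sys.argv[1])
    else:
        settings = parse_notes_ini(TAMPERED_INI)
        severity, message = audit(settings)
        dump = dump_file_present(settings)
    print("[%s] %s" % (severity.upper(), message))
    if dump:
        print("password dump file present: %s" % dump)
```

Run it as `python audit_notes_ini.py <path to notes.ini>` on a client; without an argument it audits the constructed tampered sample. The remediation deliberately removes the keys rather than setting them to 0, so a later policy-distributed notes.ini cannot be confused by a leftover value.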

Personal annotation: Forced periodic password changes are no longer risky only because users tend to choose easy passwords or write them down...


Sources:

Huge security hole in Notes (by Volker Weber)

Password exposure in Lotus Notes

Response to 'Password exposure in Lotus Notes'
