
CERT/CC issues vulnerability advisory for ‘Equation Group’ exploit targeting IBM Lotus Domino

The CERT Coordination Center (CERT/CC) at Carnegie Mellon University has issued an advisory for a vulnerability in IBM Domino servers that is the target of an exploit referenced in the Shadow Brokers' latest unauthorized release of alleged U.S. National Security Agency (NSA) hacking tools.

According to the CERT/CC, Domino's IMAP (Internet Message Access Protocol) server contains a stack-based buffer overflow in its handling of the EXAMINE command: an overlong mailbox name supplied as the command's argument overruns a buffer on the stack, which lets an authenticated attacker remotely execute arbitrary code on the server. The documentation the Shadow Brokers leaked on Friday refers to this exploit as EMPHASISMINE.
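The mechanism the CERT/CC describes, modelled in C as an added example (this is illustrative code, not IBM Domino's implementation, and the buffer size, function names and the "TAG EXAMINE <mailbox>" line format are assumptions): an EXAMINE handler that copies the mailbox-name argument into a fixed-size stack buffer without checking its length, beside a version that rejects names that do not fit.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Illustrative model of the bug class in the advisory, not Domino's code.
 * MAILBOX_CAP, the function names and the "TAG EXAMINE <mailbox>" line
 * format are assumptions made for the example. */
#define MAILBOX_CAP 64          /* assumed size of the on-stack mailbox buffer */

/* Locate the argument of "TAG EXAMINE <mailbox>"; NULL if not an EXAMINE. */
static const char *examine_argument(const char *line)
{
    const char *p = strchr(line, ' ');          /* skip the client tag */
    if (!p) return NULL;
    p++;
    if (strncasecmp(p, "EXAMINE ", 8) != 0) return NULL;
    return p + 8;
}

/* VULNERABLE pattern: the attacker-chosen name is copied with no bound.
 * A name of MAILBOX_CAP bytes or more writes past the buffer into the rest
 * of the stack frame (saved registers, return address). Never call this
 * with an untrusted or overlong name; it is here only for contrast.
 * Returns the name length, or -1 for a non-EXAMINE line. */
int handle_examine_unchecked(const char *line)
{
    char mailbox[MAILBOX_CAP];
    const char *arg = examine_argument(line);
    if (!arg) return -1;
    strcpy(mailbox, arg);                       /* no length check */
    return (int)strlen(mailbox);
}

/* HARDENED: check the length against the buffer before copying and reject
 * what does not fit (the server would answer "TAG BAD ..."). Returns the
 * name length, -1 for a non-EXAMINE line, -2 for an overlong name. */
int handle_examine_checked(const char *line)
{
    char mailbox[MAILBOX_CAP];
    const char *arg = examine_argument(line);
    if (!arg) return -1;
    size_t n = strlen(arg);
    if (n >= MAILBOX_CAP) return -2;            /* leave room for the NUL */
    memcpy(mailbox, arg, n + 1);
    return (int)n;
}

/* Constructed input for the demo: an EXAMINE line whose mailbox name is n
 * 'A's, fed to the hardened handler only. Returns -3 if n is too large to
 * build. */
int checked_result_for_name_length(size_t n)
{
    char line[1024];
    const char prefix[] = "a001 EXAMINE ";
    const size_t plen = sizeof prefix - 1;
    if (n + plen + 1 > sizeof line) return -3;
    memcpy(line, prefix, plen);
    memset(line + plen, 'A', n);
    line[plen + n] = '\0';
    return handle_examine_checked(line);
}

int main(void)
{
    printf("checked   INBOX    -> %d\n", handle_examine_checked("a001 EXAMINE INBOX"));
    printf("checked   63-byte  -> %d\n", checked_result_for_name_length(63));
    printf("checked   200-byte -> %d (rejected)\n", checked_result_for_name_length(200));
    printf("unchecked INBOX    -> %d (a 200-byte name here would smash the stack)\n",
           handle_examine_unchecked("a001 EXAMINE INBOX"));
    return 0;
}
```

One caveat for anyone writing the real check: IMAP (RFC 3501) also lets a client send the mailbox name as a literal, `{n}` followed by n bytes on the next line, so the bound has to be enforced against the announced literal size before the server reads the data, not only against atoms and quoted strings on the command line. The unchecked handler above is exercised only with "INBOX"; feeding it the 200-byte name is the overflow itself.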

Authentication is a precondition because IMAP accepts EXAMINE only in the authenticated state, that is, after the client has completed LOGIN or AUTHENTICATE. Once past that step, the advisory warns, the bug is easy to exploit: "Note that at least one library used by Domino does not opt in to using ASLR [address space layout randomization], which makes exploitation trivial on modern Windows platforms."
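The ASLR point is something a practitioner can check directly: a Windows image opts in to ASLR when it is linked with /DYNAMICBASE, which sets the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE bit (0x0040) in the DllCharacteristics field of the PE optional header. The following is an added example, not Domino code and not from the advisory: a small PE header parser that reports that bit, run here against a header constructed in memory. Offsets follow the PE/COFF specification; the function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example: does a PE image opt in to ASLR (/DYNAMICBASE)? Only the
 * headers are parsed. Not Domino code; the sample image is constructed. */
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE   0x0040
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT      0x0100

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Store the optional header's DllCharacteristics in *out. Returns 0 on
 * success, -1 if the buffer is not a well-formed PE32/PE32+ header. */
int pe_dll_characteristics(const uint8_t *img, size_t len, uint16_t *out)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe = rd32(img + 0x3c);                 /* e_lfanew */
    if (pe > len || len - pe < 4 + 20 + 72) return -1;
    if (memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    const uint8_t *coff = img + pe + 4;             /* COFF file header, 20 bytes */
    uint16_t opt_size = rd16(coff + 16);            /* SizeOfOptionalHeader */
    const uint8_t *opt = coff + 20;                 /* optional header */
    uint16_t magic = rd16(opt);                     /* 0x10b PE32, 0x20b PE32+ */
    if (opt_size < 72 || (magic != 0x10b && magic != 0x20b)) return -1;
    *out = rd16(opt + 70);                          /* DllCharacteristics, same offset in both */
    return 0;
}

/* 1 if the image is linked with /DYNAMICBASE, 0 if not, -1 if malformed. */
int pe_opts_in_to_aslr(const uint8_t *img, size_t len)
{
    uint16_t dc;
    if (pe_dll_characteristics(img, len, &dc) != 0) return -1;
    return (dc & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) ? 1 : 0;
}

/* Constructed sample: a minimal PE32 header with the given DllCharacteristics.
 * Only the fields the parser reads are filled in. Returns the image size, or
 * 0 if buf is too small. */
size_t build_sample_pe(uint8_t *buf, size_t cap, uint16_t dllchars)
{
    const uint32_t pe_off = 0x40;
    if (cap < 0x100) return 0;
    memset(buf, 0, 0x100);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3c] = (uint8_t)pe_off;                    /* e_lfanew */
    memcpy(buf + pe_off, "PE\0\0", 4);
    uint8_t *coff = buf + pe_off + 4;
    coff[0] = 0x4c; coff[1] = 0x01;                 /* Machine: IMAGE_FILE_MACHINE_I386 */
    coff[16] = 224; coff[17] = 0;                   /* SizeOfOptionalHeader for PE32 */
    uint8_t *opt = coff + 20;
    opt[0] = 0x0b; opt[1] = 0x01;                   /* Magic: PE32 */
    opt[70] = (uint8_t)(dllchars & 0xff);
    opt[71] = (uint8_t)(dllchars >> 8);
    return 0x100;
}

/* Build a sample with the given flags and classify it (1 / 0 / -1). */
int sample_opts_in_to_aslr(uint16_t dllchars)
{
    uint8_t img[0x100];
    size_t n = build_sample_pe(img, sizeof img, dllchars);
    return pe_opts_in_to_aslr(img, n);
}

int main(int argc, char **argv)
{
    printf("sample with DYNAMIC_BASE:    %d\n",
           sample_opts_in_to_aslr(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE));
    printf("sample with NX_COMPAT only:  %d\n",
           sample_opts_in_to_aslr(IMAGE_DLLCHARACTERISTICS_NX_COMPAT));
    if (argc > 1) {                                 /* optional: check a real DLL/EXE */
        static uint8_t file[1 << 16];               /* headers sit in the first 64 KiB */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        size_t got = fread(file, 1, sizeof file, f);
        fclose(f);
        printf("%s: %d\n", argv[1], pe_opts_in_to_aslr(file, got));
    }
    return 0;
}
```

Run against each module in the Domino installation directory to find the ones that return 0; on Windows, `dumpbin /headers` reports the same bit as "Dynamic base" under "DLL characteristics". A library without the bit loads at its preferred base every time, which is what makes the advisory's "trivial" remark true, and it is the case EMET's Mandatory ASLR mitigation addresses by forcing relocation of images that were linked without it.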

The CERT/CC said it has confirmed that EMPHASISMINE affects Domino (formerly Lotus Domino) versions 9.0.1 FP8 and earlier; the Shadow Brokers' own documentation, by contrast, lists the affected versions as 6.6.4 to 8.5.2.

The CERT/CC, which operates out of Carnegie Mellon's Software Engineering Institute, says it is not aware of a practical solution that fixes the vulnerability. As a workaround it suggests Microsoft's Enhanced Mitigation Experience Toolkit (EMET) to help prevent exploitation by EMPHASISMINE.

IBM on Tuesday issued the following statement: "A vulnerability in the IBM Domino server IMAP EXAMINE command potentially could be exploited on Windows 32-bit platforms while authenticated as a legitimate user and could result in a stack buffer overflow. This could allow a remote attacker to execute code with the privileges of the Domino server. Current 64-bit platforms leverage ASLR (Address Space Layout Randomization) which dramatically reduces the probability of rogue code execution (Windows 32-bit platform versions are not prevalent in Domino Server deployments). IBM has determined that IBM Domino Server versions 8.5 and greater running IMAP are affected and, as described above, could potentially be exploited if running on Windows 32 bit platforms. For clients not using IMAP, IBM recommends the IMAP service be disabled as a temporary fix. IBM will be issuing permanent fixes for all affected versions as soon as possible. Versions older than 8.5.x are out of support. Please actively monitor both the IBM PSIRT Blog and IBM Support Portal for fix availability and additional information..."

UPDATE APRIL 19, 2017: The story was updated to include a statement from IBM.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
