NASIRC BULLETIN # 94-05                                  March 10, 1994

Password Vulnerability in Lotus cc:Mail for Windows
===========================================================
       NASA Automated Systems Incident Response Capability
===========================================================

NASIRC recently received notification of security vulnerabilities in
Lotus cc:Mail for Windows (versions 2.0 and 2.01) which could make
users' passwords readable on their local hard drive. This could lead
to accounts being compromised if another person is allowed access to
a cc:Mail user's personal computer. This problem is fixed in version
2.02 of Lotus cc:Mail for Windows.

ACQUIRING THE FIX:

Lotus has made the cc:Mail v2.02 upgrade file, called WINFIX.ZIP,
available on-line through a variety of methods: anonymous ftp, the
Lotus cc:Mail BBS, and CompuServe.

Via anonymous FTP, the file is available from ftp.ccmail.com in the
/pub/windows directory. On the anonymous ftp server, WINFIX.ZIP is
dated Feb 19 00:53 and is 279803 bytes long.

The Lotus cc:Mail BBS is available to everyone. The phone number is
1-415-691-0401 (8 data bits, no parity, 1 stop bit). Once you have
connected, go to the "File Area" by typing "F". Select the download
option and download the file WINFIX.ZIP. On the BBS, WINFIX.ZIP is
279803 bytes long and is dated 2/18/94 at 2:02a.

In CompuServe, enter the Lotus Forum by typing GO LOTUSC from any
CompuServe prompt, then enter Section 10 when prompted for which
section. From within Section 10, select "Download" and download the
file WINFIX.ZIP.

INSTALLING THE FIX:

After WINFIX.ZIP is unzipped, the following files become available:
ccmail.exe (628,656 bytes) and readme.now (1,062 bytes). The next
step is to install the upgrade.

First, move into the directory that contains the old version of
ccmail.exe (this directory is likely to be m:\ccmail). RENAME the old
copy of ccmail.exe to ccmail.old, and then copy the new v2.02
ccmail.exe into the directory.

If cc:Mail for Windows has been installed on a network, the system
administrator only needs to change the network copy of ccmail.exe. If
cc:Mail for Windows has been installed locally, ccmail.exe must be
installed in the proper directory of every workstation.

Once installation of the new v2.02 ccmail.exe has been completed, all
users should change their password.

NASIRC will continue to monitor the situation and will post
additional information as it becomes available. If you have any
questions about this bulletin, please contact NASIRC at any of the
venues listed below.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
NASIRC ACKNOWLEDGES: Karyn Pichnarczyk and the U.S. Department of
Energy's Computer Incident Advisory Capability (CIAC) for forwarding
this information in a rapid and timely manner.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

===============================================================
For further assistance, please contact the NASIRC Helpdesk:
    Phone:                   1-800-7-NASIRC
    Fax:                     1-301-441-1853
    Internet Email:          nasirc@nasa.gov
    24 Hour/Emergency Pager: 1-800-759-7243/Pin:2023056
    STU III:                 1-301-982-5480
===============================================================

This bulletin may be forwarded without restriction to sites and
system administrators within the NASA community.

The NASIRC online archive system is available via anonymous ftp.
Just ftp to nasirc.nasa.gov and login as anonymous. You will be
required to enter your valid e-mail address. Once there you can
access the following information:

    /toolkits   ! contains automated toolkit software
    /bulletins  ! contains NASIRC bulletins

Information maintained in these directories is updated on a
continuous basis with relevant software and information. Contact the
NASIRC Helpdesk for more information or assistance with tool kits or
security measures.

-----------------
PLEASE NOTE: Users outside of the NASA community may receive NASIRC
bulletins. If you are not part of the NASA community, please contact
your agency's response team to report incidents. Your agency's team
will coordinate with NASIRC, who will ensure the proper internal NASA
team(s) are notified.

NASIRC is a member of the Forum of Incident Response and Security
Teams (FIRST), a world-wide organization which provides for
coordination between incident response teams in handling
computer-security-related issues. You can obtain a list of FIRST
member organizations and their constituencies by sending email to
docserver@first.org with an empty "subject" line and a message body
containing the line "send first-contacts".
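The INSTALLING THE FIX procedure above (rename the old ccmail.exe to ccmail.old, copy in the v2.02 ccmail.exe, and check the new file against the size the bulletin publishes), as an added Python example that is not code from the bulletin or from Lotus. The install directory, the refusal to overwrite an existing ccmail.old, the constructed sample files and the return values are assumptions of this example.

```python
import os
import shutil
import tempfile

# Sizes the bulletin publishes for the fix. A size check only catches a
# truncated or wrong download; the bulletin gives no hash to verify against.
EXPECTED_SIZES = {"WINFIX.ZIP": 279803, "ccmail.exe": 628656}

def check_size(path, name):
    """True if the file on disk has the size the bulletin publishes for name."""
    return os.path.getsize(path) == EXPECTED_SIZES[name]

def install_fix(install_dir, new_exe):
    """Bulletin steps in install_dir (e.g. m:\\ccmail): rename the old
    ccmail.exe to ccmail.old, then copy the v2.02 ccmail.exe in.
    Returns 'installed', 'bad-size', 'missing-old' or 'backup-exists'."""
    old = os.path.join(install_dir, "ccmail.exe")
    backup = os.path.join(install_dir, "ccmail.old")
    if not check_size(new_exe, "ccmail.exe"):
        return "bad-size"        # wrong or truncated download; touch nothing
    if not os.path.isfile(old):
        return "missing-old"     # not a cc:Mail directory; touch nothing
    if os.path.exists(backup):
        return "backup-exists"   # never clobber the saved original
    os.rename(old, backup)
    shutil.copy2(new_exe, old)
    return "installed"

def run_demo():
    """Run install_fix on constructed files (sample data, not a real cc:Mail
    install) in a throwaway directory and return the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        install_dir = os.path.join(tmp, "ccmail")
        os.mkdir(install_dir)
        old = os.path.join(install_dir, "ccmail.exe")
        with open(old, "wb") as f:
            f.write(b"OLD-2.01")
        good = os.path.join(tmp, "ccmail_v202.exe")
        with open(good, "wb") as f:
            f.write(b"\0" * EXPECTED_SIZES["ccmail.exe"])
        short = os.path.join(tmp, "truncated.exe")
        with open(short, "wb") as f:
            f.write(b"\0" * 1000)
        results = {"truncated": install_fix(install_dir, short),
                   "first": install_fix(install_dir, good),
                   "second": install_fix(install_dir, good)}
        with open(os.path.join(install_dir, "ccmail.old"), "rb") as f:
            results["backup_intact"] = f.read() == b"OLD-2.01"
        results["new_size_ok"] = check_size(old, "ccmail.exe")
        return results
```

On a networked install only the shared copy needs this treatment; on local installs it must be repeated in each workstation's cc:Mail directory, and users should change their password afterwards as the bulletin says.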