Passwords are written to a file on the client computer in clear text if the following notes.ini variables are set:
KFM_ShowEntropy=1
Debug_Outfile=c:\pwdchange.txt
and the user then changes his password.
This is a debugging function that made it into the production code of the Notes client.
Risks:
If
1. the attacker
- has write access to the user's notes.ini, or
- sends him a Notes-internal email with some appropriate code and the user executes it, or
- writes or modifies a Notes application so that notes.ini is changed, and the user executes it,
and
2. the user restarts the Notes client,
and
3. he changes his password,
and
4. the attacker has access to the created file and to the user's ID file,
then he can authenticate as this user against the Domino server.
Defense:
- Since Notes 6, notes.ini variables can be distributed by Policies and Desktop settings. This should be done now as a precaution.
- IBM has announced that the KFM_ShowEntropy variable will be removed from the next versions 7.0.3 and 8.0 of Notes.
- Basically, only the user himself should have access to his ID file.
- The ECL (Execution Control List) should be set reasonably, and users should know that the corresponding warning dialog is there for a reason. Signing Notes applications with a special ID can help reduce false alarms as far as possible.
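As an added check (example code, not from the original post and not an IBM tool): a small Python audit that parses a notes.ini and flags the KFM_ShowEntropy / Debug_Outfile combination described above, so the setting can be found on clients before a password change writes the password out. It assumes notes.ini is plain KEY=VALUE text and that keys match case-insensitively.

```python
from typing import Dict, List


def parse_notes_ini(text: str) -> Dict[str, str]:
    """Parse notes.ini-style KEY=VALUE lines into a dict.

    Keys are matched case-insensitively and a later duplicate key
    overrides an earlier one (both assumptions about notes.ini).
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue  # blank lines and non-assignments are ignored
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def audit_notes_ini(text: str) -> List[str]:
    """Return findings for the password-exposure combination from the post."""
    s = parse_notes_ini(text)
    entropy_on = s.get("kfm_showentropy", "0") == "1"
    outfile = s.get("debug_outfile", "")
    findings: List[str] = []
    if entropy_on and outfile:
        # Both variables present: the next password change lands in the file in clear text.
        findings.append("CRITICAL: KFM_ShowEntropy=1 and Debug_Outfile=%s; "
                        "the next password change is written there in clear text" % outfile)
    elif entropy_on:
        findings.append("WARNING: KFM_ShowEntropy=1 is set; remove it")
    elif outfile:
        findings.append("INFO: Debug_Outfile=%s is set; debug output goes to disk" % outfile)
    return findings


# Constructed notes.ini fragment for the demo, not a capture from a real client.
SAMPLE_INI = """Directory=c:\\notes\\data
KitType=1
KFM_ShowEntropy=1
Debug_Outfile=c:\\pwdchange.txt
"""

if __name__ == "__main__":
    import sys
    # Usage: python audit_notes_ini.py [path-to-notes.ini]; defaults to the sample.
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_INI
    for finding in audit_notes_ini(text):
        print(finding)
```

Run it against each client's notes.ini (for example from a logon script) and treat any CRITICAL finding as a reason to remove the variables and have the user change his password again afterwards.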
Personal annotation: Forced periodic password changes are no longer only risky because users tend to choose easy passwords or write them down...
Sources:
- Huge security hole in Notes (by Volker Weber)
- Password exposure in Lotus Notes
- Response to 'Password exposure in Lotus Notes'