Lotus Domino is "a client/server product designed for collaborative working environments. Domino is designed for e-mail, scheduling, instant messaging and data driven applications". There is a vulnerability in the way memory mapped files are used under Windows. As a result, when the Lotus Notes client is used in a Microsoft Terminal Services or Citrix environment, users can read each other's Lotus Notes session data, including items such as e-mail. The vulnerability also affects the server product.
The vulnerability arises from the mechanism used for Inter-Process Communication (IPC) between NLNOTES and NTASKLDR. IPC is performed via memory mapped files. When the files are created, a NULL is passed to the ACL parameter, resulting in EVERYONE being granted 'full-control'.
As a result, an attacker can read the contents of any user's Lotus Notes session when the client is deployed in shared-user environments such as Terminal Services or Citrix. The accessible data ranges from e-mail through to databases and associated Lotus Script.
It should be noted that this vulnerability could also be used to write to the memory mapped files, so an attacker could potentially inject active content such as Lotus Script.
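An added example, not part of the original advisory or the vendor's code: a Python check that takes the SDDL string of a section (memory mapped file) object's security descriptor, as dumped by an object-inspection tool, and flags a NULL DACL or an allow ACE for a principal that covers every user on a shared host. The function names, sample descriptors, object names and SIDs are constructed for illustration.

```python
import re

# Access-mask bits that expose a section's contents (values from winnt.h).
SECTION_MAP_WRITE, SECTION_MAP_READ = 0x2, 0x4
GENERIC = {"GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000}
# SDDL names for principals that cover every user on a shared host.
BROAD = {"WD": "Everyone", "S-1-1-0": "Everyone", "AU": "Authenticated Users",
         "IU": "Interactive", "BU": "Builtin Users"}

def rights_mask(field):
    """Turn an SDDL rights field ('GRGW' or '0xf001f') into an access mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= GENERIC.get(field[i:i + 2], 0)  # other aliases are ignored here
    return mask

def audit_section_sddl(sddl):
    """Return findings for one section object's security descriptor string."""
    m = re.search(r"D:([A-Z_]*)((?:\([^)]*\))*)", sddl)
    if m is None:
        return ["no DACL in string: review manually"]
    if "NO_ACCESS_CONTROL" in m.group(1):  # SDDL rendering of a NULL DACL
        return ["NULL DACL: Everyone has full control"]
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(2)):
        parts = ace.split(";")
        # Only plain allow ACEs are checked; deny ACEs are not evaluated.
        if len(parts) < 6 or parts[0] != "A" or parts[5] not in BROAD:
            continue
        mask, modes = rights_mask(parts[2]), []
        if mask & (SECTION_MAP_READ | GENERIC["GR"] | GENERIC["GA"]):
            modes.append("read")
        if mask & (SECTION_MAP_WRITE | GENERIC["GW"] | GENERIC["GA"]):
            modes.append("write")
        if modes:
            findings.append(f"{BROAD[parts[5]]}: {'+'.join(modes)}")
    return findings

# Constructed descriptors; object names and SIDs are placeholders.
SAMPLES = {
    "ipc-null-dacl": "O:BAG:SYD:NO_ACCESS_CONTROL",
    "ipc-everyone": "O:BAG:SYD:(A;;0xf001f;;;WD)(A;;GA;;;SY)",
    "ipc-owner-only": "O:BAG:SYD:P(A;;GA;;;SY)(A;;0xf001f;;;S-1-5-21-1-2-3-1001)",
}

if __name__ == "__main__":
    for name, sddl in SAMPLES.items():
        print(name, audit_section_sddl(sddl) or "ok")
```

An empty result means no broad principal can map the section for reading or writing; the owner-only sample shows the shape a per-user IPC mapping should have on a multi-user host.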
Vendor Response:
* Fixed for the Notes client with 6.5.6, 7.0.3 and 8.0
* Fixed for the Domino server with 6.5.5 FP3, 6.5.6, 7.0.2 FP1, 7.0.3, 8.0