Vulnerabilities > CVE-2013-0534 - Credentials Management vulnerability in IBM Lotus Sametime and Sametime
Attack vector: LOCAL
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: NONE
Availability impact: NONE
Summary
The Connect client in IBM Sametime 8.5.1, 8.5.1.1, 8.5.1.2, 8.5.2, and 8.5.2.1, as used in the Lotus Notes client and separately, might allow local users to obtain sensitive information by leveraging the persistence of cleartext password strings within process memory.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 10 |
Common Weakness Enumeration (CWE)
Nessus
NASL family Windows
NASL id LOTUS_NOTES_SWG21636154.NASL
description The remote host has a version of Lotus Notes 8.5.x earlier than 8.5.3 Fix Pack 4 Interim Fix 2 or 9.0 earlier than Interim Fix 2. As such, it is potentially affected by an information disclosure vulnerability. IBM Notes may fail to zero the plaintext password within memory, leaving the plaintext password accessible to an attacker with the ability to access memory on the user
last seen 2020-06-01
modified 2020-06-02
plugin id 66942
published 2013-06-20
reporter This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/66942
title IBM Notes 8.5 < 8.5.3 IF4 HF2 / 9.0 < 9.0 IF2 Password Disclosure
code
#
# (C) Tenable Network Security, Inc.
#

# Purpose: flag IBM Notes installs whose build predates the CVE-2013-0534 fix.
# The result is inferred from the installed version and, for the two boundary
# builds, from the timestamp of notes.exe. The script never looks at process
# memory, so a finding means "unpatched build", not "password observed in
# memory". That matches the "potentially affected" wording in the description.

include("compat.inc");

# Registration block: declares the plugin's identity, references, CVSS vectors
# and prerequisites, then exits without running any check.
if (description)
{
  script_id(66942);
  script_version("1.9");
  script_cvs_date("Date: 2018/07/14 1:59:37");

  script_cve_id("CVE-2013-0534");
  script_bugtraq_id(60536);

  script_name(english:"IBM Notes 8.5 < 8.5.3 IF4 HF2 / 9.0 < 9.0 IF2 Password Disclosure");
  script_summary(english:"Checks version of IBM Notes");

  script_set_attribute(attribute:"synopsis", value: "The remote host has software installed that is affected by an information disclosure vulnerability.");
  script_set_attribute(attribute:"description", value: "The remote host has a version of Lotus Notes 8.5.x earlier than 8.5.3 Fix Pack 4 Interim Fix 2 or 9.0 earlier than Interim Fix 2. As such, it is potentially affected by an information disclosure vulnerability. 
IBM Notes may fail to zero the plaintext password within memory, leaving the plaintext password accessible to an attacker with the ability to access memory on the user's local workstation.");
  script_set_attribute(attribute:"solution", value: "Upgrade to IBM Notes 8.5.3 FP4 Interim Fix 2 / 9.0 Interim Fix 2 or later.");

  # CVSS v2 base vector: local access, medium complexity, no authentication,
  # partial confidentiality impact only.
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # https://www.ibm.com/blogs/psirt/security-bulletin-ibm-notes-may-fail-to-zero-the-plaintext-password-within-memory-cve-2013-0534/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9823bbd2");
  script_set_attribute(attribute:"see_also", value:"https://www-304.ibm.com/support/docview.wss?uid=swg21636154");

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/06/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/06/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/06/20");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:lotus_notes");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");

  # Prerequisites: the install-detection plugin, its KB key, and the SMB ports.
  script_dependencies("lotus_notes_installed.nasl");
  script_require_keys("SMB/Lotus_Notes/Installed");
  script_require_ports(139, 445);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("smb_func.inc");
include("smb_hotfixes_fcheck.inc");

appname = 'IBM Lotus Notes';
kb_base = 'SMB/Lotus_Notes/';

# Installed version, install path and display version come from the scan
# knowledge base (presumably written by lotus_notes_installed.nasl, confirm).
version = get_kb_item_or_exit(kb_base + 'Version');
path = get_kb_item_or_exit(kb_base + 'Path');
ver_ui = get_kb_item_or_exit(kb_base + 'Version_UI');

# SMB target and the scan's SMB credentials, also taken from the knowledge base.
name = kb_smb_name();
port = kb_smb_transport();
login = kb_smb_login();
pass = kb_smb_password();
domain = kb_smb_domain();

# Try to connect to the server
if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');

# Drop a trailing backslash from the install path, then map it to a share name.
path = ereg_replace(pattern:"^(.+)\\$", replace:"\1", string:path);
share = hotfix_path2share(path:path);

# The share is mounted before any version comparison, so even a clearly old
# version is only reported when the scan credentials can reach this share.
# Otherwise the outcome is a share-access audit failure, not a finding.
rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if (rc != 1)
{
  # Release the connection before reporting the failure.
  NetUseDel();
  audit(AUDIT_SHARE_FAIL, share);
}

vuln = FALSE;
fixver = '';

# Step 1: version alone decides for builds strictly below the fixed build
# number of each branch (8.5.x and 9.x).
if (version =~ '^8\\.5\\.' && ver_compare(ver:version, fix:'8.5.34.13086') < 0)
{
  vuln = TRUE;
  fixver = '8.5.34.13086';
}
else if (version =~ '^9\\.' && ver_compare(ver:version, fix:'9.0.0.13067') < 0)
{
  vuln = TRUE;
  fixver = '9.0.0.13067';
}

fixtimestamp = '';
if (!vuln)
{
  # Step 2: for the two boundary builds the version number does not change
  # with the fix, so the notes.exe timestamp is compared instead.
  # Builds newer than these two are treated as not affected without this check.
  # If the version is FP4 or 9.0, we have to check the timestamp
  if (version == '8.5.34.13086' || version == '9.0.0.13067')
  {
    # Turn the "X:\..." install path into a share-relative path to notes.exe.
    exe = ereg_replace(pattern:'^[A-Za-z]:(.*)', replace:"\1\notes.exe", string:path);
    # Read-only open of the existing file; nothing is written to the target.
    fh = CreateFile(
      file:exe,
      desired_access:GENERIC_READ,
      file_attributes:FILE_ATTRIBUTE_NORMAL,
      share_mode:FILE_SHARE_READ,
      create_disposition:OPEN_EXISTING
    );
    if (isnull(fh))
    {
      NetUseDel();
      audit(AUDIT_VER_FAIL, exe);
    }
    ret = GetFileVersionEx(handle:fh);
    CloseFile(handle:fh);
    if (!isnull(ret))
    {
      timestamp = ret['dwTimeDateStamp'];
    }
    # timestamp stays unset when GetFileVersionEx returned nothing, which
    # this null check also catches.
    if (isnull(timestamp))
    {
      NetUseDel();
      exit(1, 'Failed to get the timestamp of ' + path + "\notes.exe");
    }

    # NOTE(review): the thresholds are presumably Unix epoch seconds for the
    # fixed builds (both fall in March 2013 if so). Confirm against the
    # vendor bulletin.
    if (version =~ '^8\\.' && int(timestamp) < 1364459259)
    {
      fixtimestamp = '1364459259';
      vuln = TRUE;
    }
    else if (version =~ '^9\\.' && int(timestamp) < 1362817062)
    {
      fixtimestamp = '1362817062';
      vuln = TRUE;
    }
  }
}
# Done with the share on every path that reaches this point.
NetUseDel();

if (vuln)
{
  if (report_verbosity > 0)
  {
    report =
      '\n Path : ' + path +
      '\n Installed version : ' + version;
    # Show whichever evidence decided the finding: file timestamp or version.
    if (fixtimestamp)
    {
      report +=
        '\n File : ' + path + "\notes.exe" +
        '\n File Timestamp : ' + timestamp +
        '\n Fixed Timestamp : ' + fixtimestamp + '\n';
    }
    else
    {
      report +=
        '\n Fixed version : ' + fixver + '\n';
    }
    security_note(port:port, extra:report);
  }
  else security_note(port);
  exit(0);
}
else audit(AUDIT_INST_PATH_NOT_VULN, appname, ver_ui, path);
NASL family Windows
NASL id LOTUS_SAMETIME_CONNECT_SWG21635218.NASL
description The version of IBM Lotus Sametime Connect installed on the remote Windows host is potentially affected by an information disclosure vulnerability. A flaw in the application causes client passwords to be stored in the clear on the client
last seen 2020-06-01
modified 2020-06-02
plugin id 70260
published 2013-10-01
reporter This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/70260
title IBM Lotus Sametime Connect Client Password Disclosure
code
#
# (C) Tenable Network Security, Inc.
#

# Purpose: flag Sametime Connect 8.5.1 / 8.5.2 clients that lack the fix pack
# for CVE-2013-0534. The decision uses only values already stored in the scan
# knowledge base (version, path, fix pack date). This script opens no
# connection of its own and does not inspect client memory, so a finding means
# "fix pack not recorded as applied".

include("compat.inc");

# Registration block: declares the plugin's identity, references, CVSS vectors
# and prerequisites, then exits without running any check.
if (description)
{
  script_id(70260);
  script_version("1.3");
  script_cvs_date("Date: 2018/07/14 1:59:37");

  script_cve_id("CVE-2013-0534");
  script_bugtraq_id(60536);

  script_name(english:"IBM Lotus Sametime Connect Client Password Disclosure");
  script_summary(english:"Checks version of IBM Lotus Sametime Connect Client");

  script_set_attribute(attribute:"synopsis", value: "The remote Windows host has a chat client installed that is affected by an information disclosure vulnerability.");
  script_set_attribute(attribute:"description", value: "The version of IBM Lotus Sametime Connect installed on the remote Windows host is potentially affected by an information disclosure vulnerability. 
A flaw in the application causes client passwords to be stored in the clear on the client's memory.");
  script_set_attribute(attribute:"see_also", value:"https://www-304.ibm.com/support/docview.wss?uid=swg21635218");
  script_set_attribute(attribute:"solution", value:"Apply the patch referenced in the advisory.");

  # CVSS v2 base vector: local access, medium complexity, no authentication,
  # partial confidentiality impact only.
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/06/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/06/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/10/01");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:lotus_sametime");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");

  # Prerequisites: the install-detection plugin and the KB keys it is expected
  # to provide.
  script_dependencies("lotus_sametime_connect_installed.nasl");
  script_require_keys("SMB/IBM Lotus Sametime Client/Path", "SMB/IBM Lotus Sametime Client/Version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

# Version and path are mandatory. The fix pack date is optional and may be null.
version = get_kb_item_or_exit('SMB/IBM Lotus Sametime Client/Version');
path = get_kb_item_or_exit('SMB/IBM Lotus Sametime Client/Path');
fixpackdate = get_kb_item('SMB/IBM Lotus Sametime Client/fixpackdate');

# 8.5.1 and 8.5.2 are affected
vuln = FALSE;
# Fix pack date threshold, compared below as an integer in YYYYMMDD form.
fixdate = 20130616;

# NOTE(review): the pattern needs a non-digit character after "8.5.1" or
# "8.5.2", so a version string that ends right there would not match and
# would be reported as not affected. Confirm the format the detection plugin
# stores.
if (version =~ '^8\\.5\\.[12][^0-9]')
{
  # Check the fixpack timestamp
  # No recorded fix pack date is treated as "no fix pack applied".
  if (isnull(fixpackdate)) vuln = TRUE;
  else
  {
    # Keep only the digits before the "-NNNN" suffix.
    # NOTE(review): a value that does not match "<digits>-<digits>" is
    # presumably passed through unchanged to int(). Confirm how that case
    # should be handled.
    fixpackdate = ereg_replace(pattern:'^([0-9]+)-[0-9]+$', replace:"\1", string:fixpackdate);
    if (int(fixpackdate) < fixdate) vuln = TRUE;
  }

  if (vuln)
  {
    # Report against the SMB transport port from the KB, or 445 when unset.
    port = get_kb_item('SMB/transport');
    if (!port) port = 445;

    if (report_verbosity > 0)
    {
      report =
        '\n Path : ' + path +
        '\n Installed version : ' + version;
      if (fixpackdate)
      {
        # The fixed date in this message is a literal that repeats fixdate,
        # so the two must be kept in sync by hand.
        report +=
          '\n Installed Fix Pack date : ' + fixpackdate +
          '\n Fixed Fix Pack date : 20130616\n';
      }
      else report += '\n No Fix Packs have been applied.\n';
      security_note(port:port, extra:report);
    }
    else security_note(port);
    exit(0);
  }
}
# Reached for versions outside 8.5.1 / 8.5.2 and for installs whose fix pack
# date is at or after the threshold.
audit(AUDIT_INST_PATH_NOT_VULN, 'IBM Lotus Sametime Connect', version, path);