Vulnerabilities > CVE-2015-0135 - Numeric Errors vulnerability in IBM Domino
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
IBM Domino 8.5 before 8.5.3 FP6 IF4 and 9.0 before 9.0.1 FP3 IF2 allows remote attackers to execute arbitrary code or cause a denial of service (integer truncation and application crash) via a crafted GIF image, aka SPR KLYH9T7NT9.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 4 |
Common Weakness Enumeration (CWE)
Nessus
NASL family Windows NASL id LOTUS_DOMINO_9_0_1_FP3_IF2.NASL description The version of IBM Domino (formerly IBM Lotus Domino) installed on the remote host is 9.0.x prior to 9.0.1 Fix Pack 3 (FP3) Interim Fix 2 (IF2). It is, therefore, potentially affected by an integer truncation error when processing GIF files. A remote attacker, using a crafted GIF file, could exploit this to execute arbitrary code or cause a denial of service. last seen 2020-06-01 modified 2020-06-02 plugin id 83116 published 2015-04-28 reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/83116 title IBM Domino 9.0.x < 9.0.1 Fix Pack 3 Interim Fix 2 GIF Code Execution (credentialed check) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(83116); script_version("1.3"); script_cvs_date("Date: 2018/07/14 1:59:37"); script_cve_id("CVE-2015-0135"); script_bugtraq_id(74194); script_name(english:"IBM Domino 9.0.x < 9.0.1 Fix Pack 3 Interim Fix 2 GIF Code Execution (credentialed check)"); script_summary(english:"Checks the version of IBM Domino."); script_set_attribute(attribute:"synopsis", value: "The remote server is affected by a remote code execution vulnerability."); script_set_attribute(attribute:"description", value: "The version of IBM Domino (formerly IBM Lotus Domino) installed on the remote host is 9.0.x prior to 9.0.1 Fix Pack 3 (FP3) Interim Fix 2 (IF2). It is, therefore, potentially affected by an integer truncation error when processing GIF files. A remote attacker, using a crafted GIF file, could exploit this to execute arbitrary code or cause a denial of service."); # Advisory script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21701647"); # Patch script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21657963"); script_set_attribute(attribute:"solution", value:"Upgrade to IBM Domino 9.0.1 FP3 IF2 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/14"); script_set_attribute(attribute:"patch_publication_date", value:"2015/04/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/28"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:lotus_domino"); script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:domino"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc."); script_dependencies("lotus_domino_installed.nasl"); script_require_keys("installed_sw/IBM Domino", "Settings/ParanoidReport"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("install_func.inc"); # Paranoid as special fixes are unknown to us if (report_paranoia < 2) audit(AUDIT_PARANOID); app = "IBM Domino"; fixed_ver = "9.0.13.15078"; installs = get_single_install(app_name:app, exit_if_unknown_ver:TRUE); domino_ver = installs['version']; path = installs['path']; if (domino_ver !~ "^9\.0($|[^0-9])") audit(AUDIT_NOT_INST, app + " 9.0.x"); if (ver_compare(ver:domino_ver, fix:fixed_ver, strict:FALSE) == -1) { port = get_kb_item('SMB/transport'); if (isnull(port)) port = 445; if (report_verbosity > 0) { report = '\n Path : ' + path + '\n Installed Version : ' + domino_ver + '\n Fixed Version : ' + fixed_ver + '\n'; security_hole(port:port, extra:report); } else security_hole(port); exit(0); } else audit(AUDIT_INST_PATH_NOT_VULN, app, domino_ver, path);NASL family Misc. NASL id DOMINO_8_5_3_FP6_IF4.NASL description According to its banner, the version of IBM Domino (formerly IBM Lotus Domino) running on the remote host is 8.5.x prior to 8.5.3 Fix Pack 6 (FP6) Interim Fix 4 (IF4). It is, therefore, potentially affected by an integer truncation error when processing GIF files. A remote attacker, using a crafted GIF file, could exploit this to execute arbitrary code or cause a denial of service. last seen 2020-06-01 modified 2020-06-02 plugin id 83113 published 2015-04-28 reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/83113 title IBM Domino 8.5.x < 8.5.3 Fix Pack 6 Interim Fix 4 GIF Code Execution code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(83113); script_version("1.3"); script_cvs_date("Date: 2018/07/10 14:27:33"); script_cve_id("CVE-2015-0135"); script_bugtraq_id(74194); script_name(english:"IBM Domino 8.5.x < 8.5.3 Fix Pack 6 Interim Fix 4 GIF Code Execution"); script_summary(english:"Checks the version of IBM Domino."); script_set_attribute(attribute:"synopsis", value: "The remote server is affected by a remote code execution vulnerability."); script_set_attribute(attribute:"description", value: "According to its banner, the version of IBM Domino (formerly IBM Lotus Domino) running on the remote host is 8.5.x prior to 8.5.3 Fix Pack 6 (FP6) Interim Fix 4 (IF4). It is, therefore, potentially affected by an integer truncation error when processing GIF files. A remote attacker, using a crafted GIF file, could exploit this to execute arbitrary code or cause a denial of service."); # Advisory script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21701647"); # Patch script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21663874"); script_set_attribute(attribute:"solution", value:"Upgrade to IBM Domino 8.5.3 FP6 IF4 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/14"); script_set_attribute(attribute:"patch_publication_date", value:"2014/11/01"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/28"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:lotus_domino"); script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:domino"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc."); script_dependencies("domino_installed.nasl"); script_require_keys("Domino/Version", "Settings/ParanoidReport"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); # Paranoid as special fixes are unknown to us if (report_paranoia < 2) audit(AUDIT_PARANOID); app_name = "IBM Domino"; ver = get_kb_item_or_exit("Domino/Version"); port = get_kb_item("Domino/Version_provided_by_port"); if (!port) port = 0; version = NULL; fix = NULL; fix_ver = NULL; fix_pack = NULL; hotfix = NULL; # Ensure sufficient granularity if (ver !~ "^(\d+\.){1,}\d+.*$") audit(AUDIT_VER_NOT_GRANULAR, app_name, port, ver); # Only check for 8.5.x versions if (ver =~ "^8\.5($|[^0-9])") { fix = "8.5.3 FP 6 IF 4"; fix_ver = "8.5.3"; fix_pack = 6; hotfix = 1015; # Lowest HF value from http://www-01.ibm.com/support/docview.wss?uid=swg21663874 } else audit(AUDIT_NOT_LISTEN, app_name + ' 8.5.x.x', port); # Breakdown the version into components. version = eregmatch(string:ver, pattern:"^((?:\d+\.){1,}\d+)(?: FP(\d+))?(?: ?HF(\d+))?$"); if (isnull(version)) audit(AUDIT_UNKNOWN_APP_VER, app_name); # Use 0 as a placeholder if no FP or HF. Version number itself was # checked for in the granularity check. if (!version[2]) version[2] = 0; else version[2] = int(version[2]); if (!version[3]) version[3] = 0; else version[3] = int(version[3]); # Compare current to fix and report as needed. if ( ver_compare(ver:version[1], fix:fix_ver, strict:FALSE) == -1 || (ver_compare(ver:version[1], fix:fix_ver, strict:FALSE) == 0 && version[2] < fix_pack) || (ver_compare(ver:version[1], fix:fix_ver, strict:FALSE) == 0 && version[2] == fix_pack && version[3] < hotfix) ) { if (report_verbosity > 0) { report = '\n' + '\n Installed version : ' + ver + '\n Fixed version : ' + fix + '\n'; security_hole(port:port, extra:report); } else security_hole(port); } else audit(AUDIT_LISTEN_NOT_VULN, app_name, port, ver);NASL family Windows NASL id LOTUS_DOMINO_8_5_3_FP6_IF4.NASL description The version of IBM Domino (formerly IBM Lotus Domino) installed on the remote host is 8.5.x prior to 8.5.3 Fix Pack 6 (FP6) Interim Fix 4 (IF4). It is, therefore, potentially affected by an integer truncation error when processing GIF files. A remote attacker, using a crafted GIF file, could exploit this to execute arbitrary code or cause a denial of service. last seen 2020-06-01 modified 2020-06-02 plugin id 83115 published 2015-04-28 reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/83115 title IBM Domino 8.5.x < 8.5.3 Fix Pack 6 Interim Fix 4 GIF Code Execution (credentialed check) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(83115); script_version("1.3"); script_cvs_date("Date: 2018/07/14 1:59:37"); script_cve_id("CVE-2015-0135"); script_bugtraq_id(74194); script_name(english:"IBM Domino 8.5.x < 8.5.3 Fix Pack 6 Interim Fix 4 GIF Code Execution (credentialed check)"); script_summary(english:"Checks the version of IBM Domino."); script_set_attribute(attribute:"synopsis", value: "The remote server is affected by a remote code execution vulnerability."); script_set_attribute(attribute:"description", value: "The version of IBM Domino (formerly IBM Lotus Domino) installed on the remote host is 8.5.x prior to 8.5.3 Fix Pack 6 (FP6) Interim Fix 4 (IF4). It is, therefore, potentially affected by an integer truncation error when processing GIF files. A remote attacker, using a crafted GIF file, could exploit this to execute arbitrary code or cause a denial of service."); # Advisory script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21701647"); # Patch script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21663874"); script_set_attribute(attribute:"solution", value:"Upgrade to IBM Domino 8.5.3 FP6 IF4 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/14"); script_set_attribute(attribute:"patch_publication_date", value:"2014/11/01"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/28"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:lotus_domino"); script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:domino"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc."); script_dependencies("lotus_domino_installed.nasl"); script_require_keys("installed_sw/IBM Domino", "Settings/ParanoidReport"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("install_func.inc"); # Paranoid as special fixes are unknown to us if (report_paranoia < 2) audit(AUDIT_PARANOID); app = "IBM Domino"; fixed_ver = "8.5.36.14304"; installs = get_single_install(app_name:app, exit_if_unknown_ver:TRUE); domino_ver = installs['version']; path = installs['path']; if (domino_ver !~ "^8\.5($|[^0-9])") audit(AUDIT_NOT_INST, app + " 8.5.x"); if (ver_compare(ver:domino_ver, fix:fixed_ver, strict:FALSE) == -1) { port = get_kb_item('SMB/transport'); if (isnull(port)) port = 445; if (report_verbosity > 0) { report = '\n Path : ' + path + '\n Installed Version : ' + domino_ver + '\n Fixed Version : ' + fixed_ver + '\n'; security_hole(port:port, extra:report); } else security_hole(port); exit(0); } else audit(AUDIT_INST_PATH_NOT_VULN, app, domino_ver, path);NASL family Misc. NASL id DOMINO_9_0_1_FP3_IF2.NASL description According to its banner, the version of IBM Domino (formerly IBM Lotus Domino) running on the remote host is 9.0.x prior to 9.0.1 Fix Pack 3 (FP3) Interim Fix 2 (IF2). It is, therefore, potentially affected by an integer truncation error when processing GIF files. A remote attacker, using a crafted GIF file, could exploit this to execute arbitrary code or cause a denial of service. last seen 2020-06-01 modified 2020-06-02 plugin id 83114 published 2015-04-28 reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/83114 title IBM Domino 9.0.x < 9.0.1 Fix Pack 3 Interim Fix 2 GIF Code Execution code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(83114); script_version("1.3"); script_cvs_date("Date: 2018/07/10 14:27:33"); script_cve_id("CVE-2015-0135"); script_bugtraq_id(74194); script_name(english:"IBM Domino 9.0.x < 9.0.1 Fix Pack 3 Interim Fix 2 GIF Code Execution"); script_summary(english:"Checks the version of IBM Domino."); script_set_attribute(attribute:"synopsis", value: "The remote server is affected by a remote code execution vulnerability."); script_set_attribute(attribute:"description", value: "According to its banner, the version of IBM Domino (formerly IBM Lotus Domino) running on the remote host is 9.0.x prior to 9.0.1 Fix Pack 3 (FP3) Interim Fix 2 (IF2). It is, therefore, potentially affected by an integer truncation error when processing GIF files. A remote attacker, using a crafted GIF file, could exploit this to execute arbitrary code or cause a denial of service."); # Advisory script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21701647"); # Patch script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21657963"); script_set_attribute(attribute:"solution", value:"Upgrade to IBM Domino 9.0.1 FP3 IF2 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/14"); script_set_attribute(attribute:"patch_publication_date", value:"2015/04/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/28"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:lotus_domino"); script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:domino"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc."); script_dependencies("domino_installed.nasl"); script_require_keys("Domino/Version", "Settings/ParanoidReport"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); # Paranoid as special fixes are unknown to us if (report_paranoia < 2) audit(AUDIT_PARANOID); app_name = "IBM Domino"; ver = get_kb_item_or_exit("Domino/Version"); port = get_kb_item("Domino/Version_provided_by_port"); if (!port) port = 0; version = NULL; fix = NULL; fix_ver = NULL; fix_pack = NULL; hotfix = NULL; # Ensure sufficient granularity if (ver !~ "^(\d+\.){1,}\d+.*$") audit(AUDIT_VER_NOT_GRANULAR, app_name, port, ver); # Only check for 9.0.0.x / 9.0.1.x versions if (ver =~ "^9\.0\.[01]($|[^0-9])") { fix = "9.0.1 FP 3 IF 2"; fix_ver = "9.0.1"; fix_pack = 3; hotfix = 236; # Lowest HF value from http://www-01.ibm.com/support/docview.wss?uid=swg21657963 } else audit(AUDIT_NOT_LISTEN, app_name + ' 9.0.0.x / 9.0.1.x', port); # Breakdown the version into components. version = eregmatch(string:ver, pattern:"^((?:\d+\.){1,}\d+)(?: FP(\d+))?(?: ?HF(\d+))?$"); if (isnull(version)) audit(AUDIT_UNKNOWN_APP_VER, app_name); # Use 0 as a placeholder if no FP or HF. Version number itself was # checked for in the granularity check. if (!version[2]) version[2] = 0; else version[2] = int(version[2]); if (!version[3]) version[3] = 0; else version[3] = int(version[3]); # Compare current to fix and report as needed. if ( ver_compare(ver:version[1], fix:fix_ver, strict:FALSE) == -1 || (ver_compare(ver:version[1], fix:fix_ver, strict:FALSE) == 0 && version[2] < fix_pack) || (ver_compare(ver:version[1], fix:fix_ver, strict:FALSE) == 0 && version[2] == fix_pack && version[3] < hotfix) ) { if (report_verbosity > 0) { report = '\n' + '\n Installed version : ' + ver + '\n Fixed version : ' + fix + '\n'; security_hole(port:port, extra:report); } else security_hole(port); } else audit(AUDIT_LISTEN_NOT_VULN, app_name, port, ver);