IBM Lotus Product IPS Signatures Summary

IBM Lotus series products were very popular years ago, and they are still some clients' favorite now. The products include Domino Web Server, Notes, Sametime Server/Client and so on.

Although the products are very useful to most of the clients, there are a lot of vulnerabilities in the products. For example, there was a HTTP Header Accept-Language Buffer Overflow vulnerability in IBM Lotus Domino Server products. Whenever a relatively long string following the Accept-Language header is sent to the server running products with the vulnerabilities, the stack buffer of the program will be overwritten, and the stack return addresses or exception handlers will be modified accordingly. This may allow an attack to inject and execute the malicious code.

SonicWALL UTM Research Team has spent quite long time researching and developing signatures for these vulnerabilities, and we are still doing the research continuously. Now we have 36 signatures related to these vulnerabilities, and they are listed below:

1044 IBM Lotus Sametime Server Multiplexer BO 1
1045 IBM Lotus Sametime Server Multiplexer BO 2
1393 IBM Lotus Domino Web Access (inotes6W.dll) ActiveX Control BO Exploit
1397 IBM Lotus Domino Web Access (dwa7W.dll) ActiveX Control BO PoC
1401 IBM Lotus Domino Web Access (dwa7W.dll) ActiveX Control BO Exploit
1555 IBM Lotus Notes DOC Attachment Viewer BO PoC
1560 IBM Lotus Notes MIF Attachment Viewer BO Attempt 1
1561 IBM Lotus Notes MIF Attachment Viewer BO Attempt 2
1562 IBM Lotus Notes MIF Attachment Viewer BO Attempt 3
1563 IBM Lotus Notes MIF Attachment Viewer BO Attempt 4
1566 IBM Lotus Notes MIF Attachment Viewer BO Attempt 5
1567 IBM Lotus Notes MIF Attachment Viewer BO Attempt 6
1568 IBM Lotus Notes HTML Message Handling BO PoC 1
1582 IBM Lotus Notes HTML Message Handling BO PoC 2
2015 IBM Lotus Expeditor cai URI Handler Command Execution Attempt 1
2016 IBM Lotus Expeditor cai URI Handler Command Execution Attempt 2
2017 IBM Lotus Expeditor cai URI Handler Command Execution Attempt 3
2026 IBM Lotus Expeditor cai URI Handler Command Execution Attempt 4
3121 Lotus Domino Server 7.0 Denial of Service
4025 IBM Lotus Domino LDAP Server Memory Exception PoC
4026 IBM Lotus Notes HTML Speed Reader Long URL BO Attempt
4327 IBM Lotus Notes UUE File Handling BO PoC
4351 IBM Lotus Domino LDAP Invalid DN BO PoC
4352 IBM Lotus Domino LDAP Invalid DN BO PoC 2
4436 IBM Lotus Domino Web Access Message Handling DoS
4438 IBM Lotus Domino Web Service DoS PoC
4439 IBM Lotus Notes Cross Site Scripting PoC
4463 Lotus Notes URI Handler Argument Injection PoC
4563 IBM Lotus Notes Cross Site Scripting PoC 2
4666 IBM Lotus Domino Web Access (dwa7W.dll) ActiveX Control BO Exploit 2
4779 IBM Lotus Domino Web Access (inotes6W.dll) ActiveX Control BO Exploit 2
4940 IBM Lotus Notes Applix Graphics Parsing BO PoC
4984 IBM Lotus Notes WPD Attachment BO PoC
5027 IBM Lotus Domino Web Server HTTP Header BO PoC
5157 IBM Lotus 1-2-3 Work Sheet File Viewer BO PoC
5192 IBM Lotus Domino Accept-Language BO

These signatures have well protected the SonicWALL clients from being attacked, and the following statistics show last 2 months of attack attempts blocked by SonicWALL.

Share This Article

An Article By

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.