The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of IBM Lotus Notes

weakness alert CVE-2017-17688 CVE-2017-17689

Outlook Gpg4win, Thunderbird Enigmail: PGP and S/MIME decryption

Synthesis of the vulnerability

An attacker can use Outlook Gpg4win or Thunderbird Enigmail, in order to obtain sensitive information.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 14/05/2018.
Revision date: 14/05/2018.
Identifiers: CERTFR-2018-ALE-007, CVE-2017-17688, CVE-2017-17689, DSA-4244-1, FEDORA-2018-1f651350de, FEDORA-2018-25525a9346, FEDORA-2018-6020628437, FEDORA-2018-73e30969a4, FEDORA-2018-77fe2e20ad, FEDORA-2018-e6ee09fc50, openSUSE-SU-2018:1329-1, openSUSE-SU-2018:1330-1, openSUSE-SU-2018:1347-1, openSUSE-SU-2018:1392-1, openSUSE-SU-2018:1393-1, openSUSE-SU-2018:1451-1, openSUSE-SU-2018:1454-1, SSA:2018-191-01, VIGILANCE-VUL-26123, VU#122919.

Description of the vulnerability

Plugins can be installed to automatically decrypt received emails encrypted with PGP or S/MIME:
 - Apple Mail: GPGTools
 - IBM Notes: PGP Lotus Notes Plug-In
 - Outlook: Gpg4win
 - Thunderbird: Enigmail
 - etc.

However, an attacker who holds an encrypted email can abuse these plugins to get it decrypted, for example by using an image in an HTML email.

An attacker can therefore use Outlook Gpg4win or Thunderbird Enigmail, in order to obtain sensitive information.

computer vulnerability note CVE-2018-1437

IBM Notes: executing DLL code via System Diagnostics

Synthesis of the vulnerability

An attacker can create a malicious System Diagnostics DLL, and then put it in the current directory of IBM Notes, in order to execute code.
Severity: 2/4.
Creation date: 09/03/2018.
Identifiers: 2014201, CVE-2018-1437, VIGILANCE-VUL-25510.

Description of the vulnerability

The IBM Notes product uses external shared libraries (DLL).

However, if the working directory contains a malicious System Diagnostics DLL, it is automatically loaded.

An attacker can therefore create a malicious System Diagnostics DLL, and then put it in the current directory of IBM Notes, in order to execute code.

security threat CVE-2018-1435

IBM Notes: executing DLL code

Synthesis of the vulnerability

An attacker can create a malicious DLL, and then put it in the current directory of IBM Notes, in order to execute code.
Severity: 2/4.
Creation date: 09/03/2018.
Identifiers: 2014198, CVE-2018-1435, VIGILANCE-VUL-25509.

Description of the vulnerability

The IBM Notes product uses external shared libraries (DLL).

However, if the working directory contains a malicious DLL, it is automatically loaded.

An attacker can therefore create a malicious DLL, and then put it in the current directory of IBM Notes, in order to execute code.

computer threat announce CVE-2017-1720 CVE-2018-1409 CVE-2018-1410

IBM Notes: privilege escalation

Synthesis of the vulnerability

An attacker can bypass restrictions of IBM Notes, in order to escalate their privileges.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 4.
Creation date: 09/02/2018.
Revision date: 14/02/2018.
Identifiers: 2010767, 2010777, CVE-2017-1720, CVE-2018-1409, CVE-2018-1410, CVE-2018-1411, VIGILANCE-VUL-25264.


vulnerability bulletin CVE-2017-1714

IBM Notes: privilege escalation via NSD

Synthesis of the vulnerability

An attacker can bypass restrictions via NSD in IBM Notes, in order to escalate their privileges.
Severity: 3/4.
Creation date: 09/02/2018.
Identifiers: 2010767, 2010777, CVE-2017-1714, VIGILANCE-VUL-25263.


computer weakness alert CVE-2017-1711

IBM Notes: executing DLL code via Smart Update

Synthesis of the vulnerability

A local attacker can create a malicious DLL, and then put it in the temporary folder of IBM Notes, in order to make Smart Update run it.
Severity: 2/4.
Creation date: 09/02/2018.
Identifiers: 2010775, CVE-2017-1711, VIGILANCE-VUL-25262.


security weakness 24664

Mail client: sender spoofing via Mailsploit

Synthesis of the vulnerability

An attacker can send an email with a special From header, which is truncated by some mail clients, in order to deceive the victim.
Severity: 3/4.
Creation date: 06/12/2017.
Identifiers: CERTFR-2017-ALE-019, Mailsploit, MFSA-2017-30, Synology-SA-17:82, VIGILANCE-VUL-24664.

Description of the vulnerability

Messaging clients interpret the From header to display the sender name.

However, by using Base64 or Quoted-Printable encoding together with '\0' or '\n' characters, an attacker can force the displayed email address to be truncated.

An attacker can therefore send an email with a special From header, which is truncated by some mail clients, in order to deceive the victim.

security threat CVE-2017-1130

IBM Notes: denial of service via Many File Select Dialog

Synthesis of the vulnerability

An attacker can generate a fatal error via Many File Select Dialog of IBM Notes, in order to trigger a denial of service.
Severity: 2/4.
Creation date: 01/09/2017.
Revision date: 08/11/2017.
Identifiers: 1999384, CVE-2017-1130, VIGILANCE-VUL-23705.


computer threat note CVE-2017-3736

OpenSSL: Man-in-the-Middle via bn_sqrx8x_internal

Synthesis of the vulnerability

An attacker can act as a Man-in-the-Middle and use a carry error in bn_sqrx8x_internal() of OpenSSL, in order to read or write data in the session.
Severity: 1/4.
Creation date: 02/11/2017.
Identifiers: 2012827, 2013025, 2014202, 2014651, 2014669, 2015080, bulletinapr2018, bulletinjan2018, CERTFR-2017-AVI-391, cpuapr2018, cpuapr2019, cpujan2018, cpujan2019, cpujul2018, cpujul2019, cpuoct2018, CVE-2017-3736, DSA-4017-1, DSA-4018-1, FEDORA-2017-4cf72e2c11, FEDORA-2017-512a6c5aae, FEDORA-2017-55a3247cfd, FEDORA-2017-7f30914972, FEDORA-2017-dbec196dd8, FreeBSD-SA-17:11.openssl, ibm10715641, ibm10719113, ibm10732391, ibm10733905, ibm10738249, ibm10738401, JSA10851, K14363514, openSUSE-SU-2017:3192-1, openSUSE-SU-2018:0029-1, openSUSE-SU-2018:0315-1, RHSA-2018:0998-01, RHSA-2018:2568-01, RHSA-2018:2575-01, SA157, SB10211, SB10220, SSA:2017-306-02, STORM-2017-006, SUSE-SU-2018:2839-1, SUSE-SU-2018:3082-1, TNS-2017-15, USN-3475-1, VIGILANCE-VUL-24316.


computer vulnerability note CVE-2017-1129

IBM Notes: denial of service via Malicious Link

Synthesis of the vulnerability

An attacker can generate a fatal error via Malicious Link of IBM Notes, in order to trigger a denial of service.
Severity: 2/4.
Creation date: 01/09/2017.
Identifiers: 1999385, CVE-2017-1129, VIGILANCE-VUL-23706.
