_____________________________________________________
                    The U.S. Department of Energy
                Computer Incident Advisory Capability
                        ___  __ __    _     ___
                       /       |     /_\   /
                       \___  __|__  /   \  \___
_____________________________________________________

                          Information Bulletin

                 Lotus cc:Mail Security Upgrade Available

March 7, 1994 900 PST                                           Number E-11
______________________________________________________________________________

PROBLEM:   Passwords are vulnerable on local hard drives
PLATFORM:  Lotus cc:Mail Windows 2.0 and 2.01
DAMAGE:    Accounts could be compromised if another person is allowed access
           to a cc:Mail user's personal computer
SOLUTION:  Retrieve and install cc:Mail 2.02 for Windows, then have all users
           change their passwords.
______________________________________________________________________________

           Critical Information about Lotus CCMAIL Security Upgrade

CIAC has received information from Lotus regarding a vulnerability in cc:Mail
for Windows. Under certain circumstances, the user's password can be viewed on
their local hard drive. This vulnerability exists only in cc:Mail Windows 2.0
and 2.01.

To correct the problem, a software upgrade, cc:Mail for Windows 2.02, has been
made available. This upgrade is contained in the file WINFIX.ZIP. WINFIX.ZIP
can be downloaded from three sources: anonymous ftp, CompuServe, or the Lotus
cc:Mail BBS.

The file is available via anonymous ftp from ftp.ccmail.com in the
/pub/windows directory. On the anonymous ftp server, WINFIX.ZIP is dated
Feb 19 00:53 and is 279803 bytes long.

In CompuServe, perform the following commands:

   a. Enter the Lotus forum by typing GO LOTUSC from any CompuServe prompt.
   b. Enter Section 10 when prompted for which section.
   c. From within Section 10, select "Download" and download the file
      WINFIX.ZIP.

The Lotus cc:Mail BBS is available to everyone via modem. The telephone number
is (415) 691-0401. Your modem setting should be: 8 data bits, No Parity,
1 stop bit. Once connected, go to the "File Area" by typing "F". Select the
download option and download the file WINFIX.ZIP. On the BBS, WINFIX.ZIP is
279803 bytes long and is dated 2/18/94 at 2:02a.

After unzipping WINFIX.ZIP, the following files are available:

   ccmail.exe     628656 bytes
   readme.now       1062 bytes

Your next step is to install this upgrade. Change to the directory (which is
likely to be m:\ccmail) that contains the old version of ccmail.exe. Rename
the old copy of ccmail.exe to ccmail.old, and then copy the new ccmail.exe to
the directory.

If cc:Mail for Windows has been installed on a network, the system
administrator only needs to change the network copy of ccmail.exe. If cc:Mail
for Windows has been installed locally, ccmail.exe must be installed in the
proper directory of every workstation.

After installation of ccmail.exe, all users should change their password.
______________________________________________________________________________

CIAC would like to thank Lally Thomas and Gary Schuppert of CDSI for bringing
this problem to our attention.
______________________________________________________________________________

For additional information or assistance, please contact CIAC:

   Voice:    (510) 422-8193
   FAX:      (510) 423-8002
   STU-III:  (510) 423-2604
   E-mail:   ciac@llnl.gov

Previous CIAC Bulletins and other information are available via anonymous FTP
from irbis.llnl.gov (IP address 128.115.19.60).
______________________________________________________________________________

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents. Your agency's team
will coordinate with CIAC. The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization. A list of FIRST member organizations and
their constituencies can be obtained by sending email to docserver@first.org
with an empty subject line and a message body containing the line:
send first-contacts.
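The bulletin gives an administrator two concrete checks before and during the install: the downloaded WINFIX.ZIP must be 279803 bytes, and the old ccmail.exe must be kept as ccmail.old before the new one is copied in. The following POSIX shell script is an added example written for this page, not code from CIAC or Lotus; it assumes the network copy is being updated from a file server path of the administrator's choosing (the bulletin's m:\ccmail is a DOS drive letter and is not used here), and it refuses to overwrite an existing ccmail.old so that a repeated run cannot destroy the only backup.

```shell
#!/bin/sh
# Added example (not from the CIAC bulletin): verify the downloaded
# WINFIX.ZIP against the size the bulletin states, then install the new
# ccmail.exe the way the bulletin describes: rename the old copy to
# ccmail.old, then copy the new executable into place.
# All file paths are assumptions supplied by the caller.

EXPECTED_SIZE=279803   # size of WINFIX.ZIP as stated in the bulletin

# file_size FILE -> prints the byte count (wc -c, whitespace stripped)
file_size() {
    wc -c < "$1" | tr -d ' \t\n'
}

# check_size FILE EXPECTED -> 0 if FILE is exactly EXPECTED bytes, else 1
check_size() {
    f=$1; want=$2
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    got=$(file_size "$f")
    if [ "$got" -ne "$want" ]; then
        echo "size mismatch for $f: got $got, expected $want" >&2
        return 1
    fi
    return 0
}

# install_ccmail NEW_EXE INSTALL_DIR
# Backs up INSTALL_DIR/ccmail.exe to ccmail.old, then copies NEW_EXE in.
# Refuses to proceed if ccmail.old already exists, so a second run cannot
# clobber the backup of the original executable.
install_ccmail() {
    new=$1; dir=$2
    [ -f "$new" ] || { echo "missing new executable: $new" >&2; return 1; }
    [ -d "$dir" ] || { echo "missing install directory: $dir" >&2; return 1; }
    if [ -f "$dir/ccmail.exe" ]; then
        if [ -e "$dir/ccmail.old" ]; then
            echo "ccmail.old already exists in $dir; not overwriting backup" >&2
            return 1
        fi
        mv "$dir/ccmail.exe" "$dir/ccmail.old" || return 1
    fi
    cp "$new" "$dir/ccmail.exe" || return 1
    echo "installed $new into $dir; previous copy kept as ccmail.old"
    return 0
}
```

Typical use is `check_size /path/to/WINFIX.ZIP "$EXPECTED_SIZE" && install_ccmail /path/to/ccmail.exe /path/to/ccmail`, after which the bulletin's final step still applies: every user changes their password. A byte-count match is a weak integrity check compared with a cryptographic hash, but it is the only verification data the bulletin provides, so the script checks what can be checked.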
This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately owned
rights. Reference herein to any specific commercial products, process, or
service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government nor the University of California, and shall not
be used for advertising or product endorsement purposes.
______________________________________________________________________________