Sense of Security – Security Advisory – SOS-09-004
Release Date: 09-Jul-2009
Last Update: 09-Jul-2009
Vendor Notification Date: 20-Jul-2009
Product: Lotus Sametime
Platform: Windows (verified), possibly others.
Affected versions: IBM Lotus Instant Messaging and Web Conferencing (Sametime) 6.5.1 (verified), possibly others.
Severity Rating: Low
Impact: Exposure of sensitive information
Attack Vector: Remote without authentication
Solution Status: Vendor patch not yet available
CVE reference: CVE-Not yet assigned
Details.
IBM Lotus Sametime is an enterprise instant messaging and web conferencing application. During an application penetration test, Sense of Security identified a user enumeration vulnerability when connecting to the Sametime server with the Sametime Connect Client. The server's response time varies depending on whether or not the supplied user name is valid.
The client takes significantly longer to display the ‘Invalid logon’ error message when a valid username (and an invalid password) is provided (5-8 seconds). This is a result of additional information exchanges occurring between the server and client before the logon is rejected.
When an invalid username (and password) is supplied, the error is displayed almost instantaneously (1-3 seconds).
This timing difference can be used to enumerate valid user names.
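The following is an added example, not code from the advisory or from IBM: a Python simulation of the side channel described above (a logon path that short-circuits for unknown users before doing the expensive work) beside a handler that does the same work for every attempt and pads the response to a fixed floor. The user store, the PBKDF2 password hashing and the MIN_RESPONSE floor are constructed for the demo.

```python
import hashlib
import hmac
import os
import statistics
import time

# Constructed credential store for the demo: username -> (salt, PBKDF2 hash).
# Verification is deliberately expensive, as password checking normally is,
# so it dominates the response time just as the extra exchanges do in Sametime.
ITERATIONS = 50_000

def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _pbkdf2("correct horse", _SALT))}
# Dummy record verified when the user does not exist, so the failure path
# costs the same as a real verification (the value never matches a real user).
_DUMMY = (os.urandom(16), _pbkdf2("placeholder", _SALT))

def vulnerable_login(username: str, password: str) -> bool:
    """Leaks existence: unknown users fail before any expensive work."""
    record = USERS.get(username)
    if record is None:
        return False                                   # fast path (1-3 s in the advisory)
    salt, stored = record
    return hmac.compare_digest(_pbkdf2(password, salt), stored)   # slow path (5-8 s)

MIN_RESPONSE = 0.05   # seconds; constructed floor applied to every attempt

def hardened_login(username: str, password: str) -> bool:
    """Same result, but the work done does not depend on whether the user exists."""
    start = time.perf_counter()
    salt, stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_pbkdf2(password, salt), stored) and username in USERS
    # Pad to a fixed floor so residual differences (lookups, extra round trips)
    # are also hidden from a remote observer.
    time.sleep(max(0.0, MIN_RESPONSE - (time.perf_counter() - start)))
    return ok

def timing_ratio(login, valid_user="alice", unknown_user="mallory", runs=5) -> float:
    """Median time of a valid-user/bad-password attempt divided by the median
    time of an unknown-user attempt; about 1.0 means no enumeration signal."""
    def measure(user):
        samples = []
        for _ in range(runs):
            t0 = time.perf_counter()
            login(user, "wrong password")
            samples.append(time.perf_counter() - t0)
        return statistics.median(samples)
    return measure(valid_user) / measure(unknown_user)

if __name__ == "__main__":
    print(f"vulnerable ratio: {timing_ratio(vulnerable_login):.1f}x")
    print(f"hardened ratio:   {timing_ratio(hardened_login):.2f}x")
```

The vulnerable handler shows a ratio in the hundreds or more, because the unknown-user path returns before hashing; the hardened handler stays close to 1.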
Solution.
The vendor has advised that IBM is looking to eliminate this behaviour completely in a future release.
Discovered.
Karan Khosla from SOS Labs.