Sense of Security – Security Advisory – SOS-09-004
| Release Date. | 09-Jul-2009 |
| Last Update. | 09-Jul-2009 |
| Vendor Notification Date. | 20-Jul-2009 |
| Product. | Lotus Sametime |
| Platform. | Windows (verified), possibly others. |
| Affected versions. | IBM Lotus Instant Messaging and Web Conferencing (Sametime) 6.5.1 (verified), possibly others. |
| Severity Rating. | Low |
| Impact. | Exposure of sensitive information |
| Attack Vector. | Remote without authentication |
| Solution Status. | Vendor patch not yet available |
| CVE reference. | CVE-Not yet assigned |
Details.
IBM Lotus Sametime is an enterprise instant messaging and web conferencing application. During an application penetration test Sense of Security identified a user enumeration vulnerability when trying to connect to the Sametime server using the Sametime Connect Client. This occurred as a result of varying response times depending on whether or not a valid user name is supplied.
The client takes significantly longer to display the ‘Invalid logon’ error message when a valid username (and invalid password) is provided (5-8 seconds). This is a result of additional information exchanges occurring between the server and client.
When an invalid username (and password) is supplied, the error is displayed almost instantaneously (1-3 seconds).
This can be used to enumerate valid user names.
Solution.
The vendor has advised that IBM is looking to eliminate this behaviour completely in a future release.
Discovered.
Karan Khosla from SOS Labs.