Release Date: 9-Jul-2009

Last Update: –

Vendor Notification Date: 2-Jun-2009

Product: IBM Lotus Instant Messaging and Web Conferencing (Sametime)

Platform: Windows (verified), possibly others

Affected versions: IBM Lotus Instant Messaging and Web Conferencing (Sametime) 6.5.1 (verified), possibly others

Severity Rating: Low

Impact: Exposure of sensitive information

Attack Vector: Remote with authentication

Solution Status: Vendor patch not yet available

CVE reference: Not yet allocated

Details

IBM Lotus Sametime is an enterprise instant messaging and web conferencing application. During an application penetration test Sense of Security identified a user enumeration vulnerability when trying to connect to the Sametime server using the Sametime Connect Client. This occurred as a result of varying response times depending on whether or not a valid user name is supplied.

The client takes significantly longer to display the ‘Invalid logon’ error message when a valid username (and invalid password) is provided (5-8 seconds). This is a result of additional information exchanges occurring between the server and client.

When an invalid username (and password) is supplied, the error is displayed almost instantaneously (1-3 seconds).

This can be used to enumerate valid user names.

Please refer to the PDF version of this advisory  for proof of concept code examples.

Solution

The vendor has advised that IBM is looking to eliminate this behaviour completely in a future release.

Discovered By

Karan Khosla from Sense of Security Labs.