Reference: CERT-EU Security Advisory 2011-0020
IBM Lotus Mobile Connect CVE-2011-4465 Cross Site Scripting Vulnerability [1]

Version history:
23.11.2011 Initial publication

Summary
=======

IBM Lotus Mobile Connect is prone to a cross-site scripting vulnerability. Fixes are available. [2]

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

CVE-2011-4465 (Candidate)

Severity Level [3]: CVSS2 Base 5.8
Remote: Yes
Local: No
Credibility: Vendor Confirmed
Ease: Exploit Available
Authentication: Not Required

Potential impact
================

A successful exploit may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

1. An attacker scans for and locates a site running the affected application.
2. The attacker crafts a URI that includes malicious script code to leverage this issue.
3. The attacker uses email or other means to distribute the malicious link and entices an unsuspecting user to follow it.
4. When the user follows the link, the attacker-specified script code runs in their browser in the context of the affected site.

To exploit this issue, an attacker must entice an unsuspecting user to follow a malicious URL.

Vulnerable Systems
==================

IBM Lotus Mobile Connect 6.1.4

What can you do?
================

Solutions:
Fixes are available [2].

Work-arounds:
Block external access at the network boundary, unless external parties require service. Filter access to the affected computer at the network boundary if global access isn't needed. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.

Run all software as a nonprivileged user with minimal access rights. Attackers may successfully exploit client flaws in the browser through cross-site scripting vulnerabilities. When possible, run all software as a user with minimal privileges and limited access to system resources. Use additional precautions such as restrictive environments to insulate software that may potentially handle malicious content.

Deploy network intrusion detection systems (NIDS) to monitor network traffic for signs of anomalous or suspicious activity. This may indicate exploit attempts or activity that results from successful exploits.

What to tell your users?
========================

Normal security best practices apply. In particular, inform your Web users to be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Users should not click on links in suspicious emails, and should immediately forward any suspicious email to the respective IT security officer / contact in your institution.

More information
================

[1] Web Page: IBM Lotus Mobile Connect Homepage (IBM)
    http://www-01.ibm.com/software/lotus/products/mobileconnect/
[2] Web Page: List of Fixes for Lotus Mobile Connect 6.1.4 (IBM)
    http://www-01.ibm.com/support/docview.wss?uid=swg27020327
[3] CVSS details: CVSS Version 2 Scores
    CVSS2 Base 5.8
    CVSS2 Temporal 4.8
    CVSS2 Base Vector AV:N/AC:M/Au:N/C:P/I:P/A:N
    CVSS2 Temporal Vector E:F/RL:OF/RC:C
    More information about CVSS is available at: http://www.first.org/cvss/cvss-guide.html

Best regards,
CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383