IBM has warned that bugs in its Notes auto-updater mean the service can be tricked into running malicious code.
In its advisory, IBM says the Notes Smart Updater service, which sees upgrades of Notes sent to users' desktops, “can be misguided into running malicious code from a DLL masquerading as a windows DLL in the temp directory.”
Compromising an auto-updater is serious business: users trust them to bring in safe code, in this case new versions of Notes. Flaws in such a service are therefore extraordinarily dangerous.
The bug, CVE-2017-1711, affects versions in the Notes 8.5 and 9.0 branches.
It's one of two turned up by Danish infosec company Improsec, which has made its disclosures here (you'll need Google Translate).
Author Lasse Trolle Borup explains “the service simply copies itself to the TEMP directory and executes the copy, probably for when the update service must update its own executable. The problem here is, that though normal users are not allowed to list the contents of TEMP, they can still write files there.
“By executing a file from an uncontrolled location, the service is exposing itself to DLL Search Order Hijacking”, Borup continued.
All that's needed to reproduce the bug, Borup wrote, is to compile his proof-of-concept code and give it a static link as MSIMG32.dll; copy that file to C:\windows\temp; and run sc control lnsusvc 136 at the command line.
IBM made a second disclosure about the same bug here, since it also affects IBM Client Application Access.
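The condition Borup describes, a privileged process loading a Windows-named DLL from a directory outside the system folders, can be hunted for in module-load telemetry. The following Python is an added example, not code from Improsec or IBM; the event field names, the file name updater_copy.exe and the short DLL list are constructed for illustration.

```python
import ntpath

# Constructed sample of names that normally load from System32; a real check
# would enumerate that directory on the host being monitored.
SYSTEM_DLLS = {"msimg32.dll", "version.dll", "kernel32.dll"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
PRIVILEGED_USERS = {r"nt authority\system"}

# Constructed module-load events. Field names are assumptions, and
# updater_copy.exe is a hypothetical name for the service's copy in TEMP.
EVENTS = [
    {"user": r"NT AUTHORITY\SYSTEM", "image": r"C:\Windows\Temp\updater_copy.exe",
     "loaded": r"C:\Windows\Temp\MSIMG32.dll"},
    {"user": r"NT AUTHORITY\SYSTEM", "image": r"C:\Windows\Temp\updater_copy.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
    {"user": r"DESKTOP\alice", "image": r"C:\Users\alice\app\tool.exe",
     "loaded": r"C:\Users\alice\app\version.dll"},
    {"user": r"NT AUTHORITY\SYSTEM", "image": r"C:\Windows\System32\svchost.exe",
     "loaded": r"C:\Windows\System32\msimg32.dll"},
]

def _dir(path):
    """Directory of a Windows path, normalised for case and separators."""
    return ntpath.normcase(ntpath.dirname(ntpath.normpath(path)))

def is_suspect(event):
    """True when a privileged process loads a system-named DLL from
    somewhere other than the system directories."""
    dll_name = ntpath.basename(event["loaded"]).lower()
    return (event["user"].lower() in PRIVILEGED_USERS
            and dll_name in SYSTEM_DLLS
            and _dir(event["loaded"]) not in SYSTEM_DIRS)

def find_suspect_loads(events):
    """Return (process image, loaded DLL, loaded_from_exe_dir) per hit."""
    hits = []
    for ev in events:
        if is_suspect(ev):
            same_dir = _dir(ev["loaded"]) == _dir(ev["image"])
            hits.append((ev["image"], ev["loaded"], same_dir))
    return hits

if __name__ == "__main__":
    for image, dll, same_dir in find_suspect_loads(EVENTS):
        print(f"ALERT {image} loaded {dll} (from executable's dir: {same_dir})")
```

The third tuple element marks loads resolved from the executable's own directory, which is the first place the Windows loader looks and the reason running a service binary from a user-writable folder matters.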
Spectre and Meltdown POWERed down, and an AIX fix
Big Blue had a busy week last week, and on Saturday also updated security folk about its Meltdown/Spectre status here.
POWER-series users running Linux will get their patches from the distribution they use.
In a separate issue, AIX and VIOS also needed patching against CVE-2018-1383, which the company describes as “An unspecified vulnerability in AIX [which] could allow a user with root privileges on one system, to obtain root access on another machine.” ®