Admin Security Tip: Internet Passwords Are Vulnerable
By Chuck Connell, DominoAdministration.com
This month's security newsletter addresses an old vulnerability in Domino Web services, but one which, unfortunately, administrators can still fall prey to. Credit for this information goes to Chad Loder at Rapid7.com (who gives credit to Kevin McPeake) and to Katherine Spanbauer, Security Product Manager at Lotus Software.
The problem arises when all of the following are true:
1. You are using Domino as a Web server (by enabling the HTTP task).
2. You have assigned Internet passwords to users in the Domino public address book (NAMES.NSF).
3. Users have chosen common, lowercase words as their passwords.
4. The access control list (ACL) in NAMES.NSF allows Reader access (or higher) to either Anonymous or Default.
5. The Domino administrator has not run the action Upgrade To More Secure Internet Password Format on all Person documents in NAMES.NSF (available in 4.6 or higher) and has not set the Use More Secure Internet Passwords option in the Domino Directory Profile (available in 5.0.6 or higher).
When all of these conditions exist, an attacker can quickly discover users' passwords and then log on with those account names and passwords. While this may seem like an unlikely set of conditions, it is actually fairly likely, since each piece is the common or default behavior. The key problem is that many Domino administrators are not aware of (or don't use) the options mentioned in #5.
The exploit relies on the fact that the $Users view in the public NAB contains a hashed copy of each user's Internet password. The hash is normally computed with the @Password function built into Domino, which is deterministic and unsalted: the same word always produces the same hash on every server. So an attacker simply takes a dictionary of common words, uses @Password to compute the hash of each word, and saves the resulting "hashed dictionary." The attacker then compares each hashed password found in $Users against the hashed dictionary. Whenever there is a match, the user's password is the plaintext word corresponding to the matched hash.
(The More Secure Internet Password feature mentioned above applies additional hashing to the passwords, so they are not equal to the string obtained from @Password.)
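The following added illustration (not Domino code, and not the real @Password algorithm, for which SHA-256 is used as a stand-in) shows why the precomputed hashed dictionary works against the legacy format and fails against a salted format of the kind the More Secure option introduces. The user names, passwords and dictionary words are constructed, mirroring the article's examples.

```python
import hashlib
import secrets

# Constructed dictionary of "common, lowercase words" (condition #3 in the article).
COMMON_WORDS = ["pencil", "water", "computer", "paper"]


def legacy_hash(password: str) -> str:
    """Stand-in for @Password: deterministic and unsalted, so identical on every server."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: str) -> str:
    """Stand-in for the more secure format: a per-user salt is mixed into the hash
    and stored with it, so the stored value never equals a plain @Password result."""
    digest = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
    return salt + "$" + digest


def new_salted_entry(password: str) -> str:
    return salted_hash(password, secrets.token_hex(8))


def build_hashed_dictionary(words):
    """The precomputed table (hash -> word): built once, reusable against any legacy store."""
    return {legacy_hash(w): w for w in words}


def match_precomputed(stored_hashes, hashed_dict):
    """Audit: which Person entries have a stored hash that appears in the precomputed table?"""
    return {user: hashed_dict[h] for user, h in stored_hashes.items() if h in hashed_dict}


# Constructed Person entries: two weak passwords and one acceptable passphrase.
PASSWORDS = {"alice": "pencil", "bob": "WaterBottLE", "carol": "water"}
LEGACY_STORE = {u: legacy_hash(p) for u, p in PASSWORDS.items()}
SALTED_STORE = {u: new_salted_entry(p) for u, p in PASSWORDS.items()}
HASHED_DICT = build_hashed_dictionary(COMMON_WORDS)


def weak_legacy_users():
    # Legacy format: every common-word password is found by a single table lookup.
    return match_precomputed(LEGACY_STORE, HASHED_DICT)


def weak_salted_users():
    # Salted format: the same table matches nothing, even for the same weak passwords.
    return match_precomputed(SALTED_STORE, HASHED_DICT)


if __name__ == "__main__":
    print("legacy format, matched by precomputed table:", weak_legacy_users())
    print("salted format, matched by precomputed table:", weak_salted_users())
```

The salt only defeats the precomputed table; a weak word can still be guessed per user, which is why the passphrase advice below still applies.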
Chad Loder demonstrated this attack to me. He asked me to construct a Domino public address book, put into it a few usernames and their Internet passwords, and then make the address book available on the Web. Within a few minutes, Chad sent me an email containing the passwords for some of the users listed in my address book.
What are the solutions to this problem? There are three.
1. The ACL for NAMES.NSF should be set to No Access for Default and Anonymous. This is good practice for all Domino servers.
2. Users should create passphrases rather than passwords. The phrases should contain a mix of upper- and lower-case letters, or common words stuck together, or a mix of letters and numbers. The passphrases in my address book that followed these rules were not cracked during Chad's test. Examples of unacceptable passwords are: pencil, water, and computer. Examples of acceptable passphrases are: pencil*eraser, WaterBottLE, and computer12345. This is old advice, but even more valuable in light of this Domino vulnerability.
3. Domino administrators should run the action Upgrade To More Secure Internet Password Format and/or set the Directory Profile option Use More Secure Internet Passwords. Both features are described in Domino R5 Admin Help. See Index / Internet Passwords / Security.
Chuck Connell is president of CHC-3 Consulting, which helps organizations with all aspects of Domino and Notes, especially administration and security. CHC-3 helps companies to outsource their Domino administration needs via the Web site DominoAdministration.com and runs the popular security site DominoSecurity.org.