IBM has released a patch for Lotus Domino to plug a security flaw which was disclosed in the latest Shadow Broker revelations. Lotus Domino includes an IMAP server. IMAP or Internet Message Access Protocol is an Internet standard protocol used by e-mail clients to retrieve e-mail messages from the mail server over a TCP/IP connection. The server contains a stack buffer overflow in the handling of mailbox names. This vulnerability affects Domino server 9.0.1FP8 and earlier versions, and this exploit has been referred to by the “EMPHASISMINE” code name by Shadow Brokers. CVE-2017-1274 has been assigned to this issue.
The EXAMINE command selects a mailbox so that messages in the mailbox can be accessed. It is identical to SELECT command and returns the same output; however, the selected mailbox is identified as read-only. By specifying a large mailbox name, an attacker can trigger a stack-based buffer overflow. Because IMAP commands that refer to a mailbox name are used after authentication, this vulnerability appears to only be exploitable by authenticated attackers, i.e. attackers having correct credentials. If exploited, this could allow a remote authenticated attacker to execute code with the privileges of the Domino server.
64-bit platforms that leverage ASLR (Address Space Layout Randomization) can dramatically reduce the probability of code execution. Older Windows 32-bit Domino servers are at greater risk to this attack. This issue is addressed in IBM Domino 9.0.1 Fix Pack 8 Interim Fix 2, and 8.5.3 Fix Pack 6 Interim Fix 17. Please see the IBM Security Bulletin for more details.
After Oracle, IBM is the most recent vendor to release patches for the Shadow Brokers data dump revelations.