J-Security Center

Title: IBM Lotus Domino Password Encryption Weakness

Severity: HIGH

Description:

IBM Lotus Domino is affected by a password encryption weakness. This issue arises due to a design error.

Reportedly, the algorithm used by Lotus Domino to encrypt user passwords does not use a salt value. Without a salt, the hash of a given password is static: the same password always hashes to the same value, so two users who choose identical passwords will have identical stored hashes.

This can aid in brute force attacks by significantly reducing the time needed to crack a password. This issue could aid in other attacks such as BID 14388 (IBM Lotus Domino WebMail Information Disclosure Vulnerability) to compromise a user's account. It should be noted that attackers may also pre-compute password hashes before targeting a vulnerable computer.
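The following added example (not from the advisory, and not IBM's code) illustrates the weakness the description refers to in a generic way. The advisory does not specify Domino's hashing algorithm, so SHA-256 stands in for it as an assumption: an unsalted digest is identical for identical passwords and can be matched against a table computed before any target is seen, while a per-user random salt (here fed to PBKDF2, a constructed choice) makes equal passwords produce unequal hashes and makes such a table useless.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Small constructed word list standing in for an attacker's precomputed table input.
SAMPLE_WORDS = ["password", "letmein", "welcome1", "correct horse battery staple"]


def unsalted_hash(password: str) -> str:
    """Unsalted digest: the same password always yields the same hex string.

    This models the weakness in the advisory. SHA-256 is an assumption here;
    the advisory does not name Domino's actual algorithm.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Salted, iterated digest (PBKDF2-HMAC-SHA256, a constructed choice).

    A fresh 16-byte random salt is drawn per stored password unless one is
    supplied for verification. The salt is stored alongside the digest.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest.hex()


def verify_salted(password: str, salt: bytes, expected_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt)
    return hmac.compare_digest(candidate, expected_hex)


def precomputed_table(words: Iterable[str]) -> Dict[str, str]:
    """Map unsalted digest -> plaintext, computed once, before any target exists.

    This is what the advisory means by pre-computing password hashes: with no
    salt, one table serves against every installation.
    """
    return {unsalted_hash(w): w for w in words}


def lookup(table: Dict[str, str], stored_hex: str) -> Optional[str]:
    """Return the plaintext if the stored digest appears in the table."""
    return table.get(stored_hex)


def demo() -> dict:
    """Run both schemes over two users with the same password and report results."""
    shared_password = "letmein"

    # Unsalted: both users store the identical value, and it is in the table.
    alice_unsalted = unsalted_hash(shared_password)
    bob_unsalted = unsalted_hash(shared_password)
    table = precomputed_table(SAMPLE_WORDS)

    # Salted: each user gets a different salt, so the stored digests differ,
    # yet each still verifies against the correct password.
    alice_salt, alice_salted = salted_hash(shared_password)
    bob_salt, bob_salted = salted_hash(shared_password)

    return {
        "unsalted_identical": alice_unsalted == bob_unsalted,
        "unsalted_table_hit": lookup(table, alice_unsalted),
        "salted_identical": alice_salted == bob_salted,
        "salted_table_hit": lookup(table, alice_salted),
        "alice_verifies": verify_salted(shared_password, alice_salt, alice_salted),
        "bob_verifies": verify_salted(shared_password, bob_salt, bob_salted),
        "wrong_password_rejected": not verify_salted("wrong", alice_salt, alice_salted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point a defender takes from this is that the salt does not need to be secret; it only needs to be unique per stored password so that the table an attacker built in advance no longer matches anything, and so that identical passwords stop being visible as identical hashes in the credential store.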

All versions of Lotus Domino are considered to be affected by this weakness.

Affected Products:

  • IBM Lotus Domino 5.0.13
  • IBM Lotus Domino 6.0.0
  • IBM Lotus Domino 6.0.1
  • IBM Lotus Domino 6.0.2
  • IBM Lotus Domino 6.0.2 CF2
  • IBM Lotus Domino 6.0.3
  • IBM Lotus Domino 6.0.4
  • IBM Lotus Domino 6.0.5
  • IBM Lotus Domino 6.5.0.0
  • IBM Lotus Domino 6.5.1
  • IBM Lotus Domino 6.5.2
  • IBM Lotus Domino 6.5.3
  • IBM Lotus Domino 6.5.4
  • IBM Lotus Domino Enterprise Server 5.0.12
  • IBM Lotus Domino Enterprise Server 5.0.13
  • IBM Lotus Domino Enterprise Server 5.0.3
  • IBM Lotus Domino Enterprise Server 5.0.9
  • IBM Lotus Domino Enterprise Server 6.0.1
  • IBM Lotus Domino Enterprise Server 6.0.5
  • IBM Lotus Domino Enterprise Server 6.5.2
  • IBM Lotus Domino Enterprise Server 6.5.4

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.