J-Security Center

Title: Lotus Sametime Multiple Encryption Implementation Flaw Vulnerabilities

Severity: HIGH

Description:

Sametime is the Instant Message client distributed and maintained by Lotus. It is available for the Microsoft Windows operating system.

Several problems have been identified in Lotus Sametime that may make information encrypted through Sametime more prone to retrieval by a malicious party. This may result in an adversary gaining access to sensitive information.

One issue is the RC2/40 key being sent in the login message. Upon intercepting the login message, an adversary has a significantly greater chance of decrypting the user's password.

Next, the key is also transmitted with Instant Messages. This may also increase the liklihood of decrypting sensitive information.

Also, Encrypted Instant Messages contain six bytes of known characters at the beginning of each IM. It is theorized that by gathering Instant Messages over a period of time and cracking the six bytes of known text, it may be possible to reveal the encryption key used. This has not been confirmed.

Finally, the implementation of RC2/40 in Sametime uses a limited range of characters when generating encryption keys that significantly weakens generated keys. The implementation uses only ASCII representations of decimal numbers that weaken keyspace from 256^10 possibilities to 10^10 possibilities.

Affected Products:

  • Lotus Sametime 1.5.0
  • Lotus Sametime 3.0.0

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.