NASIRC BULLETIN # 94-05                                      March 10,1994

           Password Vulnerability in Lotus cc:Mail for Windows
       ===========================================================
             __    __      __      ___   ___  ____     ____  
            /_/\  /_/|    /_/     / _/\ /_/| / __/ \  / __/\ 
            | |\ \| ||   /  \ \   | /\/ | || | /\ \/  | | \/ 
            | ||\ \ ||  / /\ \ \   \ \  | || |_\/ /\  | |    
            | || \ \|| / /--\ \ \ /\_\\ | || | |\ \ \ | \_/\ 
            |_|/  \_|//_/    \_\/ \/__/ |_|/ |_| \_\/ \___\/ 
           NASA Automated Systems Incident Response Capability
       ===========================================================

    NASIRC recently received notification of security vulnerabilities in
    Lotus cc:Mail for Windows  (versions 2.0  and 2.01) which could make
    users' passwords readable on their local hard drive. This could lead
    to accounts being compromised if another person is allowed access to
    a cc:Mail user's personal computer.

    This problem is fixed in version 2.02 of Lotus cc:Mail for Windows.

ACQUIRING THE FIX:

    Lotus has made  the cc:Mail v2.02 upgrade file,  called WINFIX.ZIP,
    available on-line  through a variety of methods: anonymous ftp, the
    Lotus cc:Mail BBS, and CompuServe.

    Via Anonymous FTP, the file is available ftp from ftp.ccmail.com in
    the /pub/windows directory. On the anonymous ftp server, WINFIX.ZIP
    is dated Feb 19 00:53 and is 279803 bytes long. 

    The Lotus cc:Mail BBS is available to everyone. The phone number is
    1-415-691-0401 (8 data bits, No Parity, 1 stop bit).  Once you have
    connected, go to the "File Area" by typing "F". Select the download
    option and download the file WINFIX.ZIP.  On the BBS, WINFIX.ZIP is
    279803 bytes long and is dated 2/18/94 at 2:02a.

    In CompuServe,  enter the Lotus Forum  by typing GO LOTUSC from any
    CompuServe prompt,  then enter Section 10  when prompted  for which
    section. From within Section 10, select "Download" and download the
    file WINFIX.ZIP.

INSTALLING THE FIX:

    After WINFIX.ZIP is unzipped, the following files become available:
    ccmail.exe (628,656 bytes)  and readme.now (1,062 bytes).  The next
    step is to install the upgrade. First, move into the directory that
    contains the old version of ccmail.exe (this directory is likely to
    be m:\ccmail). RENAME the old copy of ccmail.exe to ccmail.old, and
    then copy the new v2.02 ccmail.exe to the directory. If cc:Mail for
    Windows has been  installed on a network,  the system administrator
    only needs to change the network copy of ccmail.exe. If cc:Mail for
    Windows has been installed locally, ccmail.exe must be installed in
    the proper directory of every workstation. 

    Once installation of  the new v2.02 ccmail.exe  has been completed,
    all users should change their password.


   NASIRC will continue to monitor the situation and will post additional
   information as it becomes available.   If you have any questions about
   this bulletin, please contact NASIRC at any of the venues listed below.

     =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
      NASIRC ACKNOWLEDGES:  Karyn Pichnarczyk and the U.S. Department of
     Energy's Computer Incident Advisory Capability (CIAC) for forwarding
                this information in a rapid and timely manner.
     =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

      ===============================================================
        For further assistance, please contact the NASIRC Helpdesk:
           Phone: 1-800-7-NASIRC             Fax: 1-301-441-1853
                     Internet Email: nasirc@nasa.gov
            24 Hour/Emergency Pager: 1-800-759-7243/Pin:2023056
                        STU III: 1-301-982-5480
      ===============================================================
      This bulletin may be forwarded without restriction to sites and 
             system administrators within the NASA community.

      The NASIRC online archive system is available via anonymous ftp.
      Just ftp to nasirc.nasa.gov and login as anonymous.  You will be
      required to enter your valid e-mail address.  Once there you can
      access the following information:

          /toolkits           ! contains automated toolkit software
          /bulletins          ! contains NASIRC bulletins
       
      Information maintained in these directories is updated on a con-
      tinuous basis  with relevant software  and information.  Contact 
      the NASIRC Helpdesk for more information or assistance with tool
      kits or security measures.

                             -----------------

     PLEASE NOTE: Users outside of the NASA community  may receive NASIRC
     bulletins. If you are not part of the NASA community, please contact
     your agency's response team to report incidents.  Your agency's team
     will coordinate  with NASIRC,  who will  ensure the  proper internal
     NASA team(s)  are notified.   NASIRC is  a member  of  the  Forum of
     Incident Response and Security Teams (FIRST), a world-wide organiza-
     tion which provides for coordination between incident response teams
     in handling computer-security-related issues.  You can obtain a list
     of FIRST  member organizations  and their  constituencies by sending
     email to   docserver@first.org   with an empty  "subject" line and a
     message body containing the line "send first-contacts".