
Lotus Sametime User Enumeration Vulnerability

Sense of Security - Security Advisory - SOS-09-004

Release Date.                  09-Jul-2009
Last Update.                   09-Jul-2009
Vendor Notification Date.      20-Jul-2009
Product.                       Lotus Sametime User Enumeration
Platform.                      Windows (verified), possibly others
Affected versions.             IBM Lotus Instant Messaging and
                               Web Conferencing (Sametime) 6.5.1
                               (verified), possibly others.
Severity Rating.               Low
Impact.                        Exposure of sensitive information
Attack Vector.                 Remote without authentication
Solution Status.               Vendor patch not yet available
CVE reference.                 Not yet allocated

Details.
IBM Lotus Sametime is an enterprise instant messaging and web 
conferencing application. During an application penetration test
Sense of Security identified a user enumeration vulnerability when
trying to connect to the Sametime server using the Sametime 
Connect Client. This occurred as a result of varying response
times depending on whether or not a valid user name is supplied.

The client takes significantly longer to display the 'Invalid logon'
error message when a valid username (and invalid password) is
provided (5-8 seconds). This is a result of additional information
exchanges occurring between the server and client.

When an invalid username (and password) is supplied, the error is
displayed almost instantaneously (1-3 seconds).

This timing difference can be used to enumerate valid user names.
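As an added illustration, not part of the advisory and not a model of Sametime's actual protocol, the following Python sketch contrasts a login handler that performs extra message exchanges only for known users with a hardened handler that performs identical work for every request, so a wrong password is indistinguishable from an unknown account. The number of messages in the exchange stands in for wall-clock time; the user store, salt, message names and the `leaks_username_validity` self-check are all constructed for this example.

```python
"""Model of a logon exchange that leaks username validity, beside a fixed one.

Everything here is constructed for illustration: the user store, the static
salt, the message names and the exchange counts are not Sametime's protocol.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

SALT = b"constructed-static-salt"  # constructed; real stores use per-user salts


def _hash_password(password: str) -> bytes:
    # Deliberately expensive so the work done per request is visible.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)


# Constructed user store: one known account.
USERS = {"alice": _hash_password("correct horse")}

# Digest compared against when the account does not exist, so the hardened
# path hashes and compares exactly as it would for a real account.
DUMMY_DIGEST = _hash_password("placeholder-not-a-real-password")


@dataclass
class Transcript:
    """Messages exchanged for one logon attempt; its length is the time proxy."""
    messages: list = field(default_factory=list)

    def send(self, msg: str) -> None:
        self.messages.append(msg)


def vulnerable_login(username: str, password: str):
    """Replies early for unknown users, so valid accounts take visibly longer."""
    t = Transcript()
    t.send("LOGIN_REQUEST")
    stored = USERS.get(username)
    if stored is None:
        t.send("INVALID_LOGON")  # short path: no further exchanges
        return False, t
    t.send("CHALLENGE")  # extra round trips happen only for known users
    t.send("CHALLENGE_RESPONSE")
    if hmac.compare_digest(stored, _hash_password(password)):
        t.send("LOGON_OK")
        return True, t
    t.send("INVALID_LOGON")
    return False, t


def hardened_login(username: str, password: str):
    """Runs the same exchanges and the same hashing work for every username."""
    t = Transcript()
    t.send("LOGIN_REQUEST")
    t.send("CHALLENGE")  # identical sequence regardless of account existence
    t.send("CHALLENGE_RESPONSE")
    known = username in USERS
    stored = USERS.get(username, DUMMY_DIGEST)
    # compare_digest runs in time independent of where the digests differ;
    # it is evaluated before the 'known' flag so the work is always done.
    matched = hmac.compare_digest(stored, _hash_password(password))
    ok = matched and known
    t.send("LOGON_OK" if ok else "INVALID_LOGON")
    return ok, t


def leaks_username_validity(login_fn) -> bool:
    """Self-check for a deployment: does a wrong password for a known account
    produce a different-length exchange than a wrong password for an unknown one?"""
    _, known = login_fn("alice", "wrong-password")
    _, unknown = login_fn("no-such-user", "wrong-password")
    return len(known.messages) != len(unknown.messages)


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_login), ("hardened", hardened_login)):
        print(f"{name}: leaks username validity = {leaks_username_validity(fn)}")
```

The hardened handler still rejects bad credentials; what changes is that the server's observable behaviour (message sequence, and by extension response time) no longer depends on whether the account exists, which is the property to verify after applying any vendor fix for this class of issue.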
 
Solution.
The vendor has advised that IBM is looking to eliminate this
behaviour completely in a future release.

Discovered.
Karan Khosla from SOS Labs.
