09 Jul Security Advisory – SOS-09-004 – Lotus Sametime User Enumeration Vulnerability
Release Date: 9-Jul-2009
Last Update: –
Vendor Notification Date: 2-Jun-2009
Product: IBM Lotus Instant Messaging and Web Conferencing (Sametime)
Platform: Windows (verified), possibly others
Affected versions: IBM Lotus Instant Messaging and Web Conferencing (Sametime) 6.5.1 (verified), possibly others
Severity Rating: Low
Impact: Exposure of sensitive information
Attack Vector: Remote with authentication
Solution Status: Vendor patch not yet available
CVE reference: Not yet allocated
IBM Lotus Sametime is an enterprise instant messaging and web conferencing application. During an application penetration test Sense of Security identified a user enumeration vulnerability when trying to connect to the Sametime server using the Sametime Connect Client. This occurred as a result of varying response times depending on whether or not a valid user name is supplied.
The client takes significantly longer to display the ‘Invalid logon’ error message when a valid username (and invalid password) is provided (5-8 seconds). This is a result of additional information exchanges occurring between the server and client.
When an invalid username (and password) is supplied, the error is displayed almost instantaneously (1-3 seconds).
This can be used to enumerate valid user names.
Please refer to the PDF version of this advisory for proof of concept code examples.
The vendor has advised that IBM is looking to eliminate this behaviour completely in a future release.
Karan Khosla from Sense of Security Labs.