The denial-of-service vulnerability appears in versions 6.5.1 and 6.0.3 of the e-mail and calendar server software, security company iDefense said in an advisory released on Wednesday.
"Exploitation of this vulnerability allows unauthenticated remote attackers to crash the Web service, thereby preventing legitimate usage," iDefense said in the advisory. "This attack requires minimal resources to launch and can be repeated to ensure that an unpatched computer is unable to recover."
IBM could not be immediately reached to comment on the flaw report. In a posting to its tech support site, the company said that it has thoroughly investigated the issue and has not been able to verify the vulnerability.
"We worked forever with IBM on this and we think they're wrong," said Michael Sutton, director of iDefense Labs. "In my opinion, this is not a difficult vulnerability to recreate."
In the past, IBM and iDefense have had a good working relationship, Sutton said. iDefense would notify Big Blue of vulnerabilities it found in IBM's products before publicly releasing the details of the flaw, he said. IBM in turn would work with iDefense in identifying the problem and developing a patch, so that an update would be ready when iDefense publicly announced the flaw.
"We ultimately agreed to disagree on the vulnerability," Sutton said. "And as we were trying to figure out how to handle the disclosure of this information, IBM posted their technical advisory on this without coordinating with us."
Sutton said iDefense first notified IBM of the problem in the Lotus Domino Server software in February and added that the companies had been working together on the issue for the past couple of months. The software, which runs on a number of operating systems, is a rival to Microsoft Exchange that underpins message, calendar and schedule features.
The vulnerability allows people to launch a remote attack by sending a long string of Unicode 430 characters with a /cgi-bin/ prefix to the vulnerable server, according to iDefense. The resulting stack overflow eats up computing resources and can be used in a denial-of-service attack, iDefense said.
In absence of a patch, iDefense has outlined a workaround. It is advising companies to use firewalls, access control lists or other TCP/UDP restriction mechanisms to limit access to systems and services.
