Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

alt

Daniel Nashed

Changed default Notes Client mailto: with attachment behavior in 11.0.1 FP1

Daniel Nashed – 19 August 2020 15:34:28

There is a changed behavior with mailto: links for Notes Clients.


Mailto Links:


Before this change Notes clients would allow attachments copied to the crafted mail message triggered by the mailto: link. With this change by default attachments are blocked.

Here is an example:  
mailto:badboy@umbrella.corp?attach=c:\noclist.txt

Changed behavior:

There is a new notes.ini parameter available in 11.0.1 FP1 which allows you to use the existing functionality MailToURL_Attach=1.

The SPR #ARUIBM4MYE is not listed in the fixlist, because some genius reported it as a security issue for many different mail applications ->
https://www.nds.ruhr-uni-bochum.de/media/nds/veroeffentlichungen/2020/08/15/mailto-paper.pdf

RFC Compliance

The functionality (including attachments) is RFC compliant as the report references and around for many years (
https://tools.ietf.org/html/rfc6068).

The resulting mail is a draft mail, which the user still needs to send. The URL schema does not allow to sent the message -- just to create it.

Windows specific considerations

There is one detail which isn't a nice behavior on Windows as discussed in the paper.
If the link references a remote file server, windows will use known NTLM hashes to try to connect automatically.
That alone should not cause a security issue with current NTLM configurations.  But this could still lead to some exposure in certain type of environments today.


Side note: Notes private key/cert protection

As outlined in the paper, many clients use keys and certificates on disk.

The Notes client uses a Notes.ID which is protected by a password supporting modern encryption standards like AES256 and contains all certificates, private keys including S/MIME keys inside the Notes.ID.
So replacing the Notes.id with something else or access to protected information is far more complex than what is described in the "security paper".


Conclusion

So in general if you are not using mailto: with attachments it is good that the feature is now disabled by default.

And it will be also disabled by default with the next scheduled 10.0.1 FP and also 9.0.1 FP10 IF.

Most customers are not leveraging mailto: with attachments. And it helps to protect against requests that could compromise your Windows security as outlined above.


Reference to CVE Report and Technote

Here is the official report for the security concern -->
https://nvd.nist.gov/vuln/detail/CVE-2020-4089
And it reference the current HCL technote which is progress of being updated right now -->
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0080343
 

Links

    Archives


    • [HCL Domino]
    • [Domino on Linux]
    • [Nash!Com]
    • [Daniel Nashed]