Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

Changed default Notes Client mailto: with attachment behavior in 11.0.1 FP1

Daniel Nashed  19 August 2020 17:34:28

There is a changed behavior with mailto: links for Notes Clients.


Mailto Links:


Before this change Notes clients would allow attachments copied to the crafted mail message triggered by the mailto: link. With this change by default attachments are blocked.

Here is an example:  
mailto:badboy@umbrella.corp?attach=c:\noclist.txt

Changed behavior:

There is a new notes.ini parameter available in 11.0.1 FP1 which allows you to use the existing functionality MailToURL_Attach=1.

The SPR #ARUIBM4MYE is not listed in the fixlist, because some genius reported it as a security issue for many different mail applications ->
https://www.nds.ruhr-uni-bochum.de/media/nds/veroeffentlichungen/2020/08/15/mailto-paper.pdf

RFC Compliance

The functionality (including attachments) is RFC compliant as the report references and around for many years (
https://tools.ietf.org/html/rfc6068).

The resulting mail is a draft mail, which the user still needs to send. The URL schema does not allow to sent the message -- just to create it.

Windows specific considerations

There is one detail which isn't a nice behavior on Windows as discussed in the paper.
If the link references a remote file server, windows will use known NTLM hashes to try to connect automatically.
That alone should not cause a security issue with current NTLM configurations.  But this could still lead to some exposure in certain type of environments today.


Side note: Notes private key/cert protection

As outlined in the paper, many clients use keys and certificates on disk.

The Notes client uses a Notes.ID which is protected by a password supporting modern encryption standards like AES256 and contains all certificates, private keys including S/MIME keys inside the Notes.ID.
So replacing the Notes.id with something else or access to protected information is far more complex than what is described in the "security paper".


Conclusion

So in general if you are not using mailto: with attachments it is good that the feature is now disabled by default.

And it will be also disabled by default with the next scheduled 10.0.1 FP and also 9.0.1 FP10 IF.

Most customers are not leveraging mailto: with attachments. And it helps to protect against requests that could compromise your Windows security as outlined above.


Reference to CVE Report and Technote

Here is the official report for the security concern -->
https://nvd.nist.gov/vuln/detail/CVE-2020-4089
And it reference the current HCL technote which is progress of being updated right now -->
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0080343
 

Comments

1Christian Henseler  19.08.2020 18:46:49  Changed default Notes Client mailto: with attachment behavior in 11.0.1 FP1

Hi Daniel!

"... with the next scheduled 10.0.1 FP and also 9.0.1 10 IF."

Do you really think that there will be an additonal 9.0.1FP10 Interim Fix, or is it a typo?

Best Regards

Christian

2Daniel Nashed  19.08.2020 19:00:55  Changed default Notes Client mailto: with attachment behavior in 11.0.1 FP1

@Christian, that's what I understood. It's a supported product version and this is seen as a security fix..

3Remi Derasse  20.08.2020 1:50:38  Changed default Notes Client mailto: with attachment behavior in 11.0.1 FP1

Hello,

Yes, 9.0.1 FP10 IF6 is available for download !

Here's the fix list from HCL's KB article 73999 : https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0073999

RGAU9VLHT3 On the domino server set the following notes.ini (DISABLE_SAML_FLAG=1) to allow for an ID vault sync with a SAML user via the SecIdfget function.

MOBNBJ6Q3E Domino LDAP - Provided a debug INI to allow disabling of LSCHEMA loading as a way of avoiding a potential crash in LSchemaTerm. Schema loading is not essential if you have not extended the standard LDAP schema. Set DEBUG_DISABLE_LSCHEMA_LOADING=1.

SKUEB979RR iNotes - Fixed a problem where routing path was not being appended from the FromDomain. Routing domains will now remain if iNotes_WA_NoOptimizeLocalRouting is set.

XBYNBPC6GP iNotes - Fixed an issue where clicking on tabs in tables in a web browser would sometimes result in Error 400, Invalid URL Exception.

SPPPBMDGUF HTTP server - Classic Web Applications may no longer work because of the X-Content-Type-Options: nosniff http header that is always included in an http response for Domino NSF application urls for increased security. Added the following notes.ini to disable the sending of the http X-Content-Type-Options: nosniff header. If the following notes.ini is specified then the http header will not be included by default in the http response. HTTP_DISABLE_X_CONTENT_TYPE_OPTIONS_NOSNIFF=1.

ATHNAZ2H55 Fix to NSD to capture the callstacks for the Notes client on Windows 10.

RJTOBM6SRS Fixed an issue where the log file gets full due to an agent doing stampnotes.

Nothing for v10 for the moment...

RĂ©mi

4Daniel Nashed  20.08.2020 6:57:19  Changed default Notes Client mailto: with attachment behavior in 11.0.1 FP1

@Remi, thanks! This is the new server IF.

Christian is asking for a client IF. And from what I understood there is one planned too.

Note: the IF numbers are not the same on client and server. They are incremented when a IF is sent out.

There is no alignment between server and client IFs. There first time I was confused. But than I realized the IFs are completely independed.

Technically IFs are combo hotfixes, sent out once sufficient/important SPRs are fixed and reported to be stable in the field.

-- Daniel

Archives


  • [IBM Lotus Domino]
  • [Domino on Linux]
  • [Nash!Com]
  • [Daniel Nashed]