Potential Security Vulnerability in domino 8.0.x and 8.5.x »
CHRISTIAN DENCKER - MAR 3, 2011 (09:49:26 PM)
Under 1 specific Domino Configuration,"Deleted Users" gets deleted from the "Deny Access group", thus making it possible for "Terminated Users" with valid user.id's to gain access to you Domino Domain.
Domino or any program that runs as a part of the Domino server, must not delete names from the "Deny Access Groups", under any circumstance!
Only administrators should be allowed to
delete names from deny access groups.
Currently Domino can remove names from the Deny Access list groups automatically!
For example, it happens if the "Action" setting in the Domino Directory ACL is not set to "Do not modify names fields". When an user is deleted, at the end of the AdminP sequence of requests the name is removed from the group. (even if the "Add deleted user to Deny Access Group" option is set - the user is added, and then removed).
This leads to a security breache, as deleted users gain not authorized access to the server, with a valid user.id file.
Secondary aspects of the problem are administrators unaware of the security mis-configuration (missing names in the group and wrong "Action" setting in ACL), and the difficulty in restoring the names in the group once they have been deleted (for example if the problem is discovered after a long time, or backups are lost).
IBM should alter the Domino 8.x behavior so that names are never automatically removed from the deny access lists, whatever the configuration settings.
The SPR number is SSAI8EKC5N, and the corresponding APAR number is LO58885.