
IBM Lotus Notes LZH Attachment Viewer Stack Buffer Overflow


Check Point Reference: CPAI-2011-109
Date Published:
Severity:
Source:
Industry Reference(s): CVE-2011-1213

Protection Provided by: IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
IBM Lotus Notes 8.0.x
IBM Lotus Notes 8.5.1.x
IBM Lotus Notes Prior to 8.5.2
Vulnerability Description
A stack buffer overflow exists in the IBM Lotus Notes LZH attachment viewer and is triggered when opening an LZH file whose LZH header is too short.
Vulnerability Details
A stack buffer overflow exists in the LZH attachment viewer of IBM Lotus Notes prior to version 8.5.2, triggered when opening an LZH file whose LZH header is too short. Exploiting this vulnerability may enable non-privileged code execution (in the context of the currently logged-on user).

Protection Overview
The protection will block the transfer of IBM Lotus Notes LZH files with overly short headers.
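
A structural check of this kind can be sketched as follows. This is an added example, not Check Point's signature or IBM's fix: the field offsets come from the public LHA/LZH header layout, and the rule that "too short" means a declared header size smaller than the fixed fields require is an assumption, since the advisory does not define it. The names `check_lzh_header` and `build_level0` are hypothetical.

```python
import struct

# Layout below is the public LHA/LZH header format, not taken from the advisory.
# Level 0/1: byte 0 is the header size counted from offset 2.
# Level 2: bytes 0-1 are the total header size (little-endian).
FIXED_LEN = {0: 22, 1: 25}      # level 0/1 fixed fields; filename length is added
LEVEL2_MIN = 26                 # level 2 fixed fields


def check_lzh_header(data: bytes) -> list:
    """Return findings for the first member header; an empty list means consistent."""
    if len(data) < 22:
        return ["truncated: fixed header fields incomplete"]
    if data[2:4] != b"-l" or data[6:7] != b"-":
        return ["no LZH method id at offset 2"]
    level, findings = data[20], []
    if level in FIXED_LEN:
        declared, required = data[0], FIXED_LEN[level] + data[21]
        if declared < required:
            findings.append(f"declared header size {declared} shorter than required {required}")
        if 2 + declared > len(data):
            findings.append("declared header extends past end of data")
    elif level == 2:
        total = struct.unpack_from("<H", data, 0)[0]
        if total < LEVEL2_MIN:
            findings.append(f"declared header size {total} shorter than required {LEVEL2_MIN}")
        if total > len(data):
            findings.append("declared header extends past end of data")
    else:
        findings.append(f"unknown header level {level}")
    return findings


def build_level0(name: bytes, declared=None) -> bytes:
    """Constructed sample: level-0 header, zeroed sizes/timestamp/CRC, checksum not computed."""
    body = b"-lh0-" + struct.pack("<III", 0, 0, 0) + bytes([0x20, 0, len(name)]) + name + b"\x00\x00"
    return bytes([len(body) if declared is None else declared, 0]) + body


if __name__ == "__main__":
    for label, blob in [("consistent", build_level0(b"a.txt")),
                        ("short header", build_level0(b"a.txt", declared=4)),
                        ("truncated", build_level0(b"a.txt")[:10])]:
        print(label, "->", check_lzh_header(blob) or "ok")
```

The check only inspects the first member header and does not verify the header checksum or CRC, so it complements the IPS protection and patching to 8.5.2 but does not replace either.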

To configure the defense, select your product from the list below and follow the related protection steps.

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Application Intelligence > Badfiles, and select the LZH Parser protection group.
3. Click IBM Lotus Notes LZH Attachment Viewer Stack Buffer Overflow (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Alert Name: Badfiles LZH file Alert/Filter
Description: IBM Lotus Notes LZH Attachment Viewer Stack Buffer Overflow