Security bulletin: Passwords of Domino Internet users are vulnerable

The official title of the security bulletin is: “HCL Domino is susceptible to a weak cryptography vulnerability (CVE-2023-37495).” The problem is with person documents that were created using the “Add Person” button in the Domino Directory. For people less savvy in Domino: that’s not the usual way to add users to Domino. In Domino, we register users using a certifier file. The only time we add persons to the Domino Directory using the “Add person” button, is when we know that these users will only ever access a Domino application through a web browser.

The problem with these “internet users” is that the hash in the Domino Directory for the HTTP password uses a cryptographically weak hash algorithm. If an attacker has access to these hashes, he could determine the user’s password through a brute force attack. You can’t see these hashes from a browser, so the attacker needs to have access to the Domino Directory through a Notes or Nomad client. That limits the potential attackers to all users who are registered as Notes users inside the company.

The solution is already provided by HCL and consists of upgrading the design of your Domino Directory if you’re on a Domino version below Domino 14. You can find the templates here. Next to that, it’s necessary to update the potentially affected person documents (also if you’re on Domino 14, but created users in previous versions of Domino). This has no impact on the user and can be done any moment of the day.

1. From the Domino® Administrator, click People & Groups, and select the Person documents that you want to upgrade to a more secure password format.
2. Choose Actions > Upgrade to More Secure Internet Password Format.