LSTSRV-L Archives

LISTSERV Site Administrators' Forum

Nathan Brindle <[log in to unmask]>
Mon, 17 Jul 2000 16:23:13 EDT
*************************************************************************
************************** SECURITY ADVISORY 1 **************************
*************************************************************************

A  security  exposure has  been  discovered  and  fixed in  LISTSERV  and
LISTSERV Lite. L-Soft recommends that  all affected users apply the 2000b
level set immediately.

Please note carefully that this  exposure differs from the exposure fixed
by the 2000a level set released on 5 May 2000.

------------------------------- ABSTRACT --------------------------------
PRODUCTS AFFECTED:

- LISTSERV  version 1.8d  (confirmed), including  LISTSERV Lite  and Free
  Edition.

- LISTSERV  version 1.8c  (inferred), including  LISTSERV Lite  betas and
  Free Edition.

- LISTSERV version 1.8b and older are NOT affected.

- Note  that  support  for  version 1.8c  (released  January,  1997)  was
  discontinued as  of March 1, 1999,  when version 1.8d was  released. No
  patches are or will be available for version 1.8c.

OPERATING SYSTEMS AFFECTED:

- Windows NT/2000 (confirmed)

- unix (all vendors) (confirmed)

- OpenVMS AXP (confirmed).

- Windows 95/98, OpenVMS VAX (inferred).

- VM/ESA sites are NOT affected.

EXPOSURE:

Intruders may  be able to  gain non-interactive  access to the  system on
which   LISTSERV  is   running.   On  a   properly  configured   LISTSERV
installation,  this access  will  be non-privileged.  However  it may  be
possible for the intruder to gain root  access if one of the following is
true:

- LISTSERV executables were granted privileges  over and above those that
  are required  and/or recommended  for the particular  operating system.

- The operating system is not secure (for instance, key system files have
  world  write  access   because  the  system  is  installed   on  a  FAT
  partition).

SOLUTION:

- Apply   2000b  level   set   (see  below).   The   problem  cannot   be
  circumvented.

- [Windows NT/2000]  Make sure  your boot/system  drive is  formatted for
  NTFS with suitable access control lists.

- Reminder: L-Soft does  not recommend running LISTSERV  on Windows 95/98
  because the OS and file system are fundamentally unsecure.

RISK RATING: HIGH

- Date the vulnerability appeared in code stream: January, 1996.

- Date of first reported exploit: July 13, 2000.

- Exploit widely known within hacker community since: No known incident.

INCIDENT CHRONOLOGY:

2000-07-13 Initial report, exposure 1 (one site)
2000-07-13 Emergency action initiated
2000-07-13 Patch A1 ready
2000-07-13 A1 delivered to reporting site
2000-07-13 A1 merged with 2000b level set
2000-07-13 A1 passed standard internal tests, ready for deployment
2000-07-15 Reporting site confirms A1 removes exposure
2000-07-15 Deployment held until 07/17 (weekend hold - exposure not leaked)
2000-07-15 2000b kit generation starting
2000-07-16 2000b kits ready for deployment
2000-07-17 2000b deployed

---------------------------- END OF ABSTRACT ----------------------------

THE 2000b LEVEL SET
-------------------

The security patch was developed on top of the 2000b level set code base,
which was  scheduled for release  around 01  August 2000. The  2000b code
base is identical to the previous (2000a) code base, with the addition of
new features specific to the Windows  2000 version (see below) and of the
following minor corrections:

18D-0027 00/06/08 [b] Fix typo in HPO recommendation message
18D-0029 00/07/15 [I] Report Tru64 variant along with version

The  original purpose  of the  2000b level  set was  to reassure  Windows
customers  that Windows  2000 is  supported  and certified  for use  with
LISTSERV. L-Soft had initially decided not  to issue a level set only for
Windows  2000 support  as LISTSERV  required no  changes to  run on  this
operating system, but customers were confused by messages in the LISTSERV
logs  identifying the  system  as Windows  NT 5.0.  The  2000b level  set
correctly identifies  Windows 2000 and  reports the operating  system and
exact  processor  versions  with  more  accuracy  in  benchmark  reports.
LISTSERV is currently certified on Windows  NT 4.0 SP3, SP4, SP5, SP6 and
SP6a, and on Windows 2000.

Note that the  new installation program that was to  be released together
with  the 2000b  level  set  for Windows  is  not  ready. This  expedited
release is  based on the  old installation  program. The level  set files
for Windows  will be updated again  once the new installation  program is
ready.

APPLYING THE 2000b LEVEL SET
----------------------------

Level sets are standard installation kits that have replaced the previous
installation kits  on L-Soft's FTP and  web servers. They can  be used to
install a  new copy of  LISTSERV or  upgrade an existing  installation. A
level set is similar to a Windows  NT CD-ROM with the latest service pack
pre-applied.

To download the  2000b level set, simply  go to L-Soft's web  site (or to
FTP.LSOFT.COM) and  download an evaluation  copy of LISTSERV  or LISTSERV
Lite, then  follow the included installation  instructions (which include
Update instructions)  for your  operating system. The  kits can  be found
at:

for LISTSERV (all platforms except VM/ESA):
http://www.lsoft.com/download/default.asp?item=listserveval

for LISTSERV-Lite (all platforms):
http://www.lsoft.com/products/default.asp?item=listserv_lite#download

Installation instructions for all platforms are always available from our
Documentation web site at http://www.lsoft.com/info/manuals.asp .

Remember that in ALL installations or  updates you must MANUALLY copy the
wa* or wa.exe executable from the LISTSERV Main directory to wherever you
place your cgi-bin scripts on your webserver directory tree.

LICENSE KEY FOR THE 2000b LEVEL SET
-----------------------------------

The level  set is  a no-cost  upgrade to  customers already  licensed for
version 1.8d  and will work with  your existing 1.8d license  key. No new
key is necessary if  your existing key is for Version  1.8d. (To see what
version  your current  license is  for, issue  the LISTSERV  command SHOW
LICENSE by email to LISTSERV.)

The level set will NOT work with a 1.8c, 1.8b or older license key.

SPECIAL NOTES
-------------

1. Make sure to update ALL  LISTSERV executables, including wa, lsv_amin,
   lcmd, etc. Unix  users MUST be sure to download  the common.tar.Z file
   as well!

2. The  2000b level  set for  VM/ESA will  be made  available at  a later
   date. VM/ESA sites are not  affected by the security vulnerability and
   do not need to apply 2000b to secure their systems.

3. The 2000b level set is  ONLY available for operating systems currently
   supported  by  L-Soft.  When  browsing  FTP.LSOFT.COM,  you  may  find
   installation kits for other operating systems, such as Ultrix or SunOS
   4.x, but  these kits are  based on  older versions and/or  code bases.
   L-Soft no  longer has  development machines for  unsupported operating
   systems and is  not in a position  to compile the 2000b  level set for
   these systems.  This means no patch  is or will be  available for such
   systems.

VERIFYING A SUCCESSFUL INSTALLATION
-----------------------------------

At the end of your installation  or update, restart LISTSERV and send the
command  SHOW  LICENSE to  make  sure  the installation  was  successful.
The installation was successful if:

1. The Build Date: value in the  output of the LISTSERV command SHOW
   LICENSE is 16 July 2000 or later,

2. AND the file date  of the wa* or wa.exe executable is  16 July 2000 or
   later.

Note that BOTH of the above conditions must be met.
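
The file-date condition above, as an added shell example for unix installations (not part of the L-Soft advisory). It assumes the executable is named wa in both directories and takes the LISTSERV Main directory and the web server's cgi-bin directory as arguments; it also compares the two copies, because a copy made without preserving timestamps gets a new file date whatever its contents. The Build Date: value must still be read from the SHOW LICENSE reply.

```shell
#!/bin/sh
# Added example, not L-Soft code. Assumes the executable is named "wa" in
# both directories; the two directory paths are supplied by the caller.

CUTOFF=200007152359.59   # touch -t stamp: last second before 16 July 2000

# wa_is_current FILE: succeeds if FILE's date is 16 July 2000 or later.
wa_is_current() {
    ref=$(mktemp) || return 1
    touch -t "$CUTOFF" "$ref"
    # find -newer matches only files modified after the reference file.
    hit=$(find "$1" -prune -newer "$ref" -print 2>/dev/null)
    rm -f "$ref"
    [ -n "$hit" ]
}

# check_wa MAIN_DIR CGI_DIR
# Returns 0 when both copies pass the file-date check and are identical:
#   1 = a copy is missing          2 = Main copy predates 16 July 2000
#   3 = cgi-bin copy predates it   4 = cgi-bin copy differs from Main copy
check_wa() {
    main="$1/wa"
    cgi="$2/wa"
    if [ ! -f "$main" ] || [ ! -f "$cgi" ]; then
        echo "missing: need both $main and $cgi" >&2; return 1
    fi
    if ! wa_is_current "$main"; then
        echo "stale: $main is older than 16 July 2000" >&2; return 2
    fi
    if ! wa_is_current "$cgi"; then
        echo "stale: $cgi is older than 16 July 2000" >&2; return 3
    fi
    # A copy made without preserving timestamps gets a fresh file date even
    # if its contents are old, so also require identical contents.
    if ! cmp -s "$main" "$cgi"; then
        echo "mismatch: $cgi is not the wa from $1" >&2; return 4
    fi
    echo "ok: $cgi matches $main and is dated 16 July 2000 or later"
}

# Stand-alone use: sh check_wa.sh MAIN_DIR CGI_DIR
if [ "$#" -eq 2 ]; then
    check_wa "$1" "$2"
    exit $?
fi
```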
