*************************************************************************
************************** SECURITY ADVISORY 1 **************************
*************************************************************************
A security exposure has been discovered and fixed in LISTSERV and
LISTSERV Lite. L-Soft recommends that all affected users apply the 2000b
level set immediately.
Please note carefully that this exposure differs from the exposure fixed
by the 2000a level set released on 5 May 2000.
------------------------------- ABSTRACT --------------------------------
PRODUCTS AFFECTED:
- LISTSERV version 1.8d (confirmed), including LISTSERV Lite and Free
Edition.
- LISTSERV version 1.8c (inferred), including LISTSERV Lite betas and
Free Edition.
- LISTSERV version 1.8b and older are NOT affected.
- Note that support for version 1.8c (released January, 1997) was
discontinued as of March 1, 1999, when version 1.8d was released. No
patches are or will be available for version 1.8c.
OPERATING SYSTEMS AFFECTED:
- Windows NT/2000 (confirmed)
- Unix (all vendors) (confirmed)
- OpenVMS AXP (confirmed)
- Windows 95/98, OpenVMS VAX (inferred)
- VM/ESA sites are NOT affected.
EXPOSURE:
Intruders may be able to gain non-interactive access to the system on
which LISTSERV is running. On a properly configured LISTSERV
installation, this access will be non-privileged. However, it may be
possible for the intruder to gain root access if one of the following is
true:
- LISTSERV executables were granted privileges over and above those that
are required and/or recommended for the particular operating system.
- The operating system is not secure (for instance, key system files have
world write access because the system is installed on a FAT
partition).
SOLUTION:
- Apply 2000b level set (see below). The problem cannot be
circumvented.
- [Windows NT/2000] Make sure your boot/system drive is formatted for
NTFS with suitable access control lists.
- Reminder: L-Soft does not recommend running LISTSERV on Windows 95/98
because the OS and file system are fundamentally insecure.
RISK RATING: HIGH
- Date the vulnerability appeared in code stream: January, 1996.
- Date of first reported exploit: July 13, 2000.
- Exploit widely known within hacker community since: No known incident.
INCIDENT CHRONOLOGY:
2000-07-13 Initial report, exposure 1 (one site)
2000-07-13 Emergency action initiated
2000-07-13 Patch A1 ready
2000-07-13 A1 delivered to reporting site
2000-07-13 A1 merged with 2000b level set
2000-07-13 A1 passed standard internal tests, ready for deployment
2000-07-15 Reporting site confirms A1 removes exposure
2000-07-15 Deployment held until 07/17 (weekend hold - exposure not leaked)
2000-07-15 2000b kit generation starting
2000-07-16 2000b kits ready for deployment
2000-07-17 2000b deployed
---------------------------- END OF ABSTRACT ----------------------------
THE 2000b LEVEL SET
-------------------
The security patch was developed on top of the 2000b level set code base,
which was scheduled for release around 01 August 2000. The 2000b code
base is identical to the previous (2000a) code base, with the addition of
new features specific to the Windows 2000 version (see below) and of the
following minor corrections:
18D-0027 00/06/08 [b] Fix typo in HPO recommendation message
18D-0029 00/07/15 [I] Report Tru64 variant along with version
The original purpose of the 2000b level set was to reassure Windows
customers that Windows 2000 is supported and certified for use with
LISTSERV. L-Soft had initially decided not to issue a level set only for
Windows 2000 support as LISTSERV required no changes to run on this
operating system, but customers were confused by messages in the LISTSERV
logs identifying the system as Windows NT 5.0. The 2000b level set
correctly identifies Windows 2000 and reports the operating system and
exact processor versions with more accuracy in benchmark reports.
LISTSERV is currently certified on Windows NT 4.0 SP3, SP4, SP5, SP6 and
SP6a, and on Windows 2000.
Note that the new installation program that was to be released together
with the 2000b level set for Windows is not ready. This expedited
release is based on the old installation program. The level set files
for Windows will be updated again once the new installation program is
ready.
APPLYING THE 2000b LEVEL SET
----------------------------
Level sets are standard installation kits that have replaced the previous
installation kits on L-Soft's FTP and web servers. They can be used to
install a new copy of LISTSERV or upgrade an existing installation. A
level set is similar to a Windows NT CD-ROM with the latest service pack
pre-applied.
To download the 2000b level set, simply go to L-Soft's web site (or to
FTP.LSOFT.COM) and download an evaluation copy of LISTSERV or LISTSERV
Lite, then follow the included installation instructions (which include
Update instructions) for your operating system. The kits can be found
at:
for LISTSERV (all platforms except VM/ESA):
http://www.lsoft.com/download/default.asp?item=listserveval
for LISTSERV-Lite (all platforms):
http://www.lsoft.com/products/default.asp?item=listserv_lite#download
Installation instructions for all platforms are always available from our
Documentation web site at http://www.lsoft.com/info/manuals.asp.
Remember that in ALL installations or updates you must MANUALLY copy the
wa* or wa.exe executable from the LISTSERV Main directory to wherever you
place your cgi-bin scripts in your web server directory tree.
LICENSE KEY FOR THE 2000b LEVEL SET
-----------------------------------
The level set is a no-cost upgrade to customers already licensed for
version 1.8d and will work with your existing 1.8d license key. No new
key is necessary if your existing key is for Version 1.8d. (To see what
version your current license is for, issue the LISTSERV command SHOW
LICENSE by email to LISTSERV.)
The level set will NOT work with a 1.8c, 1.8b or older license key.
SPECIAL NOTES
-------------
1. Make sure to update ALL LISTSERV executables, including wa, lsv_amin,
lcmd, etc. Unix users MUST be sure to download the common.tar.Z file
as well!
2. The 2000b level set for VM/ESA will be made available at a later
date. VM/ESA sites are not affected by the security vulnerability and
do not need to apply 2000b to secure their systems.
3. The 2000b level set is ONLY available for operating systems currently
supported by L-Soft. When browsing FTP.LSOFT.COM, you may find
installation kits for other operating systems, such as Ultrix or SunOS
4.x, but these kits are based on older versions and/or code bases.
L-Soft no longer has development machines for unsupported operating
systems and is not in a position to compile the 2000b level set for
these systems. This means no patch is or will be available for such
systems.
VERIFYING A SUCCESSFUL INSTALLATION
-----------------------------------
At the end of your installation or update, restart LISTSERV and send the
command SHOW LICENSE to make sure the installation was successful. The
update is in place only if:
1. the Build Date: value reported by the LISTSERV command SHOW LICENSE
is 16 July 2000 or later,
2. AND the file date of the wa* or wa.exe executable is 16 July 2000 or
later.
Note that BOTH of the above conditions must be met.
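As an added example (not L-Soft's code), the following script applies both checks above: it parses the Build Date: line out of a SHOW LICENSE reply and compares the file date of the wa executable against 16 July 2000. The exact layout of the SHOW LICENSE reply is an assumption; the sample reply below is constructed for illustration.

```python
"""Verify a LISTSERV 2000b update: Build Date and wa file date must both
be 16 July 2000 or later. Reply layout is an assumption, not L-Soft's spec."""
import os
import re
from datetime import date, datetime

PATCH_DATE = date(2000, 7, 16)  # first build that carries the security fix

# Constructed sample of a SHOW LICENSE reply (assumed format).
SAMPLE_REPLY = """\
License type:    Permanent
Build Date:      17 Jul 2000
Expiration date: None
"""


def build_date(reply: str):
    """Return the Build Date from a SHOW LICENSE reply, or None if absent
    or unparsable (a missing/garbled date must not count as a pass)."""
    m = re.search(r"^Build Date:\s*(.+?)\s*$", reply, re.MULTILINE)
    if not m:
        return None
    text = m.group(1)
    # Accept a few plausible spellings; the real one is an assumption.
    for fmt in ("%d %b %Y", "%d %B %Y", "%Y-%m-%d", "%m/%d/%Y"):
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            continue
    return None


def build_is_current(reply: str) -> bool:
    """Condition 1: Build Date is 16 July 2000 or later."""
    built = build_date(reply)
    return built is not None and built >= PATCH_DATE


def wa_is_current(wa_path: str) -> bool:
    """Condition 2: modification date of the wa/wa.exe copy the web server
    actually runs (the CGI copy, not the one in the LISTSERV Main directory)."""
    mtime = datetime.fromtimestamp(os.stat(wa_path).st_mtime).date()
    return mtime >= PATCH_DATE


def install_verified(reply: str, wa_path: str) -> bool:
    """Both conditions must hold; either one failing means the update is not in place."""
    return build_is_current(reply) and wa_is_current(wa_path)
```

Point `wa_path` at the wa executable in your cgi-bin directory, since that is the copy that must be replaced by hand.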