*************************************************************************
************************** SECURITY ADVISORY 1 **************************
*************************************************************************

A security exposure has been discovered and fixed in LISTSERV and
LISTSERV Lite. L-Soft recommends that all affected users apply the 2000b
level set immediately. Please note carefully that this exposure differs
from the exposure fixed by the 2000a level set released on 5 May 2000.

------------------------------- ABSTRACT --------------------------------

PRODUCTS AFFECTED:

- LISTSERV version 1.8d (confirmed), including LISTSERV Lite and Free
  Edition.
- LISTSERV version 1.8c (inferred), including LISTSERV Lite betas and
  Free Edition.
- LISTSERV version 1.8b and older are NOT affected.
- Note that support for version 1.8c (released January, 1997) was
  discontinued as of March 1, 1999, when version 1.8d was released. No
  patches are or will be available for version 1.8c.

OPERATING SYSTEMS AFFECTED:

- Windows NT/2000 (confirmed)
- unix (all vendors) (confirmed)
- OpenVMS AXP (confirmed).
- Windows 95/98, OpenVMS VAX (inferred).
- VM/ESA sites are NOT affected.

EXPOSURE:

Intruders may be able to gain non-interactive access to the system on
which LISTSERV is running. On a properly configured LISTSERV
installation, this access will be non-privileged. However it may be
possible for the intruder to gain root access if one of the following is
true:

- LISTSERV executables were granted privileges over and above those that
  are required and/or recommended for the particular operating system.
- The operating system is not secure (for instance, key system files have
  world write access because the system is installed on a FAT partition).

SOLUTION:

- Apply 2000b level set (see below). The problem cannot be circumvented.
- [Windows NT/2000] Make sure your boot/system drive is formatted for
  NTFS with suitable access control lists.
- Reminder: L-Soft does not recommend running LISTSERV on Windows 95/98
  because the OS and file system are fundamentally unsecure.

RISK RATING: HIGH

- Date the vulnerability appeared in code stream: January, 1996.
- Date of first reported exploit: July 13, 2000.
- Exploit widely known within hacker community since: No known incident.

INCIDENT CHRONOLOGY:

2000-07-13 Initial report, exposure 1 (one site)
2000-07-13 Emergency action initiated
2000-07-13 Patch A1 ready
2000-07-13 A1 delivered to reporting site
2000-07-13 A1 merged with 2000b level set
2000-07-13 A1 passed standard internal tests, ready for deployment
2000-07-15 Reporting site confirms A1 removes exposure
2000-07-15 Deployment held until 07/17 (weekend hold - exposure not leaked)
2000-07-15 2000b kit generation starting
2000-07-16 2000b kits ready for deployment
2000-07-17 2000b deployed

---------------------------- END OF ABSTRACT ----------------------------

THE 2000b LEVEL SET
-------------------

The security patch was developed on top of the 2000b level set code base,
which was scheduled for release around 01 August 2000. The 2000b code
base is identical to the previous (2000a) code base, with the addition of
new features specific to the Windows 2000 version (see below) and of the
following minor corrections:

18D-0027 00/06/08 [b] Fix typo in HPO recommendation message
18D-0029 00/07/15 [I] Report Tru64 variant along with version

The original purpose of the 2000b level set was to reassure Windows
customers that Windows 2000 is supported and certified for use with
LISTSERV. L-Soft had initially decided not to issue a level set only for
Windows 2000 support as LISTSERV required no changes to run on this
operating system, but customers were confused by messages in the LISTSERV
logs identifying the system as Windows NT 5.0. The 2000b level set
correctly identifies Windows 2000 and reports the operating system and
exact processor versions with more accuracy in benchmark reports.
LISTSERV is currently certified on Windows NT 4.0 SP3, SP4, SP5, SP6 and
SP6a, and on Windows 2000.

Note that the new installation program that was to be released together
with the 2000b level set for Windows is not ready. This expedited release
is based on the old installation program. The level set files for Windows
will be updated again once the new installation program is ready.

APPLYING THE 2000b LEVEL SET
----------------------------

Level sets are standard installation kits that have replaced the previous
installation kits on L-Soft's FTP and web servers. They can be used to
install a new copy of LISTSERV or upgrade an existing installation. A
level set is similar to a Windows NT CD-ROM with the latest service pack
pre-applied.

To download the 2000b level set, simply go to L-Soft's web site (or to
FTP.LSOFT.COM) and download an evaluation copy of LISTSERV or LISTSERV
Lite, then follow the included installation instructions (which include
Update instructions) for your operating system. The kits can be found at:

for LISTSERV (all platforms except VM/ESA):
http://www.lsoft.com/download/default.asp?item=listserveval

for LISTSERV-Lite (all platforms):
http://www.lsoft.com/products/default.asp?item=listserv_lite#download

Installation instructions for all platforms are always available from our
Documentation web site at http://www.lsoft.com/info/manuals.asp .

Remember that in ALL installations or updates you must MANUALLY copy the
wa* or wa.exe executable from the LISTSERV Main directory to wherever you
place your cgi-bin scripts on your webserver directory tree.

LICENSE KEY FOR THE 2000b LEVEL SET
-----------------------------------

The level set is a no-cost upgrade to customers already licensed for
version 1.8d and will work with your existing 1.8d license key. No new
key is necessary if your existing key is for Version 1.8d. (To see what
version your current license is for, issue the LISTSERV command SHOW
LICENSE by email to LISTSERV.)

The level set will NOT work with a 1.8c, 1.8b or older license key.

SPECIAL NOTES
-------------

1. Make sure to update ALL LISTSERV executables, including wa, lsv_amin,
   lcmd, etc. Unix users MUST be sure to download the common.tar.Z file
   as well!

2. The 2000b level set for VM/ESA will be made available at a later date.
   VM/ESA sites are not affected by the security vulnerability and do not
   need to apply 2000b to secure their systems.

3. The 2000b level set is ONLY available for operating systems currently
   supported by L-Soft. When browsing FTP.LSOFT.COM, you may find
   installation kits for other operating systems, such as Ultrix or SunOS
   4.x, but these kits are based on older versions and/or code bases.
   L-Soft no longer has development machines for unsupported operating
   systems and is not in a position to compile the 2000b level set for
   these systems. This means no patch is or will be available for such
   systems.

VERIFYING A SUCCESSFUL INSTALLATION
-----------------------------------

At the end of your installation or update, restart LISTSERV and send the
command SHOW LICENSE to make sure the installation was successful.

1. If the output of the Build Date: value from the LISTSERV command SHOW
   LICENSE is 16 July 2000 or later,

2. AND the file date of the wa* or wa.exe executable is 16 July 2000 or
   later.

Note that BOTH of the above conditions must be met.
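
The two verification conditions as a script. This is an added example,
not L-Soft's code. It assumes the SHOW LICENSE reply was saved as text
and contains a line of the form "Build Date: 16 July 2000" (the exact
layout is an assumption), and the file names are hypothetical. Passing
the cgi-bin copy of wa as well as the Main directory copy catches a
missed manual copy.

```python
import os
import re
import tempfile
from datetime import date, datetime

CUTOFF = date(2000, 7, 16)  # from the advisory: 16 July 2000 or later

def parse_build_date(reply):
    """Extract the 'Build Date:' value from a saved SHOW LICENSE reply."""
    m = re.search(r"^\s*Build Date:\s*(\d{1,2}) ([A-Za-z]+) (\d{4})",
                  reply, re.I | re.M)
    if not m:
        return None
    text = " ".join(m.groups())
    # Accept full or abbreviated month names (assumed formats).
    for fmt in ("%d %B %Y", "%d %b %Y"):
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            continue
    return None

def verify_install(reply, wa_paths):
    """Return a list of problems; an empty list means both conditions hold."""
    problems = []
    built = parse_build_date(reply)
    if built is None:
        problems.append("no Build Date found in SHOW LICENSE reply")
    elif built < CUTOFF:
        problems.append(f"LISTSERV build date {built} predates 2000b")
    for path in wa_paths:
        if not os.path.isfile(path):
            problems.append(f"{path}: missing")
            continue
        stamp = date.fromtimestamp(os.path.getmtime(path))
        if stamp < CUTOFF:
            problems.append(f"{path}: file date {stamp} predates 2000b")
    return problems

def demo():
    """Constructed case: server updated, cgi-bin copy of wa left stale."""
    reply = "Build Date:   16 July 2000\n"  # constructed sample reply line
    with tempfile.TemporaryDirectory() as d:
        main_wa, cgi_wa = os.path.join(d, "main_wa"), os.path.join(d, "cgi_wa")
        for path, when in ((main_wa, datetime(2000, 7, 16, 12)),
                           (cgi_wa, datetime(1999, 3, 1, 12))):
            open(path, "wb").close()
            os.utime(path, (when.timestamp(), when.timestamp()))
        return verify_install(reply, [main_wa, cgi_wa])

if __name__ == "__main__":
    print(demo() or "both conditions met")
```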