*************************************************************************
*************************** SECURITY ADVISORY ***************************
*************************************************************************
A security exposure has been discovered and fixed in LISTSERV and
LISTSERV Lite. L-Soft recommends that all affected users apply the 2000a
level set immediately.
------------------------------- ABSTRACT --------------------------------
PRODUCTS AFFECTED:
- LISTSERV version 1.8d (confirmed), including LISTSERV Lite.
- LISTSERV version 1.8c (inferred), including LISTSERV Lite betas.
- LISTSERV version 1.8b and older are NOT affected.
- Note that support for version 1.8c (released January, 1997) was
discontinued March, 1999. No patches are available for version 1.8c.
OPERATING SYSTEMS AFFECTED:
- Windows NT/2000, unix (all vendors), OpenVMS AXP (confirmed).
- Windows 95/98, OpenVMS VAX (inferred).
- VM/ESA sites are NOT affected.
EXPOSURE:
Intruders may be able to gain non-interactive access to the system on
which LISTSERV is running. On a properly configured LISTSERV
installation, this access will be non-privileged. It may be possible for
the intruder to gain root access if one of the following is true:
- LISTSERV executables were granted privileges over those that are
required and/or recommended for the particular operating system.
- The operating system is not secure (for instance, key system files have
world write access because the system is installed on a FAT partition).
SOLUTION:
- Apply the 2000a level set (see below). There is no workaround; the
  problem cannot be circumvented by configuration.
- [Windows NT/2000] Make sure your boot/system drive is formatted for
NTFS with suitable access control lists.
- Reminder: L-Soft does not recommend running LISTSERV on Windows 95/98.
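The two preconditions the EXPOSURE section names for turning non-privileged
access into a root exposure (LISTSERV executables carrying more privilege
than required, and key files being world-writable) can both be audited with
an ordinary find walk on unix. The following POSIX shell script is an added
example, not part of L-Soft's advisory or of the 2000a kit: the directory it
audits is whatever path you pass it, the demo tree it builds is constructed
for illustration, the executable names wa, lsv_amin and lcmd are taken from
the special notes in this advisory, and example.cfg is an invented file name.

```shell
#!/bin/sh
# Added audit check (not L-Soft code): report files under a directory tree
# that are setuid/setgid or world-writable. Each finding is printed on its
# own line, tagged with the condition it matched.
audit_privs() {
    dir="$1"
    # Executables with the setuid (4000) or setgid (2000) bit: more
    # privilege than an ordinary LISTSERV binary needs.
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null \
        | sed 's/^/SETUID_OR_SETGID /'
    # Files or directories any local user can write (o+w): an attacker who
    # has only non-privileged access can still replace or alter them.
    find "$dir" \( -type f -o -type d \) -perm -0002 -print 2>/dev/null \
        | sed 's/^/WORLD_WRITABLE /'
}

# Number of findings under $1; "0" means the tree passed the check.
audit_privs_count() {
    audit_privs "$1" | wc -l | tr -d ' '
}

# Constructed demo tree (assumed layout, not a real LISTSERV install) so the
# check can be exercised offline. Permissions are set explicitly so the
# result does not depend on the caller's umask.
demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/home/tmpdir"
    chmod 0755 "$t/home"
    for exe in lsv_amin lcmd; do
        printf '#!/bin/sh\n' > "$t/home/$exe"
        chmod 0755 "$t/home/$exe"       # correct: plain executable
    done
    printf '#!/bin/sh\n' > "$t/home/wa"
    chmod 4755 "$t/home/wa"             # wrong: setuid bit set
    : > "$t/home/example.cfg"
    chmod 0666 "$t/home/example.cfg"    # wrong: world-writable file
    chmod 0777 "$t/home/tmpdir"         # wrong: world-writable directory
    echo "$t"
}

# Usage: sh audit_privs.sh /path/to/listserv/home
if [ "${1:-}" != "" ]; then
    audit_privs "$1"
fi
```

Run against the demo tree the script reports wa, example.cfg and tmpdir and
nothing else; against a real installation an empty result is what you want
to see before and after applying the level set. On Windows NT/2000 the
equivalent check is the NTFS access control list review the solution
section recommends; a FAT partition has no ACLs to audit, which is exactly
the condition described.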
RISK RATING: HIGH
- Date vulnerability appeared in code stream: January, 1996.
- Date of first reported exploit: April 29, 2000.
- Exploit widely known within hacker community since: May 4, 2000.
INCIDENT CHRONOLOGY:
2000-04-28 Initial report, exposure 1 (one site)
2000-04-28 Exposure 1 determined to be innocuous; no emergency action
2000-04-29 Initial report, exposure 2 (one site)
2000-04-29 Emergency action initiated
2000-04-29 Patch A1 ready (exposures 1 and 2)
2000-04-29 A1 delivered to reporting site
2000-04-30 A1 passed standard internal tests, ready for deployment
2000-04-30 Exposure 3 discovered by L-Soft; deployment of A1 cancelled
2000-05-01 Patch A2 ready (exposures 1, 2 and 3)
NOTE: A2 required rewrite of core routines, schedule full
live test before deployment!
2000-05-01 A2 delivered to reporting site
2000-05-02 A2 fails internal tests
2000-05-02 Patch A3 ready (exposures 1, 2 and 3)
2000-05-02 A3 delivered to reporting site
2000-05-02 A3 passed standard internal tests, ready for live test
2000-05-02 A3 live test starting [this is a 24h test]
2000-05-02 A3 merged with 2000a level set
2000-05-02 2000a kit generation starting
2000-05-03 2000a kits ready for deployment
2000-05-03 A3 passes live test, ready for deployment
2000-05-03 Deployment postponed to 05/04 due to time of day
2000-05-04 Deployment postponed to 05/05 due to I LOVE YOU virus emergency
2000-05-05 2000a deployed
---------------------------- END OF ABSTRACT ----------------------------
THE 2000a LEVEL SET
-------------------
The security patch was developed on top of the 2000a level set code base,
which was about to be released to customers. Merging the patch with 2000a
and expediting the release of the level set had the following advantages:
1. The patch did not need to be retrofitted to the 1999 code bases, which
shortened development time significantly given the size of the fix for
exposure 3.
2. L-Soft can perform live tests on the 2000a code base in house, but
would have had to enlist customer assistance for a 1999a live test,
which would have introduced additional delays.
3. The recent I LOVE YOU emergency makes it desirable to accelerate the
deployment of 2000a, which includes a new feature that can help fight
this kind of virus.
4. Being a level set, the patch is easier to fetch and install. There is
no risk of downloading a version of the patch for the wrong code base.
The only drawback is that you are required to apply unrelated changes to
secure your system. L-Soft has been using the 2000a level set in
production since March and estimates that about 350 million messages have
been successfully delivered through this code base.
The 2000a level set includes all known fixes up to March 3, 2000, and the
following between-release enhancements:
- Support for a new keyword, "Attachments=", allowing attachments to be
filtered from mailing lists. Documentation for this new feature will be
released shortly, along with practical guidelines for filtering the I
LOVE YOU virus and its derivatives.
- Support for multi-line substitutions in mail-merge jobs (previously
available from L-Soft support through a special patch).
- Miscellaneous performance improvements and new performance-related
features for LISTSERV HPO. Documentation will follow shortly.
APPLYING THE 2000a LEVEL SET
----------------------------
Level sets are standard installation kits that replace the previous
installation kits on L-Soft's FTP and web servers. They can be used to
install a new copy of LISTSERV or upgrade an existing installation. A
level set is similar to a Windows NT CD-ROM with the latest service pack
pre-applied.
To download the 2000a level set, simply go to L-Soft's web site (or to
FTP.LSOFT.COM) and download an evaluation copy of LISTSERV or LISTSERV
Lite, then follow the installation instructions for your operating
system. The kits can be found at:
http://www.lsoft.com/download/default.asp?item=listserveval
http://www.lsoft.com/products/default.asp?item=listserv_lite#download
LICENSE KEY FOR THE 2000a LEVEL SET
-----------------------------------
The level set is a no-cost upgrade to customers licensed for version 1.8d
and will work with your existing 1.8d license key.
The level set will NOT work with a 1.8c, 1.8b or older license key.
SPECIAL NOTES
-------------
1. Make sure to update ALL LISTSERV executables, including WA, lsv_amin,
lcmd, etc.
2. The 2000a level set for VM/ESA will be made available at a later date.
VM/ESA sites are not affected by the security vulnerability and do not
need to apply 2000a to secure their systems, so its delivery was not
rushed. The VM/ESA version uses a different software update mechanism,
which requires additional development work to release a level set.
3. The 2000a level set is only available for operating systems currently
supported by L-Soft. When browsing FTP.LSOFT.COM, you may find
installation kits for other operating systems, such as Ultrix or SunOS
4.x, but these kits will be based on older versions and/or code bases.
L-Soft no longer has development machines for unsupported operating
systems and is not in a position to compile the 2000a level set for
these systems.