LISTSERV - LSTSRV-L Archives - COMMUNITY.EMAILOGY.COM

LSTSRV-L Archives

LISTSERV Site Administrators' Forum

LSTSRV-L

	LISTSERV Archives
	LSTSRV-L Home

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives
Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Topic:	[<< First] [< Prev] [Next >] [Last >>]
SECURITY ADVISORY FROM L-SOFT
Eric Thomas <[log in to unmask]>
Fri, 5 May 2000 19:33:58 +0200
text/plain (173 lines)
*************************************************************************
*************************** SECURITY ADVISORY ***************************
*************************************************************************

A  security  exposure has  been  discovered  and  fixed in  LISTSERV  and
LISTSERV Lite. L-Soft recommends that  all affected users apply the 2000a
level set immediately.

------------------------------- ABSTRACT --------------------------------
PRODUCTS AFFECTED:

- LISTSERV version 1.8d (confirmed), including LISTSERV Lite.

- LISTSERV version 1.8c (inferred), including LISTSERV Lite betas.

- LISTSERV version 1.8b and older are NOT affected.

- Note  that  support  for  version 1.8c  (released  January,  1997)  was
  discontinued March, 1999. No patches are available for version 1.8c.

OPERATING SYSTEMS AFFECTED:

- Windows NT/2000, unix (all vendors), OpenVMS AXP (confirmed).

- Windows 95/98, OpenVMS VAX (inferred).

- VM/ESA sites are NOT affected.

EXPOSURE:

Intruders may  be able to  gain non-interactive  access to the  system on
which   LISTSERV  is   running.   On  a   properly  configured   LISTSERV
installation, this access will be  non-privileged. It may be possible for
the intruder to gain root access if one of the following is true:

- LISTSERV  executables  were  granted  privileges over  those  that  are
  required and/or recommended for the particular operating system.

- The operating system is not secure (for instance, key system files have
  world write access because the system is installed on a FAT partition).

SOLUTION:

- Apply 2000a level set (see below). The problem cannot be circumvented.

- [Windows NT/2000]  Make sure  your boot/system  drive is  formatted for
  NTFS with suitable access control lists.

- Reminder: L-Soft does not recommend running LISTSERV on Windows 95/98.

RISK RATING: HIGH

- Date vulnerability appeared in code stream: January, 1996.

- Date of first reported exploit: April 29, 2000.

- Exploit widely known within hacker community since: May 4, 2000.

INCIDENT CHRONOLOGY:

2000-04-28 Initial report, exposure 1 (one site)
2000-04-28 Exposure 1 determined to be innocuous; no emergency action
2000-04-29 Initial report, exposure 2 (one site)
2000-04-29 Emergency action initiated
2000-04-29 Patch A1 ready (exposures 1 and 2)
2000-04-29 A1 delivered to reporting site
2000-04-30 A1 passed standard internal tests, ready for deployment
2000-04-30 Exposure 3 discovered by L-Soft; deployment of A1 cancelled
2000-05-01 Patch A2 ready (exposures 1, 2 and 3)
           NOTE: A2 required rewrite of core routines, schedule full
           live test before deployment!
2000-05-01 A2 delivered to reporting site
2000-05-02 A2 fails internal tests
2000-05-02 Patch A3 ready (exposures 1, 2 and 3)
2000-05-02 A3 delivered to reporting site
2000-05-02 A3 passed standard internal tests, ready for live test
2000-05-02 A3 live test starting [this is a 24h test]
2000-05-02 A3 merged with 2000a level set
2000-05-02 2000a kit generation starting
2000-05-03 2000a kits ready for deployment
2000-05-03 A3 passes live test, ready for deployment
2000-05-03 Deployment postponed to 05/04 due to time of day
2000-05-04 Deployment postponed to 05/05 due to I LOVE YOU virus emergency
2000-05-05 2000a deployed
---------------------------- END OF ABSTRACT ----------------------------

THE 2000a LEVEL SET
-------------------

The security patch was developed on top of the 2000a level set code base,
which was about to be released to customers. Merging the patch with 2000a
and expediting the release of the level set had the following advantages:

1. The patch did not need to be retrofitted to the 1999 code bases, which
   shortened development time significantly given the size of the fix for
   exposure 3.

2. L-Soft  can perform live  tests on the 2000a  code base in  house, but
   would have  had to enlist customer  assistance for a 1999a  live test,
   which would have introduced additional delays.

3. The recent  I LOVE YOU emergency makes it  desirable to accelerate the
   deployment of 2000a, which includes a  new feature that can help fight
   this kind of virus.

4. Being a level set, the patch  is easier to fetch and install. There is
   no risk of downloading a version of the patch for the wrong code base.

The only drawback is that you  are required to apply unrelated changes to
secure  your  system. L-Soft  has  been  using  the  2000a level  set  in
production since March and estimates that about 350 million messages have
been successfully delivered through this code base.

The 2000a level set includes all known fixes up to March 3, 2000, and the
following between-release enhancements:

- Support for a  new keyword, "Attachments=", allowing  attachments to be
  filtered from mailing lists. Documentation for this new feature will be
  released shortly, along  with practical guidelines for  filtering the I
  LOVE YOU virus and its derivatives.

- Support  for multi-line  substitutions in  mail-merge jobs  (previously
  available from L-Soft support through a special patch).

- Miscellaneous  performance  improvements  and  new  performance-related
  features for LISTSERV HPO. Documentation will follow shortly.

APPLYING THE 2000a LEVEL SET
----------------------------

Level  sets are  standard  installation kits  that  replace the  previous
installation kits  on L-Soft's FTP and  web servers. They can  be used to
install a  new copy of  LISTSERV or  upgrade an existing  installation. A
level set is similar to a Windows  NT CD-ROM with the latest service pack
pre-applied.

To download the  2000a level set, simply  go to L-Soft's web  site (or to
FTP.LSOFT.COM) and  download an evaluation  copy of LISTSERV  or LISTSERV
Lite,  then  follow  the  installation instructions  for  your  operating
system. The kits can be found at:

http://www.lsoft.com/download/default.asp?item=listserveval

http://www.lsoft.com/products/default.asp?item=listserv_lite#download

LICENSE KEY FOR THE 2000a LEVEL SET
-----------------------------------

The level set is a no-cost upgrade to customers licensed for version 1.8d
and will work with your existing 1.8d license key.

The level set will NOT work with a 1.8c, 1.8b or older license key.

SPECIAL NOTES
-------------

1. Make sure to update  ALL LISTSERV executables, including WA, lsv_amin,
   lcmd, etc.

2. The 2000a level set for VM/ESA will be made available at a later date.
   VM/ESA sites are not affected by the security vulnerability and do not
   need to apply  2000a to secure their systems, so  its delivery was not
   rushed. The VM/ESA version uses a different software update mechanism,
   which requires additional development work to release a level set.

3. The 2000a level set is  only available for operating systems currently
   supported  by  L-Soft.  When  browsing  FTP.LSOFT.COM,  you  may  find
   installation kits for other operating systems, such as Ultrix or SunOS
   4.x, but these kits will be based on older versions and/or code bases.
   L-Soft no  longer has  development machines for  unsupported operating
   systems and is  not in a position  to compile the 2000a  level set for
   these systems.
ATOM RSS1 RSS2
COMMUNITY.EMAILOGY.COM