*************************************************************************
*************************** SECURITY ADVISORY ***************************
*************************************************************************

A security exposure has been discovered and fixed in LISTSERV and LISTSERV
Lite. L-Soft recommends that all affected users apply the 2000a level set
immediately.

------------------------------- ABSTRACT --------------------------------

PRODUCTS AFFECTED:

- LISTSERV version 1.8d (confirmed), including LISTSERV Lite.
- LISTSERV version 1.8c (inferred), including LISTSERV Lite betas.
- LISTSERV version 1.8b and older are NOT affected.
- Note that support for version 1.8c (released January, 1997) was
  discontinued March, 1999. No patches are available for version 1.8c.

OPERATING SYSTEMS AFFECTED:

- Windows NT/2000, unix (all vendors), OpenVMS AXP (confirmed).
- Windows 95/98, OpenVMS VAX (inferred).
- VM/ESA sites are NOT affected.

EXPOSURE:

Intruders may be able to gain non-interactive access to the system on which
LISTSERV is running. On a properly configured LISTSERV installation, this
access will be non-privileged. It may be possible for the intruder to gain
root access if one of the following is true:

- LISTSERV executables were granted privileges over those that are required
  and/or recommended for the particular operating system.
- The operating system is not secure (for instance, key system files have
  world write access because the system is installed on a FAT partition).

SOLUTION:

- Apply the 2000a level set (see below). The problem cannot be circumvented.
- [Windows NT/2000] Make sure your boot/system drive is formatted for NTFS
  with suitable access control lists.
- Reminder: L-Soft does not recommend running LISTSERV on Windows 95/98.

RISK RATING: HIGH

- Date vulnerability appeared in code stream: January, 1996.
- Date of first reported exploit: April 29, 2000.
- Exploit widely known within hacker community since: May 4, 2000.
INCIDENT CHRONOLOGY:

2000-04-28  Initial report, exposure 1 (one site)
2000-04-28  Exposure 1 determined to be innocuous; no emergency action
2000-04-29  Initial report, exposure 2 (one site)
2000-04-29  Emergency action initiated
2000-04-29  Patch A1 ready (exposures 1 and 2)
2000-04-29  A1 delivered to reporting site
2000-04-30  A1 passed standard internal tests, ready for deployment
2000-04-30  Exposure 3 discovered by L-Soft; deployment of A1 cancelled
2000-05-01  Patch A2 ready (exposures 1, 2 and 3)
            NOTE: A2 required rewrite of core routines, schedule full live
            test before deployment!
2000-05-01  A2 delivered to reporting site
2000-05-02  A2 fails internal tests
2000-05-02  Patch A3 ready (exposures 1, 2 and 3)
2000-05-02  A3 delivered to reporting site
2000-05-02  A3 passed standard internal tests, ready for live test
2000-05-02  A3 live test starting [this is a 24h test]
2000-05-02  A3 merged with 2000a level set
2000-05-02  2000a kit generation starting
2000-05-03  2000a kits ready for deployment
2000-05-03  A3 passes live test, ready for deployment
2000-05-03  Deployment postponed to 05/04 due to time of day
2000-05-04  Deployment postponed to 05/05 due to I LOVE YOU virus emergency
2000-05-05  2000a deployed

---------------------------- END OF ABSTRACT ----------------------------

THE 2000a LEVEL SET
-------------------

The security patch was developed on top of the 2000a level set code base,
which was about to be released to customers. Merging the patch with 2000a
and expediting the release of the level set had the following advantages:

1. The patch did not need to be retrofitted to the 1999 code bases, which
   shortened development time significantly given the size of the fix for
   exposure 3.

2. L-Soft can perform live tests on the 2000a code base in house, but would
   have had to enlist customer assistance for a 1999a live test, which would
   have introduced additional delays.

3. The recent I LOVE YOU emergency makes it desirable to accelerate the
   deployment of 2000a, which includes a new feature that can help fight
   this kind of virus.

4. Being a level set, the patch is easier to fetch and install. There is no
   risk of downloading a version of the patch for the wrong code base.

The only drawback is that you are required to apply unrelated changes to
secure your system. L-Soft has been using the 2000a level set in production
since March and estimates that about 350 million messages have been
successfully delivered through this code base.

The 2000a level set includes all known fixes up to March 3, 2000, and the
following between-release enhancements:

- Support for a new keyword, "Attachments=", allowing attachments to be
  filtered from mailing lists. Documentation for this new feature will be
  released shortly, along with practical guidelines for filtering the
  I LOVE YOU virus and its derivatives.
- Support for multi-line substitutions in mail-merge jobs (previously
  available from L-Soft support through a special patch).
- Miscellaneous performance improvements and new performance-related
  features for LISTSERV HPO. Documentation will follow shortly.

APPLYING THE 2000a LEVEL SET
----------------------------

Level sets are standard installation kits that replace the previous
installation kits on L-Soft's FTP and web servers. They can be used to
install a new copy of LISTSERV or upgrade an existing installation. A level
set is similar to a Windows NT CD-ROM with the latest service pack
pre-applied.

To download the 2000a level set, simply go to L-Soft's web site (or to
FTP.LSOFT.COM) and download an evaluation copy of LISTSERV or LISTSERV Lite,
then follow the installation instructions for your operating system.
The kits can be found at:

   http://www.lsoft.com/download/default.asp?item=listserveval
   http://www.lsoft.com/products/default.asp?item=listserv_lite#download

LICENSE KEY FOR THE 2000a LEVEL SET
-----------------------------------

The level set is a no-cost upgrade to customers licensed for version 1.8d
and will work with your existing 1.8d license key. The level set will NOT
work with a 1.8c, 1.8b or older license key.

SPECIAL NOTES
-------------

1. Make sure to update ALL LISTSERV executables, including WA, lsv_amin,
   lcmd, etc.

2. The 2000a level set for VM/ESA will be made available at a later date.
   VM/ESA sites are not affected by the security vulnerability and do not
   need to apply 2000a to secure their systems, so its delivery was not
   rushed. The VM/ESA version uses a different software update mechanism,
   which requires additional development work to release a level set.

3. The 2000a level set is only available for operating systems currently
   supported by L-Soft. When browsing FTP.LSOFT.COM, you may find
   installation kits for other operating systems, such as Ultrix or
   SunOS 4.x, but these kits will be based on older versions and/or code
   bases. L-Soft no longer has development machines for unsupported
   operating systems and is not in a position to compile the 2000a level
   set for these systems.
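As an added defender-side check on unix installations (not part of this advisory or of the LISTSERV kit), the POSIX shell helper below audits a LISTSERV directory tree for the two conditions the EXPOSURE section names as turning non-privileged access into root: executables carrying setuid/setgid bits and files or directories with world write access. The install path and the executable names beyond those in Special Note 1 are assumptions, and the sample tree it builds is constructed for demonstration.

```shell
#!/bin/sh
# Added audit helper; not part of the L-Soft advisory or the LISTSERV kit.
# Assumption: LISTSERV's files live under one directory (e.g. /usr/local/listserv)
# and its executables (lsv, wa, lsv_amin, lcmd) are meant to run without
# setuid/setgid. The advisory says a non-privileged foothold becomes root only
# if executables carry extra privileges or key files are world-writable, so
# the audit reports exactly those two conditions, one finding per line.

audit_listserv_perms() {
    dir=$1
    # Regular files whose setuid (4000) or setgid (2000) bit is set
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | sed 's/^/SETUID-OR-SETGID: /'
    # Files or directories writable by everyone (other-write bit, 0002)
    find "$dir" -perm -0002 2>/dev/null \
        | sed 's/^/WORLD-WRITABLE: /'
}

# Number of findings; 0 means the tree is clean on both conditions
count_findings() {
    audit_listserv_perms "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree (stand-in for a LISTSERV home directory)
# with one of each problem plus one clean executable.
make_sample_tree() {
    root=$(mktemp -d)            # mktemp gives mode 700, so root is not flagged
    mkdir "$root/home"
    : > "$root/home/lsv";  chmod 755  "$root/home/lsv"   # clean
    : > "$root/home/lcmd"; chmod 4755 "$root/home/lcmd"  # setuid: flagged
    : > "$root/home/wa";   chmod 666  "$root/home/wa"    # world-writable: flagged
    echo "$root"
}

sample=$(make_sample_tree)
audit_listserv_perms "$sample"
echo "findings: $(count_findings "$sample")"   # 2 on the sample tree
rm -rf "$sample"
```

Point `audit_listserv_perms` at the real LISTSERV directory; any line it prints is a deviation from the privilege level the advisory assumes for a "properly configured" installation.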