*************************************************************************
*************************** SECURITY ADVISORY ***************************
*************************************************************************

A security exposure has been discovered and fixed in the LISTSERV web
interface (including LISTSERV Maestro, LISTSERV HPO, LISTSERV Lite, and
LISTSERV Free Edition). L-Soft recommends that all affected users apply
the patch immediately.

------------------------------- ABSTRACT --------------------------------

PRODUCTS AFFECTED:

- LISTSERV version 14.3 (confirmed), including LISTSERV Lite and HPO.
- LISTSERV version 1.8e (confirmed), including LISTSERV Lite and HPO.
- LISTSERV version 1.8d (inferred), including LISTSERV Lite and HPO.
- Older versions are not believed to be affected.
- LISTSERV Free Edition is LISTSERV Lite with special licensing terms.
  What applies to LISTSERV Lite in this advisory applies also to
  LISTSERV Free Edition.
- Support for version 1.8e (released May 22, 2002) was discontinued
  December 31, 2004. No patches are available for version 1.8e or older.

OPERATING SYSTEMS AFFECTED:

- Windows, unix (all vendors), OpenVMS AXP (confirmed).
- VM sites are not affected.

EXCEPTIONS/SPECIAL NOTES:

- Customers not using the LISTSERV web interface are not vulnerable.
- The LISTSERV Maestro web interface is not vulnerable; however,
  LISTSERV Maestro installations typically host both LISTSERV and
  LISTSERV Maestro web interfaces, and in such cases they are vulnerable.
- The 10 January 2005 and later builds of LISTSERV version 14.3 are less
  vulnerable, but L-Soft recommends that they be upgraded anyway.
- LISTSERV version 14.4 (beta) is not vulnerable.

EXPOSURE:

On a correctly configured LISTSERV installation running the LISTSERV web
interface with normal CGI privileges, intruders may be able to gain
non-privileged access to the system on which the web interface script
is running.
The executable in question is called 'WA.EXE' on Windows and VMS, and
'wa' on unix. In the remainder of this advisory, this script will be
called "WA" regardless of operating system.

The exposure may be more severe if WA is configured to run with
privileges beyond those recommended by L-Soft or, for Windows, if the
system partition is using the FAT or FAT32 file system.

SOLUTION:

- Apply 2005a level set.

OR:

- Update just WA from 2005a level set.

The vulnerability cannot be circumvented, other than by disabling the
web interface altogether.

RISK RATING: HIGH

- Date of first reported exploit: May 20, 2005.
- Exploit widely known within hacker community since: no known incident.

INCIDENT CHRONOLOGY:

2005-05-20  Initial report to L-Soft support
2005-05-20  More information requested
2005-05-21  Detailed information received
2005-05-21  Internal escalation
2005-05-22  Problem not reproduced
2005-05-23  Problem reproduced
2005-05-23  Emergency correction initiated
2005-05-24  Patch A1 ready
2005-05-24  A1 delivered to reporting site
2005-05-24  A1 passed standard internal tests, ready for deployment
2005-05-24  2005a kit generation starting
2005-05-24  2005a kits ready for deployment
2005-05-25  Reporting site confirms A1 removes exposure
2005-05-25  2005a deployed
2005-05-25  Security Advisory distributed to Maintenance customers
2005-05-25  Security Advisory distributed to LSTSRV-L
2005-05-25  Security Advisory distributed to LISTSERV-Developers
2005-05-25  Security Advisory distributed to LISTSERV-Lite
2005-05-25  Security Advisory distributed to Updates-LISTSERV

---------------------------- END OF ABSTRACT ----------------------------

THE 2005a LEVEL SET
-------------------

The only change in the 2005a level set is an updated WA executable.
There is no user-visible change or new functionality after applying the
2005a level set. L-Soft intends to deliver new functionality to
customers through the upcoming 14.4 release, which is currently in beta.
Future 14.3 level sets, if any, are not expected to include any new
functionality.

APPLYING THE 2005a LEVEL SET
----------------------------

This level set can be installed as a normal level set upgrade, which
will require that LISTSERV be stopped during the upgrade, or you can opt
to extract the updated WA executable from the kit and replace it on the
fly, which is less disruptive, but also more complicated. If in doubt,
perform a normal upgrade.

If you perform an on-the-fly upgrade, you will have to update WA in two
locations: your web server's CGI directory, and LISTSERV's own directory
tree. If you do not update the CGI directory, the patch is not active.
If you do not update the copy of WA in the LISTSERV directory and later
use one of the L-Soft setup/installation tools to move your LISTSERV web
directory, the tool may copy the unpatched version of WA to the new
location and re-introduce the vulnerability.

Regardless of which method you choose, be sure to verify that the patch
is online by loading the following URL:

- Windows, VMS: http://.../wa.exe?DEBUG-SHOW-VERSION
- unix:         http://.../wa?DEBUG-SHOW-VERSION

The compilation date should read 24 May 2005 or later.

DOWNLOADING THE 2005a LEVEL SET
-------------------------------

To download the 2005a level set, go to L-Soft's web site and download an
evaluation copy of LISTSERV Lite if this is what you are running, or
LISTSERV Classic in all other cases (Classic, HPO, Maestro, etc). This
evaluation kit will upgrade your existing LISTSERV installation. It will
NOT turn it into an evaluation version. The kits can be found at:

http://www.lsoft.com/download/listserv.asp
http://www.lsoft.com/download/listservlite.asp

MacOS beta sites will instead find the level set at the same location as
the original beta installation kits.
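
The verification steps from APPLYING THE 2005a LEVEL SET, written out as an added example that is not part of the advisory or of L-Soft's tooling: it checks that the compilation date reported by DEBUG-SHOW-VERSION is 24 May 2005 or later, and that the two copies of WA are byte-identical so an on-the-fly upgrade that touched only one location is caught. The date format on the version page and the names WA_URL, CGI_WA and LISTSERV_WA are assumptions.

```shell
#!/bin/sh
# Added example (not L-Soft code): post-patch checks for WA.
# Assumption: the DEBUG-SHOW-VERSION page shows the compilation date as
# "24 May 2005" (day, English month name, year); adjust the pattern if not.

PATCH_DATE=20050524   # 24 May 2005, the date given in the advisory

# Read page text on stdin; print the first date found as YYYYMMDD.
build_date_key() {
    d=$(grep -Eo '[0-9]{1,2} (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]* [0-9]{4}' | head -n 1)
    [ -n "$d" ] || return 1
    set -- $d                      # $1=day  $2=month  $3=year
    case $2 in
        Jan*) m=01 ;; Feb*) m=02 ;; Mar*) m=03 ;; Apr*) m=04 ;;
        May*) m=05 ;; Jun*) m=06 ;; Jul*) m=07 ;; Aug*) m=08 ;;
        Sep*) m=09 ;; Oct*) m=10 ;; Nov*) m=11 ;; Dec*) m=12 ;;
    esac
    # Strip a leading zero from the day so printf does not read it as octal.
    printf '%s%s%02d\n' "$3" "$m" "${1#0}"
}

# Exit 0 if the served WA is patched, 1 if older, 2 if no date was found.
wa_is_patched() {
    key=$(build_date_key) || return 2
    [ "$key" -ge "$PATCH_DATE" ]
}

# Exit 0 only if both copies of WA exist and are byte-identical.
wa_copies_match() {
    [ -f "$1" ] && [ -f "$2" ] && cmp -s "$1" "$2"
}

# Typical use (WA_URL, CGI_WA and LISTSERV_WA are site-specific placeholders):
#   curl -s "$WA_URL?DEBUG-SHOW-VERSION" | wa_is_patched && echo "patch online"
#   wa_copies_match "$CGI_WA" "$LISTSERV_WA" || echo "copies differ"
```
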
ACKNOWLEDGEMENTS
----------------

L-Soft would like to thank Peter Winter-Smith of Next Generation
Security Software (www.ngssoftware.com) for reporting this problem and
providing information and assistance well past regular business hours.