

SECURITY ADVISORY
05 May 2000

A security exposure has been discovered and fixed in LISTSERV® and LISTSERV®-Lite. L-Soft recommends that ALL affected users apply the 2000a level set immediately.

ABSTRACT

PRODUCTS AFFECTED:

  • LISTSERV version 1.8d (confirmed), including LISTSERV Lite and Free Edition.
  • LISTSERV version 1.8c (inferred), including LISTSERV Lite betas and Free Edition.
  • LISTSERV version 1.8b and older are NOT affected.
  • Note that support for version 1.8c (released January, 1997) was discontinued as of March 1, 1999, when version 1.8d was released. No patches are or will be available for version 1.8c.

OPERATING SYSTEMS AFFECTED:

  • Windows NT 3.5x, 4.0, 2000 (confirmed)
  • Unix (all vendors) (confirmed)
  • OpenVMS AXP (confirmed)
  • Windows 95/98, OpenVMS VAX (inferred).
  • VM/ESA sites are NOT affected.

THE EXPOSURE:

Intruders may be able to gain non-interactive access to the system on which LISTSERV is running. On a properly configured LISTSERV installation, this access will be non-privileged. However, it may be possible for the intruder to gain root access if one of the following is true:

  • LISTSERV executables were granted privileges over and above those that are required and/or recommended for the particular operating system.
  • The operating system is not secure (for instance, key system files have world write access because the system is installed on a FAT partition).

SOLUTION:

  • You must apply the 2000a level set (see below). The problem cannot be circumvented.
  • [Windows NT/2000] Make sure your boot/system drive is formatted for NTFS with suitable access control lists.
  • Reminder: L-Soft does not recommend running LISTSERV on Windows 95/98 because the OS and file system are fundamentally insecure.

RISK RATING: HIGH

  • Date the vulnerability appeared in code stream: January, 1996.
  • Date of first reported exploit: April 29, 2000.
  • Exploit widely known within hacker community since: May 4, 2000.

INCIDENT CHRONOLOGY:

2000-04-28 Initial report, exposure 1 (one site)
2000-04-28 Exposure 1 determined to be innocuous; no emergency action
2000-04-29 Initial report, exposure 2 (one site)
2000-04-29 Emergency action initiated
2000-04-29 Patch A1 ready (exposures 1 and 2)
2000-04-29 A1 delivered to reporting site
2000-04-30 A1 passed standard internal tests, ready for deployment
2000-04-30 Exposure 3 discovered by L-Soft; deployment of A1 cancelled
2000-05-01 Patch A2 ready (exposures 1, 2 and 3)
   NOTE: A2 required rewrite of core routines, schedule full live test before deployment!
2000-05-01 A2 delivered to reporting site
2000-05-02 A2 fails internal tests
2000-05-02 Patch A3 ready (exposures 1, 2 and 3)
2000-05-02 A3 delivered to reporting site
2000-05-02 A3 passed standard internal tests, ready for live test
2000-05-02 A3 live test starting [this is a 24hr test]
2000-05-02 A3 merged with 2000a level set
2000-05-02 2000a kit generation starting
2000-05-03 2000a kits ready for deployment
2000-05-03 A3 passes live test, ready for deployment
2000-05-03 Deployment postponed to 05/04 due to time of day
2000-05-04 Deployment postponed to 05/05 due to I LOVE YOU virus emergency
2000-05-05 2000a deployed

END OF ABSTRACT

THE 2000a LEVEL SET

The security patch was developed on top of the 2000a level set code base, which was about to be released to customers. Merging the patch with 2000a and expediting the release of the level set had the following advantages:

  1. The patch did not need to be retrofitted to the 1999 code bases, which shortened development time significantly given the size of the fix for exposure 3.
  2. L-Soft can perform live tests on the 2000a code base in house, but would have had to enlist customer assistance for a 1999a live test, which would have introduced additional delays.
  3. The recent "I LOVE YOU" email virus emergency makes it desirable to accelerate the deployment of 2000a, which includes a new feature that can help fight this kind of virus.
  4. Being a level set, the patch is easier to fetch and install. There is no risk of downloading a version of the patch for the wrong code base.

The only drawback is that you are required to apply unrelated changes to secure your system. L-Soft has been using the 2000a level set in production since March, 2000 and estimates that about 350 million messages have been successfully delivered through this code base.

The 2000a level set includes all known fixes up to March 3, 2000, and the following between-release enhancements:

  • Support for a new keyword, "Attachments=", allowing attachments to be filtered from mailing list traffic. Documentation for this new feature will be released shortly, along with practical guidelines for filtering the I LOVE YOU virus and its derivatives.
  • Support for multi-line substitutions in mail-merge jobs (previously available from L-Soft Support through a special patch).
  • Miscellaneous performance improvements and new performance-related features for LISTSERV HPO. Documentation will follow shortly.

Read the Release Notes for detailed instructions on using these enhancements.

APPLYING THE 2000a LEVEL SET

Level sets are standard installation kits that have replaced the previous installation kits on L-Soft's FTP and web servers. They can be used to install a new copy of LISTSERV or upgrade an existing installation. A level set is similar to a Windows NT CD-ROM with the latest service pack pre-applied.

To download the 2000a level set, simply go to L-Soft's web site (or to FTP.LSOFT.COM) and download an evaluation copy of LISTSERV or LISTSERV Lite, then follow the included installation instructions (which include Update instructions) for your operating system. The kits can be found at:

for LISTSERV (all platforms except VM/ESA):
http://www.lsoft.com/download/listserv.asp

for LISTSERV-Lite (all platforms):
http://www.lsoft.com/download/listservlite.asp

Installation instructions for all platforms are always available from our Documentation web site.

Remember that in ALL installations or updates you must MANUALLY copy the wa* or wa.exe executable from the LISTSERV Main directory to wherever you place your cgi-bin scripts in your web server's directory tree.

LICENSE KEY FOR THE 2000a LEVEL SET

The level set is a no-cost upgrade to customers licensed for version 1.8d and will work with your existing 1.8d license key.

The level set will NOT work with a 1.8c, 1.8b or older license key.

SPECIAL NOTES

  1. Make sure to update ALL LISTSERV executables, including WA, lsv_amin, lcmd, etc.
    Unix users MUST be sure to download the common.tar.Z file as well!
  2. The 2000a level set for VM/ESA will be made available at a later date. VM/ESA sites are not affected by the security vulnerability and do not need to apply 2000a to secure their systems, so its delivery was not rushed. The VM/ESA version uses a different software update mechanism, which requires additional development work to release a level set.
  3. The 2000a level set is ONLY available for operating systems currently supported by L-Soft. When browsing FTP.LSOFT.COM, you may find installation kits for other operating systems, such as Ultrix or SunOS 4.x, but these kits are based on older versions and/or code bases. L-Soft no longer has development machines for unsupported operating systems and is not in a position to compile the 2000a level set for these systems. This means no patch is or will be available for such systems.

VERIFYING A SUCCESSFUL INSTALLATION

At the end of your installation or update, restart LISTSERV and send the command SHOW LICENSE to make sure the installation was successful. The installation was successful if:

  1. The Build Date: value in the output of the LISTSERV command SHOW LICENSE
    is 3 MARCH 2000 or later,
  2. AND the file date of the wa* or wa.exe executable is 2 MAY 2000 or later.
Note that BOTH of the above conditions must be met.
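
The two checks above as a script, with one extra comparison that catches a cgi-bin copy of wa left behind by a skipped manual copy step (see APPLYING THE 2000a LEVEL SET). This is an added example, not L-Soft code: the layout of the Build Date: line, the function names and the file paths are assumptions, and the sample input is constructed.

```python
import hashlib, os, re, tempfile
from datetime import date, datetime
from pathlib import Path

MIN_BUILD = date(2000, 3, 3)   # advisory: Build Date must be 3 MARCH 2000 or later
MIN_WA = date(2000, 5, 2)      # advisory: wa file date must be 2 MAY 2000 or later
MONTHS = {m: i + 1 for i, m in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split())}

def build_date(show_license_reply):
    """Extract the Build Date: value (assumed layout: day, month name, year)."""
    m = re.search(r"build date:\s*(\d{1,2})\s+([A-Za-z]{3})[A-Za-z]*\s+(\d{4})",
                  show_license_reply, re.IGNORECASE)
    if not m or m.group(2).lower() not in MONTHS:
        return None
    return date(int(m.group(3)), MONTHS[m.group(2).lower()], int(m.group(1)))

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def verify(show_license_reply, main_wa, cgi_wa):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    built = build_date(show_license_reply)
    if built is None:
        problems.append("no Build Date: line found in SHOW LICENSE reply")
    elif built < MIN_BUILD:
        problems.append(f"build date {built} is older than {MIN_BUILD}")
    for label, path in (("main", main_wa), ("cgi-bin", cgi_wa)):
        if not Path(path).is_file():
            problems.append(f"{label} wa executable missing: {path}")
            return problems
        fdate = date.fromtimestamp(Path(path).stat().st_mtime)
        if fdate < MIN_WA:
            problems.append(f"{label} wa file date {fdate} is older than {MIN_WA}")
    if sha256(main_wa) != sha256(cgi_wa):
        problems.append("cgi-bin wa differs from the copy in the LISTSERV Main directory")
    return problems

if __name__ == "__main__":
    # Constructed sample: updated Main directory, stale wa left in cgi-bin.
    d = Path(tempfile.mkdtemp())
    main, cgi = d / "wa", d / "cgi-bin-wa"
    main.write_bytes(b"2000a build"); cgi.write_bytes(b"1999a build")
    new, old = (datetime(y, m, 2, 12).timestamp() for y, m in ((2000, 5), (1999, 5)))
    os.utime(main, (new, new)); os.utime(cgi, (old, old))
    for p in verify("Build Date:   3 Mar 2000", main, cgi):
        print("FAIL:", p)
```
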

LISTSERV is a registered trademark licensed to L-Soft international, Inc.
All other trademarks, both marked and not marked, are the property of their respective owners.
See Guidelines for Proper Usage of the LISTSERV Trademark for more details.
