SECURITY ADVISORY

A security exposure has been discovered and fixed in the LISTSERV web interface (including LISTSERV Maestro, LISTSERV HPO, LISTSERV Lite, and LISTSERV Free Edition). L-Soft recommends that all affected users apply the patch immediately.

ABSTRACT

PRODUCTS AFFECTED:

• LISTSERV version 14.3 (confirmed), including LISTSERV Lite and HPO.
• LISTSERV version 1.8e (confirmed), including LISTSERV Lite and HPO.
• LISTSERV version 1.8d (inferred), including LISTSERV Lite and HPO.
• Older versions are not believed to be affected.
• LISTSERV Free Edition is LISTSERV Lite with special licensing terms. What applies to LISTSERV Lite in this advisory applies also to LISTSERV Free Edition.
• Support for version 1.8e (released May 22, 2002) was discontinued December 31, 2004. No patches are available for version 1.8e or older.

OPERATING SYSTEMS AFFECTED:

• Windows, unix (all vendors), OpenVMS AXP (confirmed).
• VM sites are not affected.

EXCEPTIONS/SPECIAL NOTES:

• Customers not using the LISTSERV web interface are not vulnerable.
• The LISTSERV Maestro web interface is not vulnerable; however, LISTSERV Maestro installations typically host both LISTSERV and LISTSERV Maestro web interfaces, and in such cases they are vulnerable.
• The 10 January 2005 and later builds of LISTSERV version 14.3 are less vulnerable, but L-Soft recommends that they be upgraded anyway.
• LISTSERV version 14.4 (beta) is not vulnerable.

EXPOSURE:

On a correctly configured LISTSERV installation running the LISTSERV web interface with normal CGI privileges, intruders may be able to gain non-privileged access to the system on which the web interface script is running. The executable in question is called 'WA.EXE' on Windows and VMS, and 'wa' on unix. In the remainder of this advisory, this script will be called "WA" regardless of operating system.

The exposure may be more severe if WA is configured to run with privileges beyond those recommended by L-Soft or, for Windows, if the system partition is using the FAT or FAT32 file system.

SOLUTION:

• Apply 2005a level set.

OR:

• Update just WA from 2005a level set.

The vulnerability cannot be circumvented, other than by disabling the web interface altogether.

RISK RATING: HIGH

• Date of first reported exploit: May 20, 2005.
• Exploit widely known within hacker community since: no known incident.

INCIDENT CHRONOLOGY:

2005-05-20 Initial report to L-Soft support
2005-05-20 More information requested
2005-05-21 Detailed information received
2005-05-21 Internal escalation
2005-05-22 Problem not reproduced
2005-05-23 Problem reproduced
2005-05-23 Emergency correction initiated
2005-05-24 Patch A1 ready
2005-05-24 A1 delivered to reporting site
2005-05-24 A1 passed standard internal tests, ready for deployment
2005-05-24 2005a kit generation starting
2005-05-24 2005a kits ready for deployment
2005-05-25 Reporting site confirms A1 removes exposure
2005-05-25 2005a deployed
2005-05-25 Security Advisory distributed to Maintenance customers
2005-05-25 Security Advisory distributed to LSTSRV-L
2005-05-25 Security Advisory distributed to LISTSERV-Developers
2005-05-25 Security Advisory distributed to LISTSERV-Lite
2005-05-25 Security Advisory distributed to Updates-LISTSERV

THE 2005a LEVEL SET

The only change in the 2005a level set is an updated WA executable.

There is no user-visible change or new functionality after applying the 2005a level set.

L-Soft intends to deliver new functionality to customers through the upcoming 14.4 release, which is currently in beta. Future 14.3 level sets, if any, are not expected to include any new functionality.

APPLYING THE 2005a LEVEL SET

This level set can be installed as a normal level set upgrade, which will require that LISTSERV be stopped during the upgrade, or you can opt to extract the updated WA executable from the kit and replace it on the fly, which is less disruptive, but also more complicated. If in doubt, perform a normal upgrade.

If you perform an on-the-fly upgrade, you will have to update WA in two locations: your web server's CGI directory, and LISTSERV's own directory tree. If you do not update the CGI directory, the patch is not active. If you do not update the copy of WA in the LISTSERV directory and later use one of the L-Soft setup/installation tools to move your LISTSERV web directory, the tool may copy the unpatched version of WA to the new location and re-introduce the vulnerability.

Regardless of which method you choose, be sure to verify that the patch is online by loading the following URL:

• Windows, VMS: http://.../wa.exe?DEBUG-SHOW-VERSION
• unix: http://.../wa?DEBUG-SHOW-VERSION

The compilation date should read 24 May 2005 or later.

DOWNLOADING THE 2005a LEVEL SET

To download the 2005a level set, go to L-Soft's web site and download an evaluation copy of LISTSERV Lite if this is what you are running, or LISTSERV Classic in all other cases (Classic, HPO, Maestro, etc). This evaluation kit will upgrade your existing LISTSERV installation. It will NOT turn it into an evaluation version.

The kits can be found at:

www.lsoft.com/download/listserv.asp
www.lsoft.com/download/listservlite.asp

MacOS beta sites will instead find the level set at the same location as the original beta installation kits.

ACKNOWLEDGEMENTS

L-Soft would like to thank Peter Winter-Smith of Next Generation Security Software (www.ngssoftware.com) for reporting this problem and providing information and assistance well past regular business hours.

LISTSERV is a registered trademark licensed to L-Soft international, Inc.
All other trademarks, both marked and not marked, are the property of their respective owners.
See Guidelines for Proper Usage of the LISTSERV Trademark for more details.