For a while now, GroupWise administrators have chuckled at their Exchange administrator counterparts every time a new Exchange virus alert appeared. While Exchange administrators scrambled and patched, GroupWise administrators sat back and just let GroupWise keep humming, safe in the knowledge that nothing would happen to them.

However, nobody’s safe from hacker attacks anymore, including GroupWise administrators. Novell released the Padlock Fix to address security issues in GroupWise 6 and the GroupWise 5.5 Enhancement Pack. To learn more about the Padlock Fix, including where to get it and how to install it, read on.

What does the Padlock Fix do?
The Padlock Fix patches an unknown but severe security hole in GroupWise 6 and 5.5 EP (Enhancement Pack). Novell discovered a severe security hole in GroupWise 6 and 5.5 EP but has yet to release the details of what the security hole is. The most Novell will say right now is that the hole can cause data to be lost and the company has mandated that GroupWise users apply the fix.

A lot of speculation exists on UseNet and Novell’s Support Forums about what the potential problem could be, but Novell feels that giving details about the hole might give ideas to potential hackers. I suspect the hole might have something to do with GroupWise interoperability with Outlook and Exchange because both GroupWise 6 and 5.5 EP have better links to Microsoft products than earlier versions. These earlier versions—such as GroupWise 4, 5.2, and even 5.5 without the Enhancement Pack—are not subject to the attack that the Padlock Fix repairs.

Novell’s refusal to give details stands in marked contrast to Microsoft’s handling of similar problems and fixes. Microsoft usually gives details about the problem and what the patch fixes. GroupWise administrators have just been told to apply the fix, not knowing the effects the fix may have on their systems. The only choice is to apply it or remain vulnerable to an unknown attack. That said, the lesser of two evils—especially if your GroupWise 6 or 5.5 EP server is connected to the Internet—is to apply the Padlock Fix and hope for the best.

The Padlock Fix replaces GroupWise NLMs on your server that run the GroupWise Engine. Additionally, it replaces a key DLL on the workstations that accesses GroupWise on your server.

You’ll need to apply the fix if you’re running GroupWise 6, GroupWise 5.5 Enhancement Pack Support Pack 2, or GroupWise 5.5 Enhancement Pack Support Pack 3. If you’ve applied Support Pack 3a to your GroupWise 5.5 Enhancement Pack server, you’re safe because Novell has included the fix in Support Pack 3a. Likewise, you don’t need the Padlock Fix if you’re running GroupWise 4.0, GroupWise 5.0, GroupWise 5.2, or GroupWise 5.5 without the Enhancement Pack.

Is it already installed?
If you’re a new administrator for an existing GroupWise installation, or just can’t remember if you’ve already installed the Padlock Fix or not, you should see if it’s already installed. Make sure you’re running the appropriate version of GroupWise.

Check your NetWare server’s SYSTEM folder for the files listed in Table A. Compare the file sizes and dates. If you’re running older versions, you need to update your server:

Table A
GroupWise 5.5 EP SP2 GWENN2.NLM 5,386,672 08/19/2000
GroupWise 5.5 EP SP3 GWENN2.NLM 4,668,416 05/25/2001
GroupWise 6.0 GWENN3.NLM 5,573,467 04/06/2001

You can also download and run the GroupWise Padlock Check utility. This is a small file, only 718 Kb, so it won’t take very long to run. Download it to a temporary directory on your administrative workstation and run the GWPDCHK.EXE file to extract the utility. After it extracts, run the LOCKCHK.EXE file to start the utility.

You’ll then see the GroupWise Padlock Checker screen appear. Enter the TCP/IP address of your GroupWise server in the Address field and click OK. The checker will ask you to supply a username and password. You’ll need to enter the password for the GroupWise Web Administrator and click OK. The Checker will examine your server and display a screen showing whether or not each server needs to be patched.

Getting the fix
For the GroupWise Padlock Fix to work, you must patch both GroupWise servers and clients. To obtain the GroupWise server patch, go to Novell’s GroupWise Server Padlock Fix Web site and click the Download link to download the server patch, GWPDLOCK.EXE, to your administrative workstation. You’ll find the server patch to be quite a bit larger than the client patch—29,520,686 bytes total.

The GWPDLOCK.EXE file contains patches for both clients and servers. However, your users can also download the client patch directly from Novell’s Web site. Tell your users to visit Novell’s GroupWise Client Padlock Fix Web site, click the Download link, and then tell Internet Explorer to Run The File From Current Location. PADLOCK.EXE itself is a very small file, only 169,001 bytes long, so it won’t take very long to download. When it downloads, it will run and then begin the patch process. As a part of the patching process, PADLOCK.EXE will download additional files from Novell.

Before you patch clients, however, patch your servers.

Applying the Padlocks
If you’re running GroupWise 5.5 Enhancement Pack, you must apply Support Pack 2 or Support Pack 3 before you can apply the Padlock Fix. If you’ve haven’t applied either Support Pack, you can save time by downloading and applying Support Pack 3a for GroupWise 5.5 because Support Pack 3a includes the Padlock Fix. If you’ve already applied Support Pack 2 or 3, you can apply the Padlock Fix by itself and be safe. You don’t need any preinstallation preparations for GroupWise 6 servers.

Extract the Padlock Fix files by running the GWPDLOCK.EXE file from your administrative workstation’s command line. When you do, GWPDLOCK.EXE will create several subdirectories and extract the Padlock patch files.

You’ll notice that GWPDLOCK.EXE creates a directory for each different version of GroupWise to which the patch applies. It does this because each version has a slightly different set of files that need to be applied. Patch files are as follows:

  • GroupWise 6 on NetWare: GWENN3.NLM is located in the GW6 directory.
  • GroupWise 6 on Windows NT/2000: GWENV1A.DLL is located in the GW6 directory.
  • GroupWise 5.5 EP3: GWENN2.NLM is located in the GW55EP3 directory.
  • GroupWise 5.5 EP3 on Windows NT/2000: GWENV1A.DLL is located in the GW55EP3 directory.
  • GroupWise 5.5 EP2: GWENN2.NLM is located in the GW55EP3 directory.
  • GroupWise 5.5 EP2 on Windows NT/2000: GWENV1A.DLL is located in the GW55EP2 directory.

Procedurally, it doesn’t matter what version of GroupWise you’re using. The basics are the same: If you’re running a NetWare server, go to the SYS:\SYSTEM folder on your NetWare server and find the appropriate NLM for the version of GroupWise you’re running. Copy that NLM to a temporary directory for backup purposes. Next, copy the NLM for your version of GroupWise from the directory created by GWPDLOCK.EXE into the SYS:\SYSTEM folder. At the server console, you’ll need to unload and reload three NLMs: GWPOA.NLM, GWMTA.NLM, and GWINTER.NLM. After you reload the NLMs, the patch is applied and you’re safe. You’ll also need to copy the file to your GroupWise software distribution directory if you want to make sure that future GroupWise servers in your organization also install the patch.

If you’re running GroupWise on a Windows NT/2000 server, you’ll copy the appropriate DLL file to your server’s GroupWise directories. However, this time, rather that unloading and reloading NLMs, you’ll need to reboot your Windows server. This will ensure that the appropriate executables restart with the patched file.

Patching GroupWise clients
Patching your servers is only half the battle. You must also patch your GroupWise clients. As I mentioned, the client patch comes in a separate download called PADLOCK.EXE. Installing the patch is actually very easy. If your users have Internet access, you can just send them an e-mail with the link to the Client Padlock Fix Web page. All your users have to do is run the PADLOCK.EXE utility and hang on for the ride. It may take a while to download, but after it does, it installs automatically.

The complication can occur if your users don’t have Internet access. In that case, you have several options to distribute this fix to the client workstations on your network. You can create a temporary directory on your server’s hard drive that all users have rights to access. Then, depending on the version of GroupWise you’re running, copy the client patch files to that directory. Client patch files include the following:

  • GroupWise 5.5 EP2 and EP3—PADLOCK5.EXE
  • GroupWise 6—PADLOCK6.EXE

After copying the files, you can send an e-mail to your users telling them to run that file. If you use ZENworks, you can also automatically force this file to run the next time your users log in to the network.

You can also create a logon script that copies the appropriate client DLL file to the user’s hard drive. This way is the most difficult, however, if you’re running a heterogeneous mix of Windows 9x, NT, and 2000 Professional workstations because the target location will vary from client operating system to client operating system. Again, ZENworks can be helpful in distributing the DLL file.

Running the Padlock files on the workstation is very easy. When the appropriate Padlock executable runs, the first thing the user sees is a license agreement screen. After the user clicks Accept, the fix installs very quickly. So quickly in fact, the user may not be aware that anything has happened. The fix will display another screen that says that the installation is complete. All the users have to do is click OK to finish and they’re patched.

Conclusion
Whether you agree with Novell’s decision to be secretive about the GroupWise security hole or not, apparently the hole is severe enough that you should patch your servers immediately. Fortunately, the patch isn’t too difficult to obtain or install. To keep your GroupWise 5.5 EP and GroupWise 6 servers safe and sound, go out and grab the Padlock Fix and install it. It’s better to be safe than sorry.