Perforce Server is a source code management platform used across gaming, government, military, and tech sectors.
Microsoft operates GitHub, also a widely used source code management platform, among other services that compete against Perforce.
All four Perforce vulnerabilities can be fixed by updating to version 2023.1/2513900.
Redmond's flaw finders reported the security holes in late August, and Perforce patched them in November, we're told, so hopefully you've already updated your installations and can relax.
Here's a look at all four, starting with the critical RCE. This one, tracked as CVE-2023-45849, was given a CVSS severity rating of 9.0 out of 10 by Perforce, 9.8 by the US government's NIST, and the maximum 10 by Microsoft, which, as we said, offers services that compete against Perforce.
That snark aside, the hole is pretty bad: it can be exploited by an unauthenticated, remote attacker to execute code as LocalSystem - a high privilege level that allows access to just about everything.
If someone can reach your vulnerable deployment over the network or internet, they can hijack it as well as poison and steal your source.
While conducting their own security review of Perforce Server, Redmond's bug hunters discovered the software runs as LocalSystem due to the way the server handles the user-bgtask RPC command.
If an administrator does not manually perform those post-installation steps, the default configuration will allow any user - including unauthenticated, remote attackers - to run commands, including PowerShell command lines with script blocks as LocalSystem.
So this is more of a design flaw than a programming blunder: if you followed the documentation, you might already be safe.
We note that version 2023.2/2519561 also addresses this CVE, so perhaps make sure you have at least that version installed.
The other three vulnerabilities, CVE-2023-5759, CVE-2023-35767 and CVE-2023-45319, received CVSS ratings of 7.5.
All of these flaws could allow denial-of-service attacks by remote, unauthenticated users.
In addition to updating to version 2023.1/2513900 or later, it's a good idea to check out Perforce's recommendations on securing the server.
Microsoft recommends all orgs take steps including basic security hygiene, which apply to Perforce Server or any other products.
Perforce did not immediately respond to The Register's inquiries, but by all indications they endorse these mitigation measures, too.
This Cyber News was published on go.theregister.com. Publication date: Tue, 19 Dec 2023 20:13:04 +0000