Skip links

Before you go away for Xmas: You’ve patched that critical Perforce Server hole, right?

Four vulnerabilities in Perforce Helix Core Server, including one critical remote code execution bug, should be patched “immediately,” according to Microsoft, which spotted the flaws and disclosed them to the software vendor.

Perforce Server is a source code management platform used across gaming, government, military, and tech sectors. Microsoft operates GitHub, also a widely used source code management platform, among other services that compete against Perforce.

All four Perforce vulnerabilities can be fixed by updating to version 2023.1/2513900.

Redmond’s flaw finders reported the security holes in late August, and Perforce patched them in November, we’re told, so hopefully you’ve already updated your installations and can relax.

Although Microsoft says it has not seen any miscreants abusing any of these vulnerabilities in the wild, “exploitation of the most critical vulnerability could give unauthenticated attackers complete control over unpatched systems and connected infrastructure,” the Windows giant’s threat intel team noted in a report this month.

Here’s a look at all four, starting with the critical RCE. 

This one, tracked as CVE-2023-45849, was given a CVSS severity rating of 9.0 out of 10 by Perforce, 9.8 by the US government’s NIST, and the maximum 10 by Microsoft, which as we said, offers services that compete against Perforce.

That snark aside, the hole is pretty bad: it can be exploited by an unauthenticated, remote attacker to execute code as LocalSystem — a high privilege level that allows access to just about everything. If someone can reach your vulnerable deployment over the network or internet, they can hijack it as well as poison and steal your source.

“An attacker with system-level remote code execution access to a source code management platform can insert backdoors into software products, exfiltrate source code and other intellectual property, and pivot to other sensitive enterprise infrastructure,” Microsoft warned.

While conducing their own security review of Perforce Server, Redmond’s bug hunters discovered the software runs as LocalSystem due to the way the server handles the user-bgtask RPC command. 

As the security team noted, this is by design by Perforce, and the Perforce Server manual does tell users: “Run p4 protect immediately after installing Helix Server for the first time. Before the first call to p4 protect, every Helix Server user is a superuser and thus can access and change anything in the depot.” 

If admins don’t complement these post-installation measures, then “in this context, ‘every Helix Server user’ also includes unauthenticated anonymous remote users,” according to Microsoft.

If an administrator does not manually perform those post-installation steps, the default configuration will allow any user — including unauthenticated, remote attackers — to run commands, including PowerShell command lines with script blocks as LocalSystem.

So this is more of a design flaw than a programming blunder: if you followed the documentation, you might already be safe. We note that version 2023.2/2519561 also addresses this CVE, so perhaps make sure you have at least that version installed.

The other three vulnerabilities, CVE-2023-5759, CVE-2023-35767 and CVE-2023-45319, received CVSS ratings of 7.5. All of these flaws could allow denial-of-service attacks by remote, unauthenticated users. 

In addition to updating to version 2023.1/2513900 or later, it’s a good idea to check out Perforce’s recommendations on securing the server.

Additionally, Microsoft recommends all orgs take steps including basic security hygiene (ie, apply software patches, use network segmentation), which apply to Perforce Server or any other products.

Plus, specific to Perforce Server:

  • Use a VPN and/or an IP allow-list to limit who can communicate with your Perforce Server.
  • Issue TLS certificates to legitimate Perforce users and use a TLS termination proxy in front of Perforce Server to validate a client via TLS before allowing the user to connect to Perforce Server.
  • Log all access to your Perforce Server, both via your network appliances and via Perforce Server itself.
  • Configure alerts to notify IT administrators and your security team if the Perforce Server process crashes.

Perforce did not immediately respond to The Register‘s inquiries, but by all indications they endorse these mitigation measures, too. ®