Microsoft: Multiple Perforce Server Flaws Allow for Network Takeover

Published: 23/11/2024   Category: security




The most critical of the bugs gives attackers privileged access to the local Windows system, paving the way for unauthenticated RCE and installing backdoors.



Microsoft has identified four vulnerabilities in the Perforce source-code management platform, the most critical of which gives attackers access to a highly privileged Windows OS account to potentially take over the system via remote code execution (RCE) and even perform supply chain attacks.
Overall, the flaws discovered in the Perforce Helix Core Server, aka Perforce Server, potentially allow threat actors to engage in a range of malicious activity, including remote code execution (RCE) and denial-of-service (DoS) attacks, according to a blog post by threat intelligence firm SOCRadar.
Perforce Server is widely used to manage the software development life cycle (SDLC) across diverse industries, including gaming, government, military, technology, and retail. Microsoft discovered the flaws in late summer during a security review of its game development studios, subsequently reporting them to Perforce Software.
The most critical of the flaws that Microsoft found is an arbitrary code execution flaw tracked as CVE-2023-45849 and rated 9.8 on the CVSS. The vulnerability — which stems from the mishandling of the user-bgtask RPC command by the server — grants unauthenticated attackers the ability to execute code as LocalSystem, a highly privileged Windows OS account designated for system functions.
In its default configuration, Perforce Server allows unauthenticated attackers to remotely execute various commands, including PowerShell scripts, as LocalSystem, according to the post. This account level facilitates access to local resources, system files, and the modification of registry settings.
By exploiting the flaw, attackers can install backdoors, access sensitive information, change system settings, and potentially take complete control of a system running a vulnerable Perforce Server version. They also could pivot to connected information or even the software supply chain, given Perforce's role in management of the software development life cycle, SOCRadar warned.
The other three vulnerabilities — tracked as CVE-2023-35767, CVE-2023-45319, and CVE-2023-5759 — all earned a score of 7.5 on the CVSS and pave the way for denial-of-service (DoS) attacks, with the first two enabling an unauthenticated attacker to induce DoS through remote commands, and the last allowing for exploitation via RPC header.
Specifically, CVE-2023-35767 allows for DoS via the shutdown function, CVE-2023-45319 via the commit function, and CVE-2023-5759 via the buffer, according to their listings in the NIST National Vulnerability Database.
Microsoft's Principal Security Architect Jason Geffner is credited with discovering the four flaws, which the company reported to Perforce in late August, spurring an investigation by the vendor. In early November, Perforce Software released an update to Perforce Server, version 2023.1/2513900, effectively patching the vulnerabilities.
While there is currently no evidence that attackers in the wild have targeted any of the flaws, Microsoft and SOCRadar recommend that any affected organizations immediately update to the patched version of Perforce Server, as well as remain vigilant to any exploitation.
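
A patch-status triage for the update recommendation above, as an added example (not code from Microsoft, Perforce, SOCRadar, or this article). It compares captured `p4 info` output against the one patched build the article names; the "Server version" line layout, the "NT" platform tag for Windows builds, and all sample hostnames and builds are assumptions or constructed.

```python
import re

# Patched build named in the article: release 2023.1, changelist 2513900.
PATCHED_RELEASE, PATCHED_CHANGE = (2023, 1), 2513900

# Assumed "Server version" line layout in `p4 info` output:
#   Server version: P4D/<platform>/<release>/<changelist> (<build date>)
VERSION_RE = re.compile(
    r"^Server version:\s*P4D/(?P<platform>[^/\s]+)/"
    r"(?P<major>\d{4})\.(?P<minor>\d+)/(?P<change>\d+)",
    re.MULTILINE,
)

def triage(p4_info_text):
    """Classify one server from its captured `p4 info` text."""
    m = VERSION_RE.search(p4_info_text)
    if m is None:
        return {"status": "unparsed", "windows": None, "release": None, "change": None}
    release = (int(m["major"]), int(m["minor"]))
    change = int(m["change"])
    if release != PATCHED_RELEASE:
        # The article gives no fixed build for other release lines.
        status = "check-vendor-advisory"
    elif change >= PATCHED_CHANGE:
        status = "patched"
    else:
        status = "needs-update"
    # Assumption: Windows builds carry an "NT" platform tag (e.g. NTX64).
    return {"status": status, "windows": m["platform"].upper().startswith("NT"),
            "release": release, "change": change}

def needs_attention(inventory):
    """Hosts not confirmed patched; Windows hosts (LocalSystem impact) first."""
    rows = [(host, triage(text)) for host, text in inventory.items()]
    rows = [(h, r) for h, r in rows if r["status"] != "patched"]
    return sorted(rows, key=lambda hr: (hr[1]["windows"] is not True, hr[0]))

# Constructed sample captures: hostnames, dates and older changelists are made up.
SAMPLE = {
    "p4-build-01": "Server address: p4-build-01:1666\n"
                   "Server version: P4D/NTX64/2023.1/2468153 (2023/07/18)\n",
    "p4-build-02": "Server version: P4D/NTX64/2023.1/2513900 (2023/11/02)\n",
    "p4-edge-03": "Server version: P4D/LINUX26X86_64/2022.2/2407422 (2023/02/15)\n",
    "p4-lab-04": "Server license: none\n",
}

if __name__ == "__main__":
    for host, result in needs_attention(SAMPLE):
        print(host, result["status"], "windows" if result["windows"] else "")
```

Servers on any release line other than 2023.1 are reported as `check-vendor-advisory` rather than guessed at, because the article names a fixed build only for 2023.1.
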
Microsoft also made a number of other security recommendations to protect organizations running Perforce Server in their environments. The company advised that organizations regularly monitor and apply patches not just for Perforce but also for third-party software. They also should use a VPN and/or an IP allow-list to restrict communication with Perforce Server.
Other mitigation actions include issuing TLS certificates to verified Perforce users and deploying a TLS termination proxy in front of the Perforce Server to validate client TLS certificates before allowing connections. Organizations also should log all access to instances of Perforce, both through network appliances and the server itself.
According to Microsoft, further mitigations include configuring alert systems to promptly notify IT administrators and the security team in case of process crashes, and employing network segmentation to limit the potential for attackers to pivot within the network.
