Open Source Showstopper
Flaw in open source version control and collaboration system could enable root compromise
A critical vulnerability was disclosed last week in the Concurrent Versions System (CVS), a version control and distributed collaboration system used to manage most open source software (OSS) development projects.
In an advisory (http://www.cert.org/advisories/CA-2003-02.html) released last week, the Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University acknowledged that a CVS vulnerability could “allow an unauthenticated, remote attacker with read-only access to execute arbitrary code, alter program operation, read sensitive information, or cause a denial of service” on a compromised CVS server.
CVS is pervasive throughout the OSS world: Not only are the various BSD variants—along with most distributions of Linux developed—managed by CVS, but work on CVS itself is maintained by means of CVS. CVS is available for many platforms, including AIX, HP-UX, Solaris, Irix, all distributions of Linux, and Windows.
The scope of the vulnerability is extreme, and, if exploited, the potential for disaster severe. Says CERT: “An attacker who is able to compromise a CVS server could modify source-code repositories to contain Trojan horses, backdoors, or other malicious code.”
The vulnerability was discovered in early January by a programmer in the European Union, Stefan Esser, who first contacted the vendor, along with several administrators of large public CVS repositories, before posting an advisory (http://security.e-matters.de/advisories/012003.html) to his company Web site last week. A new version (http://ccvs.cvshome.org/servlets/ProjectDownloadList) of CVS is now available as well.
The CERT advisory provides a summary (http://www.cert.org/advisories/CA-2003-02.html#vendors) of vendors whose software could be affected by the CVS vulnerability. In some cases, vendors have provided patches; in others, patches are forthcoming. If you use CVS and your vendor hasn’t yet made available a patch—or if you simply want to harden your CVS configuration—CERT issued the following guidelines:
-- Disable anonymous CVS server access completely.
-- Block or restrict access to CVS servers from untrusted hosts and networks. Anonymous access to CVS servers using :cvspserver: is typically provided on port 2401/tcp.
-- Configure CVS servers to run in restricted (chroot) environments.
-- Host CVS servers on single-purpose, secured systems.
CERT cautions, however, that the above “workarounds and configurations are not complete solutions and will not prevent exploitation of this vulnerability. Other features inherent in CVS may give anonymous users the ability to gain shell access.”
Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.