Perforce Helix Core Server fixes critical remote code execution flaw
Take action: If you are using Perforce Helix Core Server, lock it down from the internet if possible. It's quite probable you won't be able to do that, since a lot of software teams are distributed and need access to their Perforce via the internet. If that's the case, patch it immediately.
Microsoft's security team has reported four vulnerabilities, including one critical RCE, in the Perforce Helix Core Server, a key source code management platform extensively used in the video game industry, government, military, and technology.
The vulnerabilities discovered are detailed as follows:
- CVE-2023-45849 (CVSS score 10): This vulnerability allows unauthenticated attackers to execute code remotely as LocalSystem through the user-bgtask RPC Command. The lack of authentication for a crucial function in the system provides attackers with the capability to execute code with elevated privileges, posing a significant security risk.
- CVE-2023-5759 (CVSS score 7.5): This vulnerability enables an unauthenticated Denial of Service (DoS) attack via exploitation of the RPC Header. The nature of the vulnerability allows attackers to abuse the RPC Header, leading to resource consumption that disproportionately impacts the server.
- CVE-2023-35767 (CVSS score 7.5): This vulnerability permits an unauthenticated DoS attack via the rmt-Shutdown RPC Command. The absence of required authentication for critical functions enables attackers to shut down systems remotely, leading to service disruptions.
- CVE-2023-45319 (CVSS score 7.5): This vulnerability allows for an unauthenticated DoS attack through the rmt-UpdtFovrCommit RPC Command. The vulnerability arises from the system not adequately checking or validating the return values from certain functions, which can be exploited to disrupt service.
Compromised security of this kind can lead to significant consequences, such as the insertion of backdoors into software products, theft of source code and other intellectual property, and potential breaches into other critical enterprise infrastructure. Although Microsoft didn't find any active exploitation of these vulnerabilities in the wild, the possible impact is significant enough to prompt an urgent response.
Microsoft reported these vulnerabilities and collaborated with Perforce in developing and deploying necessary patches. Perforce released an updated version of their server (2023.1/2513900), which addressed the security issues.