Security News > 2023 > December > Before you go away for Xmas: You've patched that critical Perforce Server hole, right?

Before you go away for Xmas: You've patched that critical Perforce Server hole, right?
2023-12-19 19:57

Four vulnerabilities in Perforce Helix Core Server, including one critical remote code execution bug, should be patched "Immediately," according to Microsoft, which spotted the flaws and disclosed them to the software vendor.

Redmond's flaw finders reported the security holes in late August, and Perforce patched them in November, we're told, so hopefully you've already updated your installations and can relax.

Here's a look at all four, starting with the critical RCE. This one, tracked as CVE-2023-45849, was given a CVSS severity rating of 9.0 out of 10 by Perforce, 9.8 by the US government's NIST, and the maximum 10 by Microsoft, which as we said, offers services that compete against Perforce.

While conducing their own security review of Perforce Server, Redmond's bug hunters discovered the software runs as LocalSystem due to the way the server handles the user-bgtask RPC command.

As the security team noted, this is by design by Perforce, and the Perforce Server manual does tell users: "Run p4 protect immediately after installing Helix Server for the first time. Before the first call to p4 protect, every Helix Server user is a superuser and thus can access and change anything in the depot."

Microsoft recommends all orgs take steps including basic security hygiene, which apply to Perforce Server or any other products.


News URL

https://go.theregister.com/feed/www.theregister.com/2023/12/19/microsoft_warns_patch_critical_perforce/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2023-11-08 CVE-2023-45849 Code Injection vulnerability in Perforce Helix Core
An arbitrary code execution which results in privilege escalation was discovered in Helix Core versions prior to 2023.2.
network
low complexity
perforce CWE-94
critical
9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Perforce 8 1 4 5 3 13