
Before you go away for Xmas: You've patched that critical Perforce Server hole, right?
2023-12-19 19:57

Four vulnerabilities in Perforce Helix Core Server, including one critical remote code execution bug, should be patched "immediately," according to Microsoft, which spotted the flaws and disclosed them to the software vendor.

Redmond's flaw finders reported the security holes in late August, and Perforce patched them in November, we're told, so hopefully you've already updated your installations and can relax.

Here's a look at all four, starting with the critical RCE. This one, tracked as CVE-2023-45849, was given a CVSS severity rating of 9.0 out of 10 by Perforce, 9.8 by the US government's NIST, and the maximum 10 by Microsoft, which, as we said, offers services that compete against Perforce.

While conducting their own security review of Perforce Server, Redmond's bug hunters discovered the software runs as LocalSystem due to the way the server handles the user-bgtask RPC command.

As the security team noted, this is by design on Perforce's part, and the Perforce Server manual does tell users: "Run p4 protect immediately after installing Helix Server for the first time. Before the first call to p4 protect, every Helix Server user is a superuser and thus can access and change anything in the depot."

Microsoft recommends all orgs take steps, including basic security hygiene, that apply to Perforce Server or any other product.


News URL

https://go.theregister.com/feed/www.theregister.com/2023/12/19/microsoft_warns_patch_critical_perforce/

Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-11-08 | CVE-2023-45849 | Code Injection vulnerability in Perforce Helix Core. An arbitrary code execution which results in privilege escalation was discovered in Helix Core versions prior to 2023.2. (network, low complexity, perforce, CWE-94) | critical, 9.8 |

Related vendor

| VENDOR | #/PRODUCTS | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS |
|---|---|---|---|---|---|---|
| Perforce | 9 | 1 | 11 | 8 | 2 | 22 |