Microsoft: Multiple Perforce Server Flaws Allow for Network Takeover



The most critical of the bugs gives attackers privileged access to the local Windows system, paving the way for unauthenticated RCE and installing backdoors.
December 19, 2023
Microsoft has identified four vulnerabilities in the Perforce source-code management platform, the most critical of which gives attackers access to a highly privileged Windows OS account to potentially take over the system via remote code execution (RCE) and even perform supply chain attacks.
Taken together, the flaws discovered in Perforce Helix Core Server (aka Perforce Server) could let threat actors achieve remote code execution or knock the server offline with denial-of-service (DoS) attacks, according to a blog post by threat intelligence firm SOCRadar.
Perforce Server is widely used to manage the software development life cycle (SDLC) across diverse industries, including gaming, government, military, technology, and retail. Microsoft discovered the flaws late summer during a security review of its game development studios, subsequently reporting them to Perforce Software.
The most critical of the flaws that Microsoft found is an arbitrary code execution flaw tracked as CVE-2023-45849, with a CVSS score of 9.8. The vulnerability stems from the server's mishandling of the user-bgtask RPC command and lets unauthenticated attackers execute code as LocalSystem, a highly privileged Windows OS account reserved for system functions.
"In its default configuration, Perforce Server allows unauthenticated attackers to remotely execute various commands, including PowerShell scripts, as LocalSystem," according to the post. "This account level facilitates access to local resources, system files, and the modification of registry settings."
By exploiting the flaw, attackers can install backdoors, access sensitive information, change system settings, and potentially take complete control of a system running a vulnerable Perforce Server version. They could also pivot to connected systems or even into the software supply chain, given Perforce's role in managing the software development life cycle, SOCRadar warned.
The other three vulnerabilities — tracked as CVE-2023-35767, CVE-2023-45319, and CVE-2023-5759 — each carry a CVSS score of 7.5 and enable denial of service. The first two let an unauthenticated attacker crash the server with remote commands, and the third is triggered through the RPC header.
Specifically, according to their listings in the NIST National Vulnerability Database, CVE-2023-35767 allows DoS via the shutdown function, CVE-2023-45319 via the commit function, and CVE-2023-5759 via a buffer.
Microsoft's Principal Security Architect Jason Geffner is credited with discovering the four flaws, which the company reported to Perforce in late August, spurring an investigation by the vendor. In early November, Perforce Software released Perforce Server version 2023.1/2513900, which patches the vulnerabilities.
While there is currently no evidence that attackers in the wild have targeted any of the flaws, Microsoft and SOCRadar recommend that any affected organizations immediately update to the patched version of Perforce Server, as well as remain vigilant to any exploitation.
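The first thing an administrator wants to know is whether a given server is still below the fix build. The script below is an added example, not Perforce's or Microsoft's tooling: it parses the "Server version:" line that the Perforce client prints for `p4 info` (the format is P4D/platform/release/build) and compares the release and build against 2023.1/2513900, the version named above. The sample outputs are constructed, with build numbers chosen for illustration; the assumption that any release line newer than 2023.1 also carries the fix is not stated on this page and should be confirmed against the vendor advisory.

```python
"""Check whether a Helix Core Server build predates the 2023.1/2513900 fix.

Added example (not vendor tooling). Parses the "Server version:" line from
`p4 info` and compares release + build number against the patched version.
Assumption: release lines newer than 2023.1 also include the fix.
"""
import re
import subprocess
from typing import NamedTuple, Optional, Tuple

FIXED_RELEASE: Tuple[int, int] = (2023, 1)
FIXED_BUILD = 2513900  # build (changelist) of the patched 2023.1 server

# `p4 info` prints e.g. "Server version: P4D/NTX64/2023.1/2513900 (2023/10/25)"
# i.e. P4D/<platform>/<release>/<build> (<date>).
_VERSION_RE = re.compile(
    r"^Server version:\s*P4D/(?P<platform>[^/\s]+)/(?P<release>\d{4}\.\d+)/(?P<build>\d+)",
    re.MULTILINE,
)


class ServerVersion(NamedTuple):
    platform: str
    release: Tuple[int, int]
    build: int


def parse_server_version(p4_info_output: str) -> Optional[ServerVersion]:
    """Extract platform, release and build from `p4 info` output, or None if absent."""
    m = _VERSION_RE.search(p4_info_output)
    if m is None:
        return None
    year, minor = m.group("release").split(".")
    return ServerVersion(m.group("platform"), (int(year), int(minor)), int(m.group("build")))


def needs_update(p4_info_output: str) -> bool:
    """True when the server is older than the 2023.1/2513900 fix build."""
    v = parse_server_version(p4_info_output)
    if v is None:
        raise ValueError("no 'Server version:' line found; pass the output of `p4 info`")
    if v.release < FIXED_RELEASE:
        return True            # an older release line: below the fix
    if v.release == FIXED_RELEASE:
        return v.build < FIXED_BUILD
    return False               # assumption: later release lines include the fix


def query_server(p4port: str) -> str:
    """Run `p4 -p host:port info` with the real Perforce client (needs network access)."""
    proc = subprocess.run(["p4", "-p", p4port, "info"], capture_output=True, text=True, check=True)
    return proc.stdout


# Constructed sample outputs; build numbers are illustrative, not real releases.
SAMPLE_VULNERABLE = (
    "User name: alice\n"
    "Server address: p4.example.internal:1666\n"
    "Server version: P4D/NTX64/2023.1/2442100 (2023/06/01)\n"
)
SAMPLE_PATCHED = "Server version: P4D/LINUX26X86_64/2023.1/2513900 (2023/10/25)\n"
SAMPLE_OLD_RELEASE = "Server version: P4D/NTX64/2022.2/2400000 (2023/01/15)\n"

if __name__ == "__main__":
    import sys
    text = query_server(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_VULNERABLE
    v = parse_server_version(text)
    status = "UPDATE NEEDED" if needs_update(text) else "at or above fix build"
    print(f"{v.release[0]}.{v.release[1]}/{v.build} on {v.platform}: {status}")
```

Run it as `python check_p4.py host:1666` to query a live server, or with no argument to exercise the constructed sample. Because the build number is a monotonically increasing changelist, comparing it numerically is the reliable test; comparing the release string alone would pass an unpatched 2023.1 server.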
Microsoft also made a number of other security recommendations to protect organizations running Perforce Server in their environments. The company advised that organizations regularly monitor and apply patches not just for Perforce but also for third-party software. They also should use a VPN and/or an IP allow-list to restrict communication with Perforce Server.
Other mitigation actions include issuing TLS certificates to verified Perforce users and deploying a TLS termination proxy in front of the Perforce Server to validate client TLS certificates before allowing connections. Organizations also should log all access to instances of Perforce, both through network appliances and the server itself.
According to Microsoft, further mitigations include configuring alert systems to promptly notify IT administrators and the security team in case of process crashes, and employing network segmentation to limit the potential for attackers to pivot within the network.
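The allow-list and logging advice above can be turned into a concrete check over the server's own log. The script below is an added example, not a Perforce or Microsoft tool: it parses entries in the default P4LOG layout (a "Perforce server info:" header followed by an indented "date time pid N user@client ip [program] 'command'" line), flags commands from addresses outside an allow-list, and separately flags every invocation of the user-bgtask RPC command, the vector for CVE-2023-45849. The log lines and the allow-list CIDRs are constructed placeholders; the handling of two "/"-joined addresses in the ip field, which appear when a proxy or broker sits in front of the server, is an assumption about deployments this page does not describe.

```python
"""Scan a Helix Core Server log (P4LOG) for out-of-allow-list sources and
for any use of the user-bgtask RPC command.

Added example (not vendor tooling). Log lines and networks are constructed.
Assumption: with a proxy/broker in the path the ip field holds two addresses
joined by "/", so every address in the field is checked.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# One command entry: "<date> <time> pid <pid> <user>@<client> <ip> [<program>] '<command>'"
_ENTRY_RE = re.compile(
    r"^\s*(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) pid (?P<pid>\d+) "
    r"(?P<user>[^@\s]+)@(?P<client>\S+) (?P<ip>\S+) \[(?P<prog>[^\]]*)\] '(?P<cmd>[^']*)'",
    re.MULTILINE,
)

# Placeholder allow-list: the networks developers and CI agents connect from.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.50.0/24")]


def parse_p4log(text: str) -> List[Dict[str, str]]:
    """Return one dict per command entry; non-matching lines are ignored."""
    return [m.groupdict() for m in _ENTRY_RE.finditer(text)]


def outside_allowlist(ip_field: str, allowed=ALLOWED_NETWORKS) -> bool:
    """True if any address in the field is unparseable or not in an allowed network."""
    for addr in ip_field.split("/"):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return True  # unparseable source: treat as untrusted
        if not any(ip in net for net in allowed):
            return True
    return False


def find_suspicious(entries: Iterable[Dict[str, str]], allowed=ALLOWED_NETWORKS) -> List[Dict[str, str]]:
    """Attach a 'reasons' list to entries that need review and return them."""
    hits = []
    for e in entries:
        reasons = []
        if outside_allowlist(e["ip"], allowed):
            reasons.append("source outside allow-list")
        if e["cmd"].startswith("user-bgtask"):
            reasons.append("user-bgtask invoked (CVE-2023-45849 vector)")
        if reasons:
            hits.append({**e, "reasons": reasons})
    return hits


# Constructed sample log in the default P4LOG layout (addresses from documentation ranges).
SAMPLE_LOG = """\
Perforce server info:
\t2023/12/19 10:15:01 pid 4321 alice@alice-ws 10.0.0.5 [p4/2023.1/NTX64/2513900] 'user-sync //depot/main/...'
Perforce server info:
\t2023/12/19 10:16:44 pid 4330 bob@build-agent 192.168.50.12/10.0.1.1 [p4/2023.1/LINUX26X86_64/2513900] 'user-changes -m 5'
Perforce server info:
\t2023/12/19 10:17:02 pid 4335 unknown@unknown 203.0.113.77 [p4/2023.1/NTX64/2513900] 'user-info'
Perforce server info:
\t2023/12/19 10:17:09 pid 4336 unknown@unknown 203.0.113.77 [p4/2023.1/NTX64/2513900] 'user-bgtask -e powershell.exe'
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for hit in find_suspicious(parse_p4log(text)):
        print(f"{hit['ts']} pid {hit['pid']} {hit['user']}@{hit['client']} from {hit['ip']}: "
              f"'{hit['cmd']}' -> {'; '.join(hit['reasons'])}")
```

Point it at the P4LOG file (`python scan_p4log.py /path/to/log`) or run it without arguments to see the constructed sample flag the two entries from 203.0.113.77. A bgtask hit from inside the allow-list is still worth a look after patching, since a legitimate administrator rarely needs it, and a crash alert (the process-crash notification Microsoft recommends) correlated with a preceding out-of-allow-list command is a strong signal of an attempted DoS.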

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Copyright © 2023 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.