	CVS Version Control \| Other Software \| All Downloads \| Buy Online \| Get Support Now \| Documentation Library

Last Modified: Thursday, March 30, 2015

Home > CVS > Security > CVSNT 2.x SSERVER and SYNC impacted by CVE-2015-0204

What is CVE?

CVE is a list of information security vulnerabilities and exposures that aims to provide common names for publicly known problems. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, repositories, and services) with this "common enumeration."

What is a "vulnerability"?

An information security vulnerability is a mistake in software that can be directly used by a hacker to gain access to a system or network. See the Terminology page for a complete explanation of how this term is used on the CVE Web site.

CVSNT 2.x SSERVER and SYNC impacted by CVE-2015-0204 and/or CVE-2015-1637

Common Vulnerabilities and Exposures - Factoring RSA Export Keys (FREAK)

Overview

March Hare Software CVSNT 2.x uses the openssl encryption library within the SSERVER and SYNC protocols which has a known security vulnerability CVE-2015-0204. March Hare Software CVSNT 2.5.05 on Windows optionally uses the Schannel encryption library within the SSERVER protocol which has a known security vulnerability CVE-2015-1637.

I. Description

If you are using the SSERVER protocol (eg: cvs -d :sserver:hostname:/myrepo co mymodule) or SYNC protocol (within the sync trigger for repository replication) then your system is susceptible to allowing remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role. The sserver_protocol.dll, sync_protocol.dll, protocols/sync.dll or protocols/sserver.dll contains links with OpenSSL on all operating systems. On windows operating systems the CVS Suite (CVSNT) installer includes a vulnerable OPENSSL library named ssleay32_vc71.dll and libeay32_vc71.dll or named ssleay32.dll and libeay32.dll. If you are using the insecure PSERVER protocol (eg: cvs -d :pserver:user@hostname:/myrepo co mymodule), SSPI protocol (eg: cvs -d :sspi:hostname:/myrepo co mymodule), GSERVER protocol (eg: cvs -d :gserver:hostname:/myrepo co mymodule) or SSH protocol (eg: cvs -d :ssh:hostname:/myrepo co mymodule) then your system is NOT susceptible.

March Hare Software have analysed the code and found an exploit for this vulnerability or exposure is possible.

II. Impact

A non-privileged user may gain write access to any module/directory including CVSROOT, then by modifying an existing CVSROOT administrative script or introducing a new administrative script to CVSROOT an attacker may be able to execute arbitrary code on the server (regardless of server operating system) - including the ability to delete repository history, install a back door, or other additional exploit.

III. Solution

Apply an update or disable the affected protocol(s) or uninstall the affected protocol(s)

This issue (for SSERVER) is addressed in CVS Suite 2009 Build 5561 or Build 5786 or Build 5876 or Build 5940 or Build 6145 and higher and CVS Suite 2010 Build 5561 or Build 5786 or Build 5876 or Build 5940 or Build 6145 (the following builds do NOT include the fix: CVS Suite 2009 Build 6002 and 6052 and 6094, plus CVS Suite 2010 Build 6002 and 6052 and 6094), which modifies the ciphers that the server accepts. Customers with an active software maintenance contract will be able to download the update from the customer area of the march-hare.com web site.

On Mac, Linux and Unix - installing the Operating System Vendors OpenSSL patch for CVE-2015-0204 will resolve the issue. On Windows installing build 5561 or later will update the installed OpenSSL library.

All versions of CVSNT 2.x before 2.8.01.5561 and 2.8.02.5561 as well as 2.8.01.6002, 2.8.01.6052, 2.8.01.6094, 2.8.02.6002, 2.8.02.6052, 2.8.02.6094 are vulnerable if you are using the SSERVER or SYNC protocols. The only currently available workaround is to use an alternative secure protocol, eg: SSPI (with NTLM disabled in the Active Directory) or GSERVER.

Note: the fix included in 2.8.01.5561 and 2.8.02.5561 also addresses the known RC4 weak encryption problem, so called 'Bar Mitzvah'

Note: the SYNC protocol is currently in BETA. Build 5561 includes a fixed OpenSSL library on Windows which technically resolves this issue. A comprehensive update to the SYNC protocol will include cipher selection for the SYNC protocol. A future release of CVS Suite 2010 (2.8.02) will include these improvements to the SYNC protocol.

Systems Affected

Vendor	Status	Date Notified	Date Updated
March Hare Software	Vulnerable		2015-03-05
March Hare Software	Resolved		2015-03-30

References

http://customer.march-hare.com/webtools/bugzilla/ttshow_bug.cgi?id=6819&tt=1
http://customer.march-hare.com/webtools/bugzilla/ttshow_bug.cgi?id=6820&tt=1
http://march-hare.com/cvspro/security.htm

Credit

This document was written by March Hare Software.

Other Information

Date Public:	2015-03-05
Date First Published:	2015-03-05
Date Last Updated:	2015-03-30
CERT Advisory:
CVE-ID(s):	CVE-2015-0204
NVD-ID(s):
US-CERT Technical Alerts: