Common Vulnerabilities and Exposures - Factoring RSA Export Keys (FREAK)
OverviewMarch Hare Software CVSNT 2.x uses the openssl encryption library within the SSERVER and SYNC protocols which has a known security vulnerability CVE-2015-0204. March Hare Software CVSNT 2.5.05 on Windows optionally uses the Schannel encryption library within the SSERVER protocol which has a known security vulnerability CVE-2015-1637.
I. DescriptionIf you are using the SSERVER protocol (eg:
cvs -d :sserver:hostname:/myrepo co mymodule) or SYNC protocol (within the sync trigger for repository replication) then your system is susceptible to allowing remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role. The
protocols/sserver.dll contains links with OpenSSL on all operating systems. On windows operating systems the CVS Suite (CVSNT) installer includes a vulnerable OPENSSL library named
libeay32_vc71.dll or named
libeay32.dll. If you are using the insecure PSERVER protocol (eg:
cvs -d :pserver:user@hostname:/myrepo co mymodule), SSPI protocol (eg:
cvs -d :sspi:hostname:/myrepo co mymodule), GSERVER protocol (eg:
cvs -d :gserver:hostname:/myrepo co mymodule) or SSH protocol (eg:
cvs -d :ssh:hostname:/myrepo co mymodule) then your system is NOT susceptible.
March Hare Software have analysed the code and found an exploit for this vulnerability or exposure is possible.
II. ImpactA non-privileged user may gain write access to any module/directory including CVSROOT, then by modifying an existing CVSROOT administrative script or introducing a new administrative script to CVSROOT an attacker may be able to execute arbitrary code on the server (regardless of server operating system) - including the ability to delete repository history, install a back door, or other additional exploit.
III. SolutionApply an update or disable the affected protocol(s) or uninstall the affected protocol(s)
This issue (for SSERVER) is addressed in CVS Suite 2009 Build 5561 or Build 5786 or Build 5876 or Build 5940 or Build 6145 and higher and CVS Suite 2010 Build 5561 or Build 5786 or Build 5876 or Build 5940 or Build 6145 (the following builds do NOT include the fix: CVS Suite 2009 Build 6002 and 6052 and 6094, plus CVS Suite 2010 Build 6002 and 6052 and 6094), which modifies the ciphers that the server accepts. Customers with an active software maintenance contract will be able to download the update from the customer area of the march-hare.com web site.
On Mac, Linux and Unix - installing the Operating System Vendors OpenSSL patch for CVE-2015-0204 will resolve the issue. On Windows installing build 5561 or later will update the installed OpenSSL library.
All versions of CVSNT 2.x before 2.8.01.5561 and 2.8.02.5561 as well as 2.8.01.6002, 2.8.01.6052, 2.8.01.6094, 2.8.02.6002, 2.8.02.6052, 2.8.02.6094 are vulnerable if you are using the SSERVER or SYNC protocols. The only currently available workaround is to use an alternative secure protocol, eg: SSPI (with NTLM disabled in the Active Directory) or GSERVER.
Note: the fix included in 2.8.01.5561 and 2.8.02.5561 also addresses the known RC4 weak encryption problem, so called 'Bar Mitzvah'
Note: the SYNC protocol is currently in BETA. Build 5561 includes a fixed OpenSSL library on Windows which technically resolves this issue. A comprehensive update to the SYNC protocol will include cipher selection for the SYNC protocol. A future release of CVS Suite 2010 (2.8.02) will include these improvements to the SYNC protocol.
|Vendor||Status||Date Notified||Date Updated|
|March Hare Software||Vulnerable||2015-03-05|
|March Hare Software||Resolved||2015-03-30|
This document was written by March Hare Software.
|Date First Published:||2015-03-05|
|Date Last Updated:||2015-03-30|
|CERT Advisory:|| |
|US-CERT Technical Alerts:|| |