Vulnerability or Exposure Note 5871 (CVE-2010-1326)
March Hare Software CVSNT branch name ACL
OverviewMarch Hare Software CVSNT contains a branch name ACL vulnerability or exposure in the
/usr/bin/cvs file, which may allow a remote, unauthorised attacker to execute arbitrary code on any installed operating system.
I. DescriptionMarch Hare Software CVSNT provides support for Access Control Lists and Branches through the use of the
/usr/bin/cvs component. The
/usr/bin/cvs contains a vulnerability or exposure in the use of a branch name to authenticate an access control list, which affects CVSNT on all operating systems: CVSNT 2.0.58 and later (including all builds of 2.5.01, 2.5.02, 2.5.03 before build 3736 and 2.5.04 releases before build 2862; CVS Suite 2.5.03, CVS Suite 2008 before build 3736 and CVS Suite 2009 pre-releases before 3729.
Exploit code for this vulnerability or exposure has been tested by March Hare Software.
II. ImpactA non-privileged user may create a branch (or fake a branch on a client sandbox) with a specially crafted name to gain write access to any module/directory including CVSROOT. Then by modifying an existing CVSROOT administrative script or introducing a new administrative script to CVSROOT an attacker may be able to execute arbitrary code on the server (regardless of server operating system) - including the ability to delete repository history, install a back door, or other additional exploit.
III. SolutionApply an update
This issue is addressed in CVS Suite 2008 Build 3736 and CVS Suite 2009 Build 3729 (and higher), which modifies the way CVSNT handles branch names and Access Control Lists. Customers with an active software maintenance contract may download the update from the customer area of the march-hare.com web site.
CVSNT 2.5.04 build 2862 and later (including CVSNT 2.5.05) are not vulnerable because the ACL code was rewritten when XML processing was changed from expat to libxml2 2.6.2x (compatible libxml2 libraries are shipped with Red Hat Enterprise Linux 5 and Solaris 10). CVSNT source code for 2.5.05 and 2.5.04 may be downloaded from the download page of the march-hare.com web site.
Use a chroot jail with CVSNT on Linux/Unix
March Hare Software has published more information on chroot jail as a mitigation for this vulnerability or exposure.
|Vendor||Status||Date Notified||Date Updated|
|March Hare Software||Vulnerable||2010-03-16|
This document was written by March Hare Software.
|Date First Published:||2010-04-06|
|Date Last Updated:||2010-04-15|
|CERT Advisory:|| |
|US-CERT Technical Alerts:|| |