Microsoft: Multiple Perforce Server Flaws Allow for Network Takeover

The most critical of the bugs gives attackers privileged access to the local Windows system, paving the way for unauthenticated RCE and installing backdoors.

Person in a hooded sweatshirt holding a tablet
Source: Igor Stevanovic via Alamy Stock Photo

Microsoft has identified four vulnerabilities in the Perforce source-code management platform, the most critical of which gives attackers access to a highly privileged Windows OS account to potentially take over the system via remote code execution (RCE) and even perform supply chain attacks.

Overall, the flaws discovered in the Perforce Helix Core Server, aka Perforce Server, allow threat actors potentially to engage in a range of malicious activity, including remote code execution (RCE) and denial-of-service (DoS) attacks, according to a blog post by threat intelligence firm SOCRadar.

Perforce Server is widely used to manage the software development life cycle (SDLC) across diverse industries, including gaming, government, military, technology, and retail. Microsoft discovered the flaws late summer during a security review of its game development studios, subsequently reporting them to Perforce Software.

The most critical of the flaws that Microsoft found is an arbitrary code execution flaw tracked as CVE-2023-45849 and rated 9.8 on the CVSS. The vulnerability — which stems from the mishandling of the user-bgtask RPC command by the server — grants unauthenticated attackers the ability to execute code from LocalSystem, a highly privileged Windows OS account designated for system functions.

"In its default configuration, Perforce Server allows unauthenticated attackers to remotely execute various commands, including PowerShell scripts, as LocalSystem," according to the post. "This account level facilitates access to local resources, system files, and the modification of registry settings."

By exploiting the flaw, attackers can install backdoors, access sensitive information, change system settings, and potentially take complete control of a system running a vulnerable Perforce Server version. They also could pivot to connected information or even the software supply chain given Perforce's role in management of the software development life cycle, SOCRadar warned.

High-Severity Perforce Bugs: DoS & Beyond

The other three vulnerabilities — tracked as CVE-2023-35767, CVE-2023-45319, and CVE-2023-5759 — all earned a score of 7.5 on the CVSS and pave the way for denial-of-service (DoS) attacks, with the first two enabling an unauthenticated attacker to induce DoS through remote commands, and the last allowing for exploitation via RPC header.

Specifically, CVE-2023-35767 allows for DoS via the shutdown function, CVE-2023-45319 via the commit function, and CVE-2023-5759 via the buffer, according to their listings in the NIST National Vulnerability Database.

Microsoft's Principal Security Architect Jason Geffner is credited with discovering the four flaws, which the company reported to Perforce in late August, spurring an investigation by the vendor. In early November, Perforce Software released an update to Perforce Server, version 2023.1/2513900, effectively patching the vulnerabilities.

While there is currently no evidence that attackers in the wild have targeted any of the flaws, Microsoft and SOCRadar recommend that any affected organizations immediately update to the patched version of Perforce Server, as well as remain vigilant to any exploitation.

Microsoft also made a number of other security recommendations to protect organizations running Perforce Server in their environments. The company advised that organizations regularly monitor and apply patches not just for Perforce but also for third-party software. They also should use a VPN and/or an IP allow-list to restrict communication with Perforce Server.

Other mitigation actions include issuing TLS certificates to verified Perforce users and deploying a TLS termination proxy in front of the Perforce Server to validate client TLS certificates before allowing connections. Organizations also should log all access to instances of Perforce, both through network appliances and the server itself.

According to Microsoft, further mitigations include configuring alert systems to promptly notify IT administrators and the security team in case of process crashes, and employing network segmentation to limit the potential for attackers to pivot within the network.

About the Author(s)

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights