On Fri, Jun 27, 1997 at 01:14:22PM -0300, James Fifield wrote:
> This may be relevant. Should we set up a CVS connection between ccn and csuite we should
> look into this.
This is relevant because we are running pserver on csuite. We should
upgrade the version of CVS on csuite to 1.9.10.
Landon
>
> --
> James Fifield
> <fifield@ug.cs.dal.ca>
>
> CSuite Technical Staff
>
> ------------- Begin Forwarded Message -------------
>
> From NETSPACE.ORG!owner-bugtraq Fri Jun 27 12:56:16 1997
> Approved-By: aleph1@UNDERGROUND.ORG
> Mime-Version: 1.0
> Date: Fri, 27 Jun 1997 11:59:02 -0300
> From: Aleph One <aleph1@DFW.NET>
> Subject: Security hole affects many cvs pserver installations
> To: BUGTRAQ@NETSPACE.ORG
>
> Cyclic Software has received reports of a security hole that affects
> many CVS servers using the pserver authentication method. We
> recommend that sites take appropriate actions depending on their
> situation and security needs.
>
> I. Description
>
> Under some circumstances an attacker can supply an alternate
> CVSROOT/passwd file, which a CVS pserver server will use to give the
> attacker access to any user on the system.
>
> Vulnerable versions of CVS include 1.7, 1.8, 1.9 and 1.9.8.
>
> Version 1.9.10 is not vulnerable provided that the advice in section
> IV "Additional Solution" is followed.
>
> Those not running a pserver server are safe from this problem. If
> you aren't sure whether you are running pserver, look at
> /etc/inetd.conf for mentions of CVS. Pserver typically runs on port
> 2401 ("cvspserver").
>
> Note that on some systems the inetd configuration file may have a
> different name or be in a different location. Please consult your
> documentation if the configuration file is not found in
> /etc/inetd.conf.
>
> This attack requires an intruder to be able to make a network
> connection to a vulnerable CVS server. This means that some sites,
> depending on their security configurations and policies, may not have
> an urgent need to take action.
>
> II. Impact
>
> If the machine running the CVS server is also running a service which
> allows for file upload (for example, anonymous FTP if configured to do
> so), then anyone who has the ability to upload files can gain full
> access to the server system. If there is no service which allows file
> upload, then users who already have some access to the server system
> can gain access as any other user, including privileged users.
>
> III. Solution(s)
>
> Upgrade the CVS server to CVS 1.9.10. There is no need to upgrade
> CVS clients. When you upgrade you will need to add --allow-root to
> inetd.conf as described in the CVS 1.9.10 distribution.
>
> Note that CVS 1.9.10 is an interim release. It has not received as
> much testing as a released version such as CVS 1.9, so people who are
> not vulnerable to this security hole may wish to stay with CVS 1.9.
> CVS 1.9.10 is available for free download from
> http://download.cyclic.com or ftp://download.cyclic.com.
>
> IV. Additional Solution
>
> Even if you upgrade to CVS 1.9.10, there is still an issue with the
> repository permissions (as long as you continue to use pserver). You
> probably want to change the permissions on the $CVSROOT and
> $CVSROOT/CVSROOT directories and the $CVSROOT/CVSROOT/passwd file as
> follows:
>
> Note that because the `$CVSROOT/CVSROOT' directory contains
> `passwd' and other files which are used to check security, you
> must control the permissions on this directory as tightly as the
> permissions on `/etc'. The same applies to the `$CVSROOT'
> directory itself and any directory above it in the tree. Anyone
> who has write access to such a directory will have the ability to
> become any user on the system. Note that these permissions are
> typically tighter than you would use if you are not using pserver.
>
> V. Workarounds
>
> Using some authentication mechanism other than pserver avoids the
> problem completely. In particular, running CVS over a remote
> execution program such as rsh, kerberized rsh, or ssh involves no
> network security implications beyond those involved in running the
> remote execution program in the first place.
>
> VI. For future information
>
> For future updates on CVS security, consult http://www.cyclic.com. In
> particular, there is a security page at
> http://www.cyclic.com/cyclic-pages/security.html.
> ------------- End Forwarded Message -------------
--
==================================================================
Landon Boyd landon@chebucto.ns.ca
Computer Science Co-op, http://chebucto.ns.ca/~landon
Dalhousie University 902-455-4099(hm)
==================================================================
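The advisory asks an administrator to verify two things by hand: that nothing from `$CVSROOT/CVSROOT/passwd` up through its parent directories is writable by anyone but the owner (section IV), and that after upgrading to 1.9.10 the `cvspserver` line in inetd.conf passes `--allow-root` (section III). The following POSIX shell script is an added example, not part of the original post or of Cyclic Software's advisory; it automates both checks. The function names, the sample repository it builds in a temporary directory, and the sample inetd.conf lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post or of Cyclic Software's
# advisory. Audits the two settings the advisory asks an administrator
# to verify:
#   1. nothing from $CVSROOT/CVSROOT/passwd up through its ancestor
#      directories is group- or world-writable (section IV);
#   2. every active cvspserver line in inetd.conf passes --allow-root,
#      which CVS 1.9.10 requires (section III).
# Function names, the sample repository and the sample inetd.conf lines
# are constructed for this example.

# check_cvsroot_perms ROOT [TOP]
# Print every path from ROOT/CVSROOT/passwd up to and including TOP
# (default "/") whose mode grants group or world write. Return 0 when
# nothing is flagged, 1 otherwise.
check_cvsroot_perms() {
    root=$1
    top=${2:-/}
    findings=0
    p="$root/CVSROOT/passwd"
    while :; do
        if [ -e "$p" ]; then
            # Columns 6 and 9 of the ls mode string are the group and
            # world write bits; using ls avoids GNU/BSD stat differences.
            mode=$(ls -ld "$p" | cut -c1-10)
            case $mode in
                ?????w*|????????w*)
                    echo "WRITABLE: $p ($mode)"
                    findings=$((findings + 1)) ;;
            esac
        fi
        [ "$p" = "$top" ] && break
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    [ "$findings" -eq 0 ]
}

# check_inetd_allow_root CONF
# Print every active cvspserver line in CONF (lines starting with '#'
# are comments) that lacks --allow-root. Return 0 when all such lines
# carry it or none exist, 1 otherwise.
check_inetd_allow_root() {
    conf=$1
    bad=0
    while IFS= read -r line; do
        case $line in
            '#'*|'') continue ;;
            *cvspserver*)
                case $line in
                    *--allow-root*) ;;
                    *) echo "NO --allow-root: $line"
                       bad=$((bad + 1)) ;;
                esac ;;
        esac
    done < "$conf"
    [ "$bad" -eq 0 ]
}

# Demonstration on a constructed repository in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/cvsroot/CVSROOT"
    # Constructed placeholder entry in CVS passwd format: user:hash:sysuser
    printf 'anonymous:PLACEHOLDER_HASH:cvsanon\n' > "$tmp/cvsroot/CVSROOT/passwd"
    chmod 755 "$tmp" "$tmp/cvsroot" "$tmp/cvsroot/CVSROOT"
    chmod 644 "$tmp/cvsroot/CVSROOT/passwd"
    echo "--- tight permissions"
    check_cvsroot_perms "$tmp/cvsroot" "$tmp" && echo "OK: nothing group/world writable"
    echo "--- weak setting: CVSROOT directory mode 777"
    chmod 777 "$tmp/cvsroot/CVSROOT"
    check_cvsroot_perms "$tmp/cvsroot" "$tmp" || echo "FAIL: fix modes before serving pserver"

    echo "--- inetd.conf without --allow-root (pre-1.9.10 style line)"
    printf '%s\n' \
        '# cvspserver line below is constructed for this example' \
        'cvspserver stream tcp nowait root /usr/local/bin/cvs cvs pserver' \
        > "$tmp/inetd.conf"
    check_inetd_allow_root "$tmp/inetd.conf" || echo "FAIL: add --allow-root=<repository>"
    echo "--- inetd.conf with --allow-root"
    printf '%s\n' \
        'cvspserver stream tcp nowait root /usr/local/bin/cvs cvs --allow-root=/usr/local/cvsroot pserver' \
        > "$tmp/inetd.conf"
    check_inetd_allow_root "$tmp/inetd.conf" && echo "OK"
    rm -rf "$tmp"
}

demo
```

On a real server run `check_cvsroot_perms /path/to/cvsroot` with no second argument so the walk continues all the way to `/`, since the advisory's rule covers every directory above the repository. A repository placed under a sticky world-writable directory such as `/tmp` will be flagged; that is the intended outcome, because the advisory wants the tree treated as tightly as `/etc`. The second argument exists only to bound the walk in the demonstration.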