COMMAND

    CVS pserver

SYSTEMS AFFECTED

    Vulnerable versions of CVS include 1.7, 1.8, 1.9 and 1.9.8.

PROBLEM

    Cyclic  Software  has  received  reports  of  a security hole that
    affects many CVS servers using the pserver authentication method.

    Under some circumstances an attacker can supply an alternate
    CVSROOT/passwd file, which a CVS pserver server will then use to
    give the attacker access to any user on the system.  The client
    names the repository path during pserver authentication, and the
    server consults CVSROOT/passwd beneath whatever path it is given;
    an attacker who can place a passwd file of their own anywhere the
    server can read it can therefore point the server at that file and
    log in under any account it lists.

    If  you  aren't  sure  whether  you  are  running pserver, look at
    /etc/inetd.conf for mentions  of CVS.   Pserver typically runs  on
    port 2401  ("cvspserver").   Note that  on some  systems the inetd
    configuration file may have a different name or be in a  different
    location.  Please consult your documentation if the  configuration
    file is not found in /etc/inetd.conf.

    This attack  requires an  intruder to  be able  to make  a network
    connection  to  a  vulnerable  CVS  server.   This means that some
    sites, depending  on their  security configurations  and policies,
    may not have an urgent need to take action.

    If the machine running the CVS server also runs a service that
    allows file upload (for example, anonymous FTP configured to accept
    uploads), then anyone who can upload a file can gain full access
    to the server system.  If there is no such service, users who
    already have some access to the server system (enough to create a
    file that the server can read) can gain access as any other user,
    including privileged users.

SOLUTION

    CVS 1.9.10 is not vulnerable provided that the advice below is
    followed, so upgrade the CVS server to CVS 1.9.10.  There is no
    need to upgrade CVS clients.  When you upgrade you will need to
    add --allow-root to the cvs invocation in inetd.conf, as described
    in the CVS 1.9.10 distribution; that option restricts the
    repository paths the server will accept from a client, which is
    what closes the hole.

    Note that CVS 1.9.10 is an  interim release.  It has not  received
    as much testing as a released  version such as CVS 1.9, so  people
    who are  not vulnerable  to this  security hole  may wish  to stay
    with CVS 1.9.  CVS 1.9.10 is available for free download from:

        http://download.cyclic.com or ftp://download.cyclic.com.

    Even if you upgrade  to CVS 1.9.10, there  is still an issue  with
    the  repository  permissions  (as  long  as  you  continue  to use
    pserver).   You probably  want to  change the  permissions on  the
    $CVSROOT    and    $CVSROOT/CVSROOT     directories    and     the
    $CVSROOT/CVSROOT/passwd file as follows:

        Note that  because the  `$CVSROOT/CVSROOT' directory  contains
        `passwd' and other files which are used to check security, you
        must control the permissions  on this directory as  tightly as
        the permissions on `/etc'.  The same applies to the `$CVSROOT'
        directory  itself  and  any  directory  above  it in the tree.
        Anyone who has write access to such a directory will have  the
        ability to  become any  user on  the system.   Note that these
        permissions are typically  tighter than you  would use if  you
        are not using pserver.

    Also,  using  some  authentication  mechanism  other  than pserver
    avoids the problem completely.  In particular, running CVS over  a
    remote  execution  program  such  as  rsh,  kerberized rsh, or ssh
    involves no  network security  implications beyond  those involved
    in running the remote execution program in the first place.