Microsoft security researchers discovered four vulnerabilities in the Perforce Helix Core Server platform, one of them a critical-severity flaw that allows unauthenticated remote code execution. Microsoft urges users to update to the patched software version to receive the relevant security fixes.
Microsoft Warns Users Of Severe Perforce Helix Core Server Vulnerabilities
In a recent post, Microsoft elaborated on the Perforce Helix Core Server vulnerabilities that its researchers discovered during a security review. An unauthenticated adversary could exploit the vulnerabilities to trigger a denial of service on the target system or, in the worst case, execute arbitrary code on it.
In brief, the four vulnerabilities are:
- CVE-2023-45849 (CVSS 9.8): Unauthenticated arbitrary code execution as LocalSystem via the user-bgtask RPC command. The vulnerability gives unauthenticated remote attackers the ability to run commands with system-level (LocalSystem) privileges on the server. Exploiting the flaw could let an attacker implant backdoors, exfiltrate source code, and steal other sensitive information.
- CVE-2023-5759 (CVSS 7.5): Unauthenticated DoS via RPC header abuse
- CVE-2023-35767 (CVSS 7.5): Unauthenticated DoS via the rmt-Shutdown RPC command
- CVE-2023-45319 (CVSS 7.5): Unauthenticated DoS via the rmt-UpdtFovrCommit RPC command
Microsoft has shared a detailed technical analysis of these vulnerabilities, and of how it discovered them, in its post.
After discovering the vulnerabilities, Microsoft responsibly disclosed them to the vendor in August 2023. Following the bug report, Perforce developed the relevant security fixes and shipped all of them in Perforce Helix Core Server version 2023.1/2513900, released in November 2023. Users must upgrade to this (or a later) version to avoid potential threats.
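Because every fix landed in one build, the practical check is whether a server reports release 2023.1 at changelist 2513900 or later. The following script is an added example (not code from the original article, Microsoft, or Perforce) that parses the `Server version:` line printed by `p4 info` and compares it against that baseline. It assumes the standard `P4D/<platform>/<release>/<changelist>` version format that `p4 info` prints, treats any release line newer than 2023.1 as patched and any older line as unpatched (a conservative assumption, since the article only names the 2023.1 build), and uses constructed sample output so it runs offline.

```python
import re
import subprocess

# Baseline fixed build named in the advisory: release 2023.1, changelist 2513900.
FIXED_RELEASE = (2023, 1)
FIXED_CHANGE = 2513900

# `p4 info` prints a line such as (format assumed from Perforce's usual output):
#   Server version: P4D/LINUX26X86_64/2023.1/2513900 (2023/11/07)
VERSION_RE = re.compile(
    r"^Server version:\s*P4D/(?P<platform>[^/]+)/(?P<release>\d{4}\.\d+)/(?P<change>\d+)",
    re.MULTILINE,
)


def parse_server_version(p4_info_output):
    """Return ((major, minor), changelist) from `p4 info` text, or None if absent."""
    match = VERSION_RE.search(p4_info_output)
    if match is None:
        return None
    major, minor = match.group("release").split(".")
    return (int(major), int(minor)), int(match.group("change"))


def is_patched(p4_info_output):
    """True when the server build is at or past 2023.1/2513900.

    Assumption: a release line newer than 2023.1 is considered patched and an
    older release line is considered unpatched; only the 2023.1 line is compared
    by changelist number.
    """
    parsed = parse_server_version(p4_info_output)
    if parsed is None:
        raise ValueError("no 'Server version:' line found in p4 info output")
    release, change = parsed
    if release != FIXED_RELEASE:
        return release > FIXED_RELEASE
    return change >= FIXED_CHANGE


def check_server(p4port):
    """Query a live server with `p4 -p host:port info` and report its patch status."""
    result = subprocess.run(
        ["p4", "-p", p4port, "info"], capture_output=True, text=True, check=True
    )
    return is_patched(result.stdout)


# Constructed sample outputs (not captured from real servers) for offline use.
SAMPLE_OLD_BUILD = "Server version: P4D/LINUX26X86_64/2023.1/2442000 (2023/06/01)\n"
SAMPLE_FIXED_BUILD = "Server version: P4D/NTX64/2023.1/2513900 (2023/11/07)\n"

if __name__ == "__main__":
    for label, sample in (("old", SAMPLE_OLD_BUILD), ("fixed", SAMPLE_FIXED_BUILD)):
        status = "patched" if is_patched(sample) else "VULNERABLE - upgrade to 2023.1/2513900"
        print(f"{label}: {status}")
```

Run `check_server("perforce.example:1666")` against a reachable server to test a real instance; the two sample strings exercise the comparison without network access.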
Perforce Helix Core Server is a dedicated source code management platform that gives users a central location to store source code, files, and digital assets. The platform has a large user base across sectors such as government, military, gaming, and technology, and its customers include prominent tech companies, Microsoft among them.
Let us know your thoughts in the comments.