Security hole affects many CVS pserver installations

Cyclic Software has received reports of a security hole that affects many CVS servers using the pserver authentication method. We recommend that sites take appropriate actions depending on their situation and security needs.

I. Description

Under some circumstances an attacker can supply an alternate CVSROOT/passwd file, which a CVS pserver will consult instead of the real one and so give the attacker access as any user on the system. Versions before 1.9.10 accept whatever repository directory the client names when it connects, so a CVSROOT/passwd file placed anywhere the attacker can write on the server's filesystem is treated as the authoritative password file for that "repository"; the --allow-root restriction introduced in 1.9.10 (see section III) is what closes this.

Vulnerable versions of CVS include 1.7, 1.8, 1.9 and 1.9.8.

Version 1.9.10 is not vulnerable provided that the advice in section IV "Additional Solution" is followed.

Those not running a pserver server are safe from this problem. If you aren't sure whether you are running pserver, look at /etc/inetd.conf for mentions of CVS. Pserver typically runs on port 2401 ("cvspserver").

Note that on some systems the inetd configuration file may have a different name or be in a different location. Please consult your documentation if the configuration file is not found in /etc/inetd.conf.

This attack requires an intruder to be able to make a network connection to a vulnerable CVS server. This means that some sites, depending on their security configurations and policies, may not have an urgent need to take action.

II. Impact

If the machine running the CVS server also runs a service that allows file upload (for example, anonymous FTP, if it is configured to permit uploads), then anyone who can upload a file can gain full access to the server system. If there is no such service, then users who already have some access to the server system (such as a local account) can gain access as any other user, including privileged users.

III. Solution(s)

Upgrade the CVS server to CVS 1.9.10. There is no need to upgrade CVS clients. When you upgrade you will need to add an --allow-root=DIRECTORY option to the cvs command line in inetd.conf, one for each repository the server is meant to serve, as described in the CVS 1.9.10 distribution; the server then refuses any repository path not listed.
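A way to make the "are we running pserver" check from section I, and to confirm after upgrading that --allow-root is actually in place, as an added shell script that is not part of the advisory: it reads an inetd.conf, skips comments and blank lines, and reports each enabled cvspserver entry as "vulnerable" when the cvs command line carries no --allow-root= option (the pre-1.9.10 form) or "restricted" when it does. The function name pserver_status, the acceptance of a raw port number 2401 in the service column, and the two sample configurations are my own constructions; the inetd.conf lines follow the usual layout of service, socket type, protocol, wait flag, user, server program and arguments.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether an inetd.conf
# enables cvspserver and whether the cvs command line carries --allow-root.
# An enabled entry without --allow-root is the pre-1.9.10 form, in which
# the client chooses the repository path.

# pserver_status INETD_CONF
#   Prints one line per enabled cvspserver entry:
#     "vulnerable <server and args>"  when --allow-root= is absent
#     "restricted <server and args>"  when --allow-root= is present
#   Prints "disabled" when no cvspserver entry is enabled.
pserver_status() {
    conf=$1
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            \#*|'') continue ;;            # commented-out or blank line
        esac
        # inetd.conf fields: service socket proto wait user server [args...]
        set -f                            # no globbing while word-splitting
        set -- $line
        set +f
        [ $# -ge 6 ] || continue          # malformed line, ignore
        case "$1" in
            cvspserver|2401) ;;           # service name, or raw port (assumed)
            *) continue ;;
        esac
        found=1
        shift 5                           # keep server program and its args
        cmdline=$*
        case " $cmdline " in
            *" --allow-root="*) echo "restricted $cmdline" ;;
            *)                  echo "vulnerable $cmdline" ;;
        esac
    done < "$conf"
    [ "$found" -eq 1 ] || echo disabled
}

# Constructed sample configurations (not real systems), written to
# temporary files so the function can be exercised offline.
OLD_CONF=$(mktemp)
NEW_CONF=$(mktemp)
cat > "$OLD_CONF" <<'EOF'
# pre-1.9.10 style: any repository path the client names is accepted
ftp        stream  tcp  nowait  root  /usr/sbin/ftpd  ftpd -l
cvspserver stream  tcp  nowait  root  /usr/local/bin/cvs  cvs pserver
EOF
cat > "$NEW_CONF" <<'EOF'
# 1.9.10 style: only the listed repository may be served
cvspserver stream  tcp  nowait  root  /usr/local/bin/cvs  cvs --allow-root=/usr/local/cvsroot pserver
#cvspserver stream tcp nowait root /usr/local/bin/cvs cvs pserver
EOF

pserver_status "$OLD_CONF"   # vulnerable /usr/local/bin/cvs cvs pserver
pserver_status "$NEW_CONF"   # restricted /usr/local/bin/cvs cvs --allow-root=/usr/local/cvsroot pserver
rm -f "$OLD_CONF" "$NEW_CONF"
```

Run it against the real file with `pserver_status /etc/inetd.conf` (or whatever path section I's note about differently named configuration files applies on your system). Note that a "restricted" result only shows the option is present; it says nothing about the permissions on the listed repository, which section IV covers.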

Note that CVS 1.9.10 is an interim release. It has not received as much testing as a released version such as CVS 1.9, so people who are not vulnerable to this security hole may wish to stay with CVS 1.9. CVS 1.9.10 is available for free download from http://download.cyclic.com or ftp://download.cyclic.com.

IV. Additional Solution

Even if you upgrade to CVS 1.9.10, there is still an issue with repository permissions for as long as you continue to use pserver. You probably want to tighten the permissions on the $CVSROOT and $CVSROOT/CVSROOT directories and on the $CVSROOT/CVSROOT/passwd file so that nobody but the administrator can write to them, for the following reason:

Note that because the `$CVSROOT/CVSROOT' directory contains `passwd' and other files which are used to check security, you must control the permissions on this directory as tightly as the permissions on `/etc'. The same applies to the `$CVSROOT' directory itself and any directory above it in the tree. Anyone who has write access to such a directory will have the ability to become any user on the system. Note that these permissions are typically tighter than you would use if you are not using pserver.
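The check that guidance implies, as an added shell script that is not part of the advisory: starting from a repository directory it walks up to a top directory (by default /) and flags every directory on the way, and then the CVSROOT directory and passwd file, that group or other can write to. It reads only the mode string of `ls -ld`, so it needs nothing beyond a POSIX shell. The function name check_cvsroot_perms and the optional second argument are my own; the advisory prescribes no particular script.

```shell
#!/bin/sh
# Added audit script (not from the advisory): reports any directory from
# the repository up to TOP, and the CVSROOT directory and passwd file,
# that is writable by group or other. Anyone who can write to such a
# directory can replace CVSROOT/passwd and thereby become any user.

# mode_string PATH -> the ten-character mode field of `ls -ld PATH`
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# writable_by_others PATH -> true (0) when group or other has write
# permission; column 6 is group write, column 9 is other write.
writable_by_others() {
    case "$(mode_string "$1")" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# check_cvsroot_perms REPO [TOP]
#   Lists offending paths on stdout; returns 0 if the tree is tight,
#   1 if anything was flagged, 2 if REPO does not exist.
#   TOP (default /) is the last ancestor checked; pass a higher directory
#   only when you already know everything above it is locked down.
check_cvsroot_perms() {
    repo=$1
    top=${2:-/}
    rc=0
    d=$(cd "$repo" 2>/dev/null && pwd -P) || { echo "no such directory: $repo" >&2; return 2; }
    top=$(cd "$top" 2>/dev/null && pwd -P) || top=/
    # The repository directory and every ancestor up to TOP.
    while :; do
        if writable_by_others "$d"; then
            echo "WRITABLE: $d ($(mode_string "$d"))"
            rc=1
        fi
        [ "$d" = "$top" ] && break
        [ "$d" = "/" ] && break
        d=$(dirname "$d")
    done
    # The administrative directory and the password file themselves.
    for f in "$repo/CVSROOT" "$repo/CVSROOT/passwd"; do
        if [ -e "$f" ] && writable_by_others "$f"; then
            echo "WRITABLE: $f ($(mode_string "$f"))"
            rc=1
        fi
    done
    return $rc
}

# Usage: check_cvsroot_perms /usr/local/cvsroot
```

A clean run prints nothing and exits 0. Each flagged line names the path and its mode, which is enough to decide between a chmod and moving the repository somewhere not under a shared or world-writable directory. The script deliberately walks all the way to / by default, because a writable ancestor (a repository kept under /tmp, say) is exactly the case the note above warns about.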

V. Workarounds

Using some authentication mechanism other than pserver avoids the problem completely. In particular, running CVS over a remote execution program such as rsh, kerberized rsh, or ssh involves no network security implications beyond those involved in running the remote execution program in the first place.

VI. For future information

For future updates on CVS security, consult http://www.cyclic.com. In particular, there is a security page at http://www.cyclic.com/cyclic-pages/security.html.