US-CERT
Vulnerability Notes Database

Vulnerability Note VU#650937

Concurrent Versions System (CVS) server improperly deallocates memory

Overview

A "double-free" vulnerability in the Concurrent Versions System (CVS) server could allow a remote attacker to execute arbitrary code or commands or cause a denial of service on a vulnerable system.

I. Description

CVS is a source code maintenance system that is widely used by open-source software development projects.

The CVS server component contains a "double-free" vulnerability that can be triggered by a set of specially crafted directory change requests. While processing these requests, an error checking routine may attempt to free() the same memory reference more than once. Deallocating the already freed memory can lead to heap corruption, which may be leveraged by an attacker to execute arbitrary code. The CVS server process is commonly started by the Internet services daemon (inetd) and run with root privileges.

CVS clients are not affected.
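As an added illustration (not CVS's own code and not part of this note), the constructed C example below shows the bug pattern the description refers to, an error-checking routine that releases a buffer its caller still owns, beside a single-ownership fix; a small free-quarantine stands in for a hardened allocator so the second release is reported instead of corrupting the heap. The request text, the newline rule and all function names are assumptions.

```c
/* Constructed illustration of the double-free bug class described above; not CVS's own code. */
#include <stdlib.h>
#include <string.h>
/* Free-quarantine: released blocks are held rather than returned to the heap, so a second
 * release of the same pointer is detected instead of corrupting allocator metadata. */
#define QUARANTINE_SLOTS 64
static void *quarantine[QUARANTINE_SLOTS]; static int quarantined; /* held pointers */
/* Returns 0 if released, -1 if the pointer was already released (double free). */
int tracked_free(void *p) {
    if (p == NULL) return 0;
    for (int i = 0; i < quarantined; i++)
        if (quarantine[i] == p) return -1;
    if (quarantined < QUARANTINE_SLOTS) quarantine[quarantined++] = p; /* hold it */
    else free(p);                       /* quarantine full: fall back to a real free */
    return 0;
}
void quarantine_flush(void) { while (quarantined > 0) free(quarantine[--quarantined]); }
static char *dup_request(const char *req) {        /* malloc'd copy, like strdup */
    size_t n = strlen(req) + 1;
    char *buf = malloc(n);
    return buf ? memcpy(buf, req, n) : NULL;
}
/* Buggy pattern: the error check frees a buffer it does not own, and the caller,
 * which does own it, frees the same reference again. */
static int check_dir_request_buggy(char *buf) {
    if (strchr(buf, '\n') == NULL) {    /* invented rule: request must end in newline */
        tracked_free(buf);              /* first free, inside error handling */
        return -1;
    }
    return 0;
}
/* Both handlers return 0 (handled), 1 (rejected) or -1 (double free detected). */
int handle_request_buggy(const char *req) {
    char *buf = dup_request(req);
    if (buf == NULL) return 1;
    int rc = check_dir_request_buggy(buf);
    if (tracked_free(buf) < 0) return -1;   /* second free of the same reference */
    return rc < 0 ? 1 : 0;
}
/* Hardened pattern: single ownership. The checker only reports a verdict and
 * never frees; the owner releases the buffer exactly once, on every path. */
static int check_dir_request_fixed(const char *buf) { return strchr(buf, '\n') ? 0 : -1; }
int handle_request_fixed(const char *req) {
    char *buf = dup_request(req);
    if (buf == NULL) return 1;
    int rc = check_dir_request_fixed(buf);
    if (tracked_free(buf) < 0) return -1;   /* cannot trigger: there is only one release */
    return rc < 0 ? 1 : 0;
}
```

On a real allocator the second free() would instead corrupt or abort in heap bookkeeping, which is the condition the description says an attacker can leverage; the quarantine only makes the defect observable.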

II. Impact

Depending on configuration, operating system, and platform architecture, a remote attacker with anonymous read-only access to a vulnerable CVS server could execute arbitrary code, read sensitive information, or cause a denial of service. There is a significant secondary impact in that source code maintained in CVS repositories could be modified to include trojan horses, backdoors, or other malicious code.

III. Solution

Patch or Upgrade
    Apply the appropriate patch or upgrade as specified by your vendor. This vulnerability is resolved in CVS 1.11.5.

Disable CVS Server
    Until patches are available and can be applied, consider disabling the CVS server.

Disable Anonymous CVS Access
    Disable anonymous access to the CVS server.

Block or Restrict Access
    Block or restrict access to the CVS server from untrusted hosts and networks. The CVS server typically listens on 2401/tcp, but may use another port or protocol.

Limit CVS Server Privileges
    • Configure the CVS server to run in a restricted (chroot) environment.
    • Run CVS servers with the minimum set of privileges required on the host file system.
    • Provide separate systems for development (write) and public/anonymous (read-only) CVS access.
    • Host public/anonymous CVS servers on single-purpose, secured systems.

Note that none of these workarounds will prevent exploitation of this vulnerability. These workarounds will only limit the scope and impact of possible attacks. Other features inherent in CVS may give anonymous users the ability to gain shell access.

Systems Affected

Vendor                      Status           Date Updated
Apple Computer Inc.         Vulnerable       20-Aug-2003
Conectiva                   Vulnerable       21-Jan-2003
Cray Inc.                   Vulnerable       21-Jan-2003
CVS Home                    Vulnerable       22-Jan-2003
CVSNT                       Vulnerable       14-Feb-2003
Data General                Unknown          21-Jan-2003
Debian                      Vulnerable       22-Jan-2003
FreeBSD                     Vulnerable       4-Feb-2003
Fujitsu                     Not Vulnerable   3-Feb-2003
Gentoo Linux                Vulnerable       3-Feb-2003
Guardian Digital Inc.       Unknown          21-Jan-2003
Hewlett-Packard Company     Unknown          14-Feb-2003
Hitachi                     Not Vulnerable   4-Feb-2003
IBM                         Vulnerable       22-Jan-2003
Ingrian Networks            Not Vulnerable   14-Feb-2003
MandrakeSoft                Vulnerable       21-Jan-2003
MontaVista Software         Unknown          21-Jan-2003
NEC Corporation             Not Vulnerable   4-Feb-2003
NetBSD                      Vulnerable       4-Feb-2003
Nokia                       Unknown          21-Jan-2003
OpenBSD                     Vulnerable       4-Apr-2003
OpenPKG                     Vulnerable       3-Feb-2003
Openwall GNU/*/Linux        Not Vulnerable   4-Feb-2003
Red Hat Inc.                Vulnerable       3-Feb-2003
Sequent                     Unknown          21-Jan-2003
SGI                         Unknown          21-Jan-2003
Slackware                   Vulnerable       3-Feb-2003
Sony Corporation            Unknown          21-Jan-2003
Sun Microsystems Inc.       Vulnerable       19-Aug-2003
SuSE Inc.                   Vulnerable       14-Feb-2003
The SCO Group               Vulnerable       3-Feb-2003
Unisys                      Unknown          21-Jan-2003
Wind River Systems Inc.     Unknown          21-Jan-2003
Wirex                       Vulnerable       8-Apr-2003

References

http://security.e-matters.de/advisories/012003.html
http://ccvs.cvshome.org/servlets/NewsItemView?newsID=51
http://www.cvshome.org/docs/manual/cvs_1.html
http://www.netsys.com/library/papers/chrooted-ssh-cvs-server.txt
http://openbsd.sunsite.ualberta.ca/papers/anoncvs-paper.ps

Credit

This vulnerability was publicly reported by Stefan Esser of e-matters.

This document was written by Art Manion.

Other Information

Date Public: 01/20/2003
Date First Published: 01/21/2003 11:34:25 AM
Date Last Updated: 08/20/2003
CERT Advisory: CA-2003-02
CVE Name: CAN-2003-0015
US-CERT Technical Alerts:
Metric: 40.10
Document Revision: 33

If you have feedback, comments, or additional information about this vulnerability, please send us email.
Copyright 2003 Carnegie Mellon University