Security FAQs:
CVE-2012-0804 discovered in CVS
CVE-2010-3846 discovered in CVS
Vulnerability or Exposure Note 5871 (CVE-2010-1326) in CVSNT
CVE-2009-3736 discovered in libltdl (libtool)
CAN-2005-2096 discovered in zlib
CAN-2005-2693 discovered in CVSBUG
CAN-2005-2491 discovered in the PCRE library
Misconfigured CVSNT Servers on Unix and Linux do not enforce limited repositories
CAN-2005-0753 discovered in CVS
CAN-2004-0396 discovered in CVS
CAN-2004-0778 discovered in CVS
Is CVSNT more secure than CVS?
Can CVS/CVSNT client users execute arbitrary programs on the server?
What can I do to maximise the security of my CVS installation?
Why are security protocols/authentication mechanisms important?
What are the drawbacks to using server authentication?
What security protocols/authentication mechanisms do March Hare Software recommend?
What is a "chroot jail" and how do I set one up?
Is CVSNT affected by the recent security vulnerability CVE-2012-0804 discovered in CVS?
No, CVSNT is not affected by CVE-2012-0804. Versions of CVS 2.x are not affected by this issue.
Is CVSNT affected by the recent security vulnerability CVE-2010-3846 discovered in CVS?
No, CVSNT is not affected by CVE-2010-3846. Versions of CVS 2.x are not affected by this issue.
Vulnerability or Exposure Note 5871 (CVE-2010-1326)
Please refer to Vulnerability or Exposure Note 5871 for detailed information.
CVS Suite 2008 [CVSNT 2.5.03.3736] (released after 16th March 2010), CVS Suite 2009 [CVSNT 2.8.01.3729] (released after 11th March 2010), CVSNT 2.5.04.2862 (released after 26th October 2007) and later including CVSNT 2.5.05 are not affected by this issue.
Is CVSNT affected by the recent security vulnerability CVE-2009-3736 discovered in libltdl (libtool)?
CVSNT is not affected by CVE-2009-3736. CVSNT uses libtool on Linux/Unix (Solaris and HPUX) and Mac OS X to hide the complexity of loading dynamic runtime libraries - it is NOT used on MS Windows. The vulnerability is limited to software that uses libltdl to load libraries that have an associated .la file with a non-empty old_library field and is only a problem if a static archive was built. On Unix/Linux and Mac OS X, CVSNT is only run privileged (and therefore needs to be secure) when started from inetd, xinetd or cvsmanager - in these cases the user LD_LIBRARY_PATH and/or current directory cannot be compromised without already having root privileges.
Is CVSNT affected by the recent security vulnerability CAN-2005-2096 discovered in the zlib?
CVSNT on some systems/platforms is affected by CAN-2005-2096. If on your platform CVSNT is linked to a shared version of zlib then you should contact your operating system vendor to ensure the zlib has been updated to resolve this issue. Statically linked versions of CVSNT 2.5.03 (released after 23rd June 2006) are not affected by this issue.
Is CVSNT affected by the recent security vulnerability CAN-2005-2693 discovered in the CVSBUG?
No, CVSNT is not affected by CAN-2005-2693. Versions of CVSNT 2.x (released on 4th April 2003) are not affected by this issue.
Is CVSNT affected by the recent security vulnerability CAN-2005-2491 discovered in the PCRE library?
Yes, CVSNT is affected by CAN-2005-2491. Versions of CVSNT 2.5.02 build 2088 and later (released on 12th September 2005) are not affected by this issue. To exploit this vulnerability the attacker would already require access to the CVSROOT. CVSNT is designed so that any person with access to CVSROOT should be assumed to have permission to run arbitrary code on the server, therefore the risk of damage caused by this vulnerability is classified as low for CVSNT server users. Running CVSNT in a chroot jail will prevent any attack from affecting other software running on the same server.
Misconfigured CVSNT Servers on Unix and Linux do not enforce limited repositories
CVSNT is designed to restrict access to defined repositories on a server. If CVSNT is misconfigured on a Linux or Unix server then this function may be disabled. The configuration file /etc/cvsnt/PServer should be readable by all users to ensure that the CVSNT server can read the list of available repositories. Versions of CVSNT 2.5.02 (released on 22nd August 2005) are not affected by this issue.
Is CVSNT affected by the recent security vulnerability CAN-2005-0753 discovered in CVS?
No, CVSNT is not affected by CAN-2005-0753. Versions of CVSNT 2.x (released on 4th April 2003) are not affected by this issue.
Is CVSNT affected by the recent security vulnerability CAN-2004-0396 discovered in CVS?
CVSNT is not affected by CAN-2004-0396. Versions of CVSNT 2.x (released on 4th April 2003) are not affected by this issue.
Is CVSNT affected by the recent security vulnerability CAN-2004-0778 discovered in CVS?
CVSNT is affected by CAN-2004-0778. Versions of CVSNT 2.0.51 build D and later are not affected by this issue. On Unix (Solaris, HPUX, Red Hat, Mac OS X etc.) this problem does not arise if CVS is protected in a "chroot jail" as recommended by March Hare Software (see below). On Windows systems the vulnerability is of limited value since it only allows the hacker to identify that a file exists, not execute it or read it. Since most Windows systems contain the same files in the same location, having such a "back door" is of limited use.
Is CVSNT more secure than CVS?
CVSNT is not immune from security vulnerabilities - however we have mitigated the risks to CVSNT users by designing it to operate in a secure and robust way. The evidence is that CVSNT is not affected by CAN-2004-0396.
CVSNT 2.0.51b includes the ability to lock down the server (in a "chroot jail") so it always operates as a nonprivileged user.
As well as dropping privileges the whole process is then sandboxed into a small area and cannot go any further.
Can CVS/CVSNT client users execute arbitrary programs on the server?
It should be assumed that anyone with commit access to the CVSROOT directory in the repository is capable of running any arbitrary executable. CVSNT server allows you to specify permissions on each directory to prevent this access. Additional security tools such as chroot and run-as-user also help guard against arbitrary code execution by clients.
What can I do to maximise the security of my CVS installation?
We recommend our CVS Professional Support services which will keep you informed of security issues and have an installation programme designed to ensure that CVSNT is correctly configured at your site.
Why are security protocols/authentication mechanisms important?
The authentication mechanism is separate from the rest of CVSNT, and until you can log on you cannot use any of the more sophisticated hacking techniques to damage files and folders.
Authentication can be further delegated to the operating system of the server itself. For maximum security March Hare recommend allowing the server operating system to handle security: SSPI (Kerberos only, with NTLM disabled), and ssh (using a Unix server and high-strength RSA keys).
What are the drawbacks to using server authentication?
Some administrators are concerned that allowing the server operating system to authenticate users can pose a security threat in itself, the expectation being that if a hacker can bypass the operating system security then they have "free rein".
This can be mitigated by setting expiration times on the security tickets (eg: Microsoft Active Directory has a kerberos ticket lifetime that can be locked down so it doesn't automatically renew), and the CVSNT passwd file can be used to restrict authenticated users to a subset of the possible users on the server.
What security protocols/authentication mechanisms do March Hare Software recommend?
We recommend that pserver is disabled (CVSNT allows protocols to be disabled without the need to re-compile). For specific client and server protocols please see the tables below:
Server Platform Security Recommendation

| Server   | Protocol    | CVSNT | CVS    |
| Windows  | sserver [1] | YES   | NO     |
| Mac OS X | ssh         | YES   | NO [3] |
| Unix     | ssh         | YES   | NO [3] |

Client Platform Security Recommendation

| Client (Server)                | Protocol               | CVSNT | CVS    |
| Windows (Windows)              | sserver [1]            | YES   | NO     |
| Windows (non-Windows)          | ssh                    | YES   | NO [3] |
| Mac OS X or Unix (Windows)     | sserver or gserver [2] | YES   | NO     |
| Mac OS X or Unix (non-Windows) | ssh                    | YES   | NO [3] |

Notes
[1] SSPI is also considered secure provided that Active Directory is set to enable Kerberos authentication only (i.e. NTLM disabled)
[2] Where gserver is available it provides equivalent security to ssh
[3] CVS can be configured to use SSH, however additional tools and configuration are required (CVSNT includes an SSH protocol to make this simpler)
What is a "chroot jail" and how do I set one up?
A "chroot jail" is a security mechanism for Unix-based operating environments such as Red Hat Linux, Solaris, HPUX and Mac OS X. It is a place to install CVSNT so that no other files can be accessed, either accidentally or by a hacker.
Set the Chroot variable in /etc/cvsnt/PServer and it'll chroot after doing the authentication - you no longer need to put any libraries in the chroot, which is much safer (it just needs a /tmp to put the temporary files in).
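The two configuration points this FAQ makes about Unix servers (the /etc/cvsnt/PServer file must be world-readable so the server can read its repository list, and the Chroot variable in that file should be set so the server jails itself after authentication) are easy to check on a host. The following shell script is an added example and is not March Hare's own tooling; it assumes the KEY=VALUE layout of a typical CVSNT PServer file (lines such as Repository0=/path and Chroot=/jail), and its demonstration runs on constructed sample files rather than a real site configuration.

```shell
#!/bin/sh
# Added example, not March Hare's own tooling: check a CVSNT PServer
# configuration file against two points from this FAQ:
#   1. the file must be world-readable so the server can read the repository list;
#   2. the Chroot variable should be set so the server jails itself after
#      authentication (the jail only needs a /tmp for temporary files).
# Assumption: the file holds KEY=VALUE lines such as Repository0=/path and
# Chroot=/jail, as on typical CVSNT installs; adjust the patterns if yours differs.

check_pserver_config() {
    cfg="${1:-/etc/cvsnt/PServer}"
    status=0

    if [ ! -f "$cfg" ]; then
        echo "FAIL: $cfg does not exist" >&2
        return 2
    fi

    # The 'other' read bit is column 8 of the ls -l mode string, e.g. -rw-r--r--
    other_read=$(ls -ld "$cfg" | cut -c8)
    if [ "$other_read" = "r" ]; then
        echo "ok:   $cfg is world-readable"
    else
        echo "FAIL: $cfg is not world-readable; the server may not see its repository list" >&2
        status=1
    fi

    # Chroot=<path>: take the first non-comment assignment, ignoring surrounding blanks
    chroot_dir=$(sed -n 's/^[[:space:]]*Chroot=[[:space:]]*//p' "$cfg" | head -n 1)
    if [ -z "$chroot_dir" ]; then
        echo "WARN: Chroot is not set in $cfg; the server will not jail itself" >&2
        status=1
    elif [ ! -d "$chroot_dir/tmp" ]; then
        echo "WARN: Chroot=$chroot_dir but $chroot_dir/tmp is missing" >&2
        status=1
    else
        echo "ok:   Chroot=$chroot_dir (with a tmp directory inside the jail)"
    fi

    # List the configured repositories so the administrator can confirm the set
    grep -E '^[[:space:]]*Repository[0-9]+=' "$cfg" | sed 's/^[[:space:]]*/repo: /' || true
    return "$status"
}

# Demonstration on constructed sample files (not a real site configuration)
demo_pserver_check() {
    work=$(mktemp -d)
    mkdir -p "$work/jail/tmp"

    printf 'Repository0=/var/cvs/project\nRepository0Name=project\nChroot=%s\n' \
        "$work/jail" > "$work/PServer.good"
    chmod 644 "$work/PServer.good"

    printf 'Repository0=/var/cvs/project\n' > "$work/PServer.bad"
    chmod 600 "$work/PServer.bad"   # unreadable by the server user, and no Chroot

    echo "--- compliant file ---"
    check_pserver_config "$work/PServer.good"
    echo "--- misconfigured file ---"
    check_pserver_config "$work/PServer.bad" || echo "(exit status $?)"

    rm -rf "$work"
}

demo_pserver_check
```

Run it as `sh check_pserver.sh` to see both cases, or call `check_pserver_config` with no argument on a server to inspect the live /etc/cvsnt/PServer; a non-zero exit status means at least one of the two FAQ points is not satisfied. The mode check reads the `ls -l` string rather than `stat` so that it behaves the same on Linux, Solaris and Mac OS X.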