CVE-2023-45849: A Max Severity Flaw in Perforce Helix Core Server

A team of vigilant researchers at Microsoft uncovered a critical Remote Code Execution (RCE) vulnerability in Perforce Helix Core Server, a widely used source code management platform in industries including video games, government, military, technology, and retail. They unearthed four vulnerabilities, but one stands out like a neon sign in the cyber shadows: CVE-2023-45849, a critical RCE bug with the maximum score of 10.0 on the CVSS severity scale. A single exploit could grant attackers unfettered control over affected systems, letting them pilfer intellectual property, plant malware, or launch crippling attacks.

CVE-2023-45849

The discovered vulnerabilities are summarized below:

  1. CVE-2023-45849 (CVSS 10): An arbitrary code execution vulnerability that results in privilege escalation was discovered in Helix Core versions prior to 2023.2.
  2. CVE-2023-35767 (CVSS 7.5): In Helix Core versions prior to 2023.2, an unauthenticated remote Denial of Service (DoS) via the shutdown function was identified.
  3. CVE-2023-45319 (CVSS 7.5): In Helix Core versions prior to 2023.2, an unauthenticated remote Denial of Service (DoS) via the commit function was identified.
  4. CVE-2023-5759 (CVSS 7.5): In Helix Core versions prior to 2023.2, an unauthenticated remote Denial of Service (DoS) via the buffer was identified.

While there’s no evidence of these vulnerabilities being exploited in the wild, their potential impact is alarming, as it could grant attackers complete control over unpatched systems and their connected infrastructure.

Microsoft’s team conducted an application security review of the Perforce Server and discovered the vulnerabilities. Notably, Microsoft’s internet-facing servers were never vulnerable to this critical flaw, ensuring that no consumer, customer, or partner data was compromised.

Following the principles of responsible disclosure, Microsoft reported these vulnerabilities to Perforce, which acknowledged the reports and promptly began remediation efforts.

Perforce Server customers are strongly advised to update to version 2023.1/2513900, which mitigates these vulnerabilities. This proactive step is crucial in safeguarding against potential exploitation. In addition, Microsoft recommends a series of defense-in-depth tactics, including regular monitoring and patch application, use of VPN and IP allow-lists, TLS certificate issuance, and network segmentation. These measures form a robust defense framework, significantly reducing the risk of exploitation.
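The first of the recommended steps is knowing whether a given server is below the patched build. The following script is an added example, not code from Microsoft or Perforce: it parses the `Server version:` line that `p4 info` prints (format `P4D/<platform>/<year.point>/<changelist>`), and reports whether the build is at or above 2023.1/2513900, the fixed version named above, or a later release. The sample `p4 info` output, hostnames and the 2022.2 changelist number are constructed for the example.

```python
"""Check a Perforce Helix Core server build against the patched version
named in the CVE-2023-45849 advisory summary (2023.1/2513900).

Added example; the 'p4 info' output below is constructed, not captured.
"""
import re
from typing import NamedTuple, Optional, Tuple

# Patched build from the advisory: 2023.1 at changelist 2513900.
# Releases at or above 2023.2 are outside the affected range ("prior to 2023.2").
FIXED_RELEASE: Tuple[int, int] = (2023, 1)
FIXED_CHANGE = 2513900


class P4Version(NamedTuple):
    platform: str
    release: Tuple[int, int]  # (year, point release), e.g. (2023, 1)
    change: int               # build changelist number


# 'p4 info' line, e.g. "Server version: P4D/LINUX26X86_64/2023.1/2513900 (2023/11/15)"
_VERSION_RE = re.compile(
    r"^Server version:\s+P4D/(?P<platform>[^/]+)/"
    r"(?P<year>\d{4})\.(?P<point>\d+)/(?P<change>\d+)"
)


def parse_p4_info(output: str) -> Optional[P4Version]:
    """Extract the server build from 'p4 info' output; None if absent."""
    for line in output.splitlines():
        m = _VERSION_RE.match(line.strip())
        if m:
            release = (int(m["year"]), int(m["point"]))
            return P4Version(m["platform"], release, int(m["change"]))
    return None


def is_patched(v: P4Version) -> bool:
    """True when the build is 2023.1/2513900 or newer (including 2023.2+)."""
    if v.release > FIXED_RELEASE:
        return True
    if v.release == FIXED_RELEASE:
        return v.change >= FIXED_CHANGE
    return False


def assess(output: str) -> str:
    """Human-readable verdict for one server's 'p4 info' output."""
    v = parse_p4_info(output)
    if v is None:
        return "unknown: no 'Server version' line found"
    status = "patched" if is_patched(v) else "VULNERABLE (below 2023.1/2513900)"
    return f"{v.release[0]}.{v.release[1]}/{v.change} on {v.platform}: {status}"


# Constructed sample outputs (hostnames and the 2022.2 changelist are made up).
SAMPLE_OLD = """User name: alice
Client name: alice-ws
Server address: perforce-old.example.internal:1666
Server version: P4D/LINUX26X86_64/2022.2/2407422 (2023/02/10)
Server license: none
"""

SAMPLE_FIXED = """User name: alice
Client name: alice-ws
Server address: perforce-new.example.internal:1666
Server version: P4D/LINUX26X86_64/2023.1/2513900 (2023/11/15)
Server license: none
"""

if __name__ == "__main__":
    # In practice feed this the output of: p4 -p <host>:1666 info
    for sample in (SAMPLE_OLD, SAMPLE_FIXED):
        print(assess(sample))
```

Run it against `p4 -p <server>:1666 info` output for each Helix Core instance in an inventory; any `VULNERABLE` verdict should be prioritised for the 2023.1/2513900 upgrade before the other hardening steps are applied.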

For a detailed exploration of this critical security issue, you can read the full article on the Microsoft Security Blog: Patching Perforce perforations: Critical RCE vulnerability discovered in Perforce Helix Core Server.