The Concurrent Versions System (CVS) is a major open source project resource that helps developers build and update project source code in a collaborative fashion and provides version-control management. Now, it has been found to have a critical vulnerability that can allow attackers to secretly modify source code.

In advisory CA-2003-02, “Double-Free Bug in CVS Server,” CERT warns that any of the source code maintained in CVS repositories could potentially contain malicious code, including backdoors and Trojan programs.

CNET’s reports that this vulnerability was discovered in early January 2003 by E-Matters’ Stefan Esser, who worked with key repositories before disclosing the threat publicly.

The initial report of this vulnerability, which allows remote compromise of CVS servers, was made on Jan. 20, 2003. In that report, Esser also warned of two badly documented commands, Update-prog and Checkin-prog, which allow any user to execute arbitrary commands on the server. These are not well known and, he said, can’t be turned off by the administrator.

Applicability—CVS Versions 1.11.4 and earlier
This problem is known to affect CVS versions shipped by Conectiva, Cray, Debian, IBM, MandrakeSoft, and Red Hat, but others are also probably vulnerable. Solaris is not affected by this issue because CVS isn’t included with that operating system; however, Sun Linux 5.0.3 and earlier do include a vulnerable CVS package.

HP reports that its software is not vulnerable. Apple Computer reports that its products are not vulnerable, as does Openwall. As of this writing, SCO, NEC, FreeBSD, and some other vendors had yet to determine if their software was vulnerable.

A complete, updated list of known vulnerable platforms is posted on CERT/CC Vulnerability Note VU#650937.

Risk level—critical
It doesn’t get much more critical than allowing an attacker to modify source code and secretly plant Trojans, backdoors, and other rogue code—and those are the kind of activities that can result from this flaw.

Mitigating factors
The only mitigating factor is that that the person who discovered the problem worked with vendors to fix it before disclosing it publicly.

Fix—patch or disable CVS services
CERT recommends disabling anonymous CVS server access, configuring CVS servers to run in restricted environments, and hosting CVS servers on secured systems that have no other purpose. The various workarounds do not provide complete protection. They only limit the possible damage that an attacker could cause.

Red Hat has patches available for its Advanced Server and Red Hat Linux. AIX installations may include CVS from the Linux Affinity Toolbox. (Here’s a fix.) Debian has patches for some versions; see its security site for more information.

Conectiva has patches available. For other distributions, see the CERT advisory, which includes FTP links to patches.

Final word
This is an example of the dangers posed by open source development and should serve to remind users that simply because software was developed under the auspices of open source—which can have many benefits—doesn’t mean that it’s inherently more secure than proprietary software.