CVS Exploit Leads to Project Server Compromise

Users of Concurrent Versions System (CVS) software are being urged to patch their servers against a vulnerability that is now being actively exploited, including in the attack that compromised the project's own web site. CVS is a source code management system used by many open source development projects, raising the prospect that the exploit could be used to plant compromised code on repository servers and spread it to developers and end-users who check out or download files from them.

That risk prompted an alert Friday from US-CERT, the agency coordinating U.S. cybersecurity awareness. The vulnerability, a heap-based buffer overflow in the CVS server's handling of malformed "Entry" lines (CAN-2004-0396), was discovered May 2 by Stefan Esser of e-matters and made public, along with a patch, on May 19; the fixed releases are CVS 1.11.17 and 1.12.9. Exploiting it requires a CVS login, which makes it nominally a "local" hole, but most public CVS servers allow anonymous logins over the Internet through the pserver protocol, so in practice anyone who can reach such a server can exploit it. e-matters also reported a separate security hole in Subversion, the system intended as CVS's successor.
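A quick local audit an administrator can run against the two conditions described above (an unpatched CVS release, and pserver exposed through inetd), as an added example that is not part of the original article and not code from the CVS project. It assumes the banner format printed by `cvs --version` and the inetd.conf layout shown in the constructed samples, and it takes the first fixed releases to be 1.11.17 and 1.12.9, as the e-matters advisory states; anything older on either branch, or any 1.10.x or earlier release, is reported as vulnerable.

```shell
#!/bin/sh
# Added example: audit a host for the May 2004 CVS hole.
# Assumptions: "cvs --version" prints "... (CVS) X.Y.Z ...", inetd.conf-style
# config with "cvspserver" as the first field, and fixed releases 1.11.17 /
# 1.12.9 (per the e-matters advisory). Older branches are treated as vulnerable.

# Extract "X.Y.Z" from the first matching line of a "cvs --version" banner.
cvs_banner_version() {
    printf '%s\n' "$1" | sed -n 's/.*(CVS) \([0-9][0-9.]*[0-9]\).*/\1/p' | head -n 1
}

# Print "patched", "vulnerable" or "unknown" for a release number X.Y[.Z].
cvs_version_status() {
    ver=$1
    case "$ver" in
        ''|*[!0-9.]*) echo unknown; return ;;   # not a dotted number at all
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;   # ignore any 4th component
        *)   patch=0 ;;                                 # "1.11" -> treat as 1.11.0
    esac
    if [ "$major" -gt 1 ] || [ "$minor" -gt 12 ]; then
        echo patched            # newer branch than the advisory covers
    elif [ "$minor" -eq 12 ] && [ "$patch" -ge 9 ]; then
        echo patched            # 1.12.9 and later
    elif [ "$minor" -eq 11 ] && [ "$patch" -ge 17 ]; then
        echo patched            # 1.11.17 and later
    else
        echo vulnerable         # <= 1.11.16, <= 1.12.8, or an older branch
    fi
}

# Print "exposed" if inetd.conf-style text has an uncommented cvspserver line.
pserver_status() {
    if printf '%s\n' "$1" | grep -q '^[[:space:]]*cvspserver[[:space:]]'; then
        echo exposed
    else
        echo not-exposed
    fi
}

# One-line verdict combining both checks.
audit_cvs() {
    banner=$1
    inetd=$2
    ver=$(cvs_banner_version "$banner")
    echo "cvs ${ver:-?}: $(cvs_version_status "$ver"), pserver $(pserver_status "$inetd")"
}

# Constructed sample inputs (not captured from a real host): an unpatched
# 1.11.16 server whose inetd.conf enables anonymous-capable pserver.
SAMPLE_BANNER='Concurrent Versions System (CVS) 1.11.16 (client/server)'
SAMPLE_INETD='#cvspserver stream tcp nowait root /usr/bin/cvs cvs --allow-root=/cvsroot pserver
cvspserver stream tcp nowait root /usr/bin/cvs cvs --allow-root=/cvsroot pserver'

audit_cvs "$SAMPLE_BANNER" "$SAMPLE_INETD"
```

On a live host, replace the constructed samples with `audit_cvs "$(cvs --version 2>/dev/null)" "$(cat /etc/inetd.conf 2>/dev/null)"`; hosts that start pserver from xinetd or a wrapper script need the exposure check adapted, and a vendor-backported fix may leave an older version string in place, so check the package changelog as well before trusting a "vulnerable" verdict.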

By May 21 a working exploit was in circulation, and the CVSHome web site was offline. When the site returned to service, it carried a warning. "The cvshome site is currently being thoroughly cleaned as a direct result of an exploitative code set that attacks a cvs security violation," the message read. "The publication of this code makes all sites running cvs with any remote protocol vulnerable." The intruders apparently used the new vulnerability to compromise the server.

CVS is the dominant open source version control system, managing development efforts by tracking revisions to a project's source files. As such, it is a tempting target for attackers seeking to seed malicious code into source downloads, checkouts and the synchronized updates and patches that developers pull from a repository.

In the past year several open source projects have been targeted by attackers. Last Dec. 2 Gentoo Linux said that a distribution server was compromised, although the intrusion was detected within an hour. On Nov. 21 the Debian project said four of its servers had been compromised. In each case, project managers expressed confidence that no code had been altered.

Last August, an FTP server used by the Free Software Foundation to distribute open source code was found to have been compromised for at least four months.

Netcraft offers a range of advanced security services, including The Netcraft Network Examination, an automated vulnerability test of Internet-connected networks which checks for new security vulnerabilities and configuration errors caused by system and network maintenance.