June 17, 2004

An in-depth evaluation of CVS, a common open source tool, has uncovered more critical security holes in software used by developers to track and manage important changes in computer programming code. Not less than six vulnerabilities were discovered in the Concurrent Versions System (CVS), which is used to track and manage code on a number of leading open source software development projects.

CVS is also used by companies and organizations developing proprietary software.

The holes could enable remote attackers to launch denial of service attacks or run malicious code on systems hosting vulnerable versions of CVS, according to an alert published by e-matters GmbH.

Word of the new vulnerabilities comes just two weeks after another security hole in the software was used to hack the CVS project Web site. That compromise prompted an investigation of the CVS computer code, which revealed the latest holes, according to e-matters.

While some of the new vulnerabilities require a valid CVS user or administrator login to use, others can be exploited remotely and with few privileges on the vulnerable system, said David Endler, director of digital vaccine at TippingPoint Technologies Inc., which makes network intrusion prevention systems.

In particular, a vulnerability in a CVS function called "double-free()" was used to exploit a number of systems running the Linux operating systems, according to the e-matters alert.

"I wouldn't be surprised to see an exploit for the double-free vulnerability within the next few days," Endler said.

The CVS project released a software update fixing the holes, including the three discovered by e-matters researcher Stefan Esser.

There is no evidence that the new holes have resulted in attacks. However, once security holes are announced, a race begins between organizations that need to patch their systems and hackers eager to take advantage of the vulnerability, Endler said. That is especially true of open source code projects, where the raw code that underlies products is in the public domain, he said.

The news of vulnerabilities in the CVS product has raised concerns about the security of open source projects, many of which have been breached by hackers in recent years.

In October 2002, for example, a Trojan horse program was discovered in some distributions of the open source Sendmail e-mail software. In August, 2003 the Free Software Foundation, sponsors of the GNU free software project, said that a key server housing the group's Linux software was broken into by a malicious hacker.

Open source development projects rely on the assumption that the platforms people use to collaborate on the development are secure.

Vulnerabilities in the CVS product and hacking of CVS project resources invariably cause people to wonder whether the products developed using CVS might also have unknowingly been compromised by hackers, Endler said.

Source: IT World Canada

Save Internet Security.ca's URL to the list of your favorite web sites in your Web browser by clicking here.

Become an authorized reseller of Proxy Sentinel™ and Firewall Sentinel™. Do like the rest of our authorized resellers and have your clients benefit the important security features of our products and solutions, while increasing your sales at the same time. Click here for all the details.

        

You can link to the Internet Security web site as much as you like. Read our section on how your company can participate in our reciprocal link exchange program and increase your rankings in the major search engines such as
Google and all the others.