I have a general distrust of McAfee, as the maker of the world's most poorly performing virus scanner / security suite. However, when I came across a Wired article about security holes in the Perforce version control system, I was lured in with interest. I don't use Perforce, but the catchy headline about stealing Google source code via their source control system seemed intriguing.
After reading the article, I knew I was going to be disappointed when I got as far as:
This directly contradicted the dire warnings just above from McAfee about SCMs being wide open to exploitation. The attackers got in via an Internet Explorer vulnerability, not a Perforce one.
I read the McAfee paper anyway, and found that the researchers had discovered a number of legitimate security weaknesses in Perforce to put its makers to shame:
- P4Web authentication can be bypassed by a replay attack
- P4Web access levels are implemented via hidden controls and can be bypassed by URL manipulation
- The session token is not used for the change password feature
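The three P4Web findings are textbook web-application weaknesses. The following Python sketch is added here as an illustration; it is not taken from the McAfee paper or from Perforce's code, and all user names, sessions, passwords and the request shape are constructed for the example. It places each weak pattern beside a hardened one: a login proof that never changes (so a captured proof replays forever) versus a single-use server challenge; an access level read from a client-controlled hidden field versus one read from the server-side session; and a password change with no session-bound token versus one that requires it.

```python
import hashlib
import hmac
import secrets

# Constructed server-side state for the example (not P4Web's data model).
USERS = {
    "alice": {"level": "read", "password": "alice-pw"},
    "bob": {"level": "write", "password": "bob-pw"},
}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}  # session id -> user
CSRF_TOKENS = {}   # session id -> token issued with the change-password form
NONCES = set()     # outstanding single-use login challenges


def password_digest(user):
    """Static digest of the password: what a replayable login 'proof' looks like."""
    return hashlib.sha256(USERS[user]["password"].encode()).hexdigest()


# ---- Replayable authentication vs. challenge-response -----------------------
def weak_login(user, proof):
    # The proof never changes, so a proof captured once logs in forever.
    return hmac.compare_digest(proof, password_digest(user))


def issue_nonce():
    """Server side: hand out a fresh challenge and remember it."""
    nonce = secrets.token_hex(8)
    NONCES.add(nonce)
    return nonce


def login_proof(user, nonce):
    """Bind the secret to the challenge (computed by the client, and again by
    the server to check it)."""
    return hmac.new(USERS[user]["password"].encode(), nonce.encode(),
                    hashlib.sha256).hexdigest()


def hardened_login(user, nonce, proof):
    # Unknown or already-consumed nonce: a replayed exchange is rejected.
    if nonce not in NONCES:
        return False
    NONCES.discard(nonce)
    return hmac.compare_digest(proof, login_proof(user, nonce))


# ---- Access level from a hidden control vs. from the server-side session ----
def weak_can_write(request):
    # Level comes from a hidden form field / query parameter; rewriting
    # "access=read" to "access=write" in the URL grants write access.
    return request["params"].get("access") == "write"


def hardened_can_write(request):
    user = SESSIONS.get(request["cookies"].get("sid"))
    return user is not None and USERS[user]["level"] == "write"


# ---- Change password without vs. with a session-bound token -----------------
def weak_change_password(request):
    # Nothing ties the request to the caller's session, so a cross-site
    # form post naming the victim changes the victim's password.
    user = request["params"]["user"]
    USERS[user]["password"] = request["params"]["new_password"]
    return True


def issue_csrf_token(session_id):
    """Issued when the change-password form is rendered for this session."""
    token = secrets.token_hex(16)
    CSRF_TOKENS[session_id] = token
    return token


def hardened_change_password(request):
    sid = request["cookies"].get("sid")
    user = SESSIONS.get(sid)
    expected = CSRF_TOKENS.get(sid)
    supplied = request["params"].get("csrf_token", "")
    if user is None or expected is None:
        return False
    if not hmac.compare_digest(expected, supplied):
        return False
    # The target account is the session's own user, never a request parameter.
    USERS[user]["password"] = request["params"]["new_password"]
    return True


if __name__ == "__main__":
    forged = {"cookies": {}, "params": {"user": "alice", "new_password": "pwned",
                                        "access": "write"}}
    print("weak write access:", weak_can_write(forged))          # True
    print("hardened write access:", hardened_can_write(forged))  # False
```

The hardened versions share one principle: every decision (who is logged in, what they may do, whose password changes) is derived from state the server holds and the client cannot rewrite, and anything the client does supply (the challenge response, the anti-forgery token) is compared with `hmac.compare_digest` and consumed once.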
It also mixes in some general security concerns that apply to every other source control system in the world, or every other Windows service that exists, such as running with too high privileges, or the source code being stored in plaintext.
The complaint about the source code being stored unencrypted on the user's local system seems particularly absurd. Given that the attacker has compromised the system and gained access (elevated privileges or not), it doesn't matter how encrypted the files are: the attacker already has access to them so long as the user has authenticated and can decrypt them.
McAfee goes on to make a number of recommendations, the most sensible, if impractical, one being to disable P4Web. But the whitepaper leaves me wondering what its real purpose was. They gloss over the "zero-day exploit" in Internet Explorer to focus on vulnerabilities in Perforce that would not otherwise have been exposed beneath the corporate firewall.
Once a developer workstation is compromised and a pipe is available to the external internet, there’s really no stopping the attacker from obtaining the confidential source code, no matter how secure the SCM is. That is, unless, perhaps, the developer simply does no work on the source code. And that’s always an option if you want to be truly secure.