Microsoft disclosed and contributed to the remediation of four vulnerabilities impacting Perforce Helix Core Server, a source code management platform used particularly in the videogame industry. The affected product is also widely used across many other sensitive sectors, including government, military, technology and retail.
The vulnerabilities are the following:
CVE-2023-45849 (CVSS 10): Unauthenticated remote code execution as LocalSystem via the user-bgtask remote procedure call (RPC) command, which allows remote background commands to be run on the server instance. This is the most concerning of the four vulnerabilities, as it may enable an attacker to take control of the vulnerable instance.
CVE-2023-5759 (CVSS 7.5): Unauthenticated denial of service via RPC header abuse, enabling an amplification of resource consumption.
CVE-2023-35767 (CVSS 7.5): Unauthenticated denial of service by sending a remote shutdown command via RPC.
CVE-2023-45319 (CVSS 7.5): Unauthenticated denial of service via remote UpdtFovrCommit RPC command.
There is presently no report of exploitation in the wild. However, research carried out by Microsoft in November 2023 found that over a thousand server instances were running with a default configuration, i.e. listening on TCP port 1666. Administrators may want to implement a custom configuration in order to hide their instances from scanners.
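To check whether a server of your own still exposes the default listener described above, the following added example (not from Microsoft or Perforce) filters listening-socket output for TCP port 1666 bound to a non-loopback address. It assumes a Linux host and the column layout printed by `ss -Hltn`; the function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report listeners on the Helix Core default port (1666)
# that are reachable from beyond loopback.
# Input: lines in `ss -Hltn` format on stdin:
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
# Usage on a live host:  ss -Hltn | exposed_p4_listeners
# Optional argument: a different port to audit.
exposed_p4_listeners() {
    port="${1:-1666}"
    awk -v port="$port" '
        $1 == "LISTEN" && match($4, /:[0-9]+$/) {
            p    = substr($4, RSTART + 1)      # port after the last colon
            addr = substr($4, 1, RSTART - 1)   # bind address before it
            if (p != port) next                # e.g. 16660 must not match
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
            print addr ":" p
        }'
}

# Constructed sample input (not captured from a real system).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:1666 0.0.0.0:*
LISTEN 0 128 127.0.0.1:1666 0.0.0.0:*
LISTEN 0 128 [::]:1666 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 10.0.0.5:16660 0.0.0.0:*'

# Prints the two wildcard binds; the loopback bind and other ports are skipped.
printf '%s\n' "$SAMPLE_SS" | exposed_p4_listeners
```

An empty result means that nothing on the host is listening on that port outside loopback.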