- Perforce says it found an authentication bypass flaw affecting all versions of all software
- The flaw could grant malicious actors admin privileges on target endpoints
- A patch is being worked on, so be on your guard
Perforce recently discovered a major vulnerability affecting its entire software portfolio which could allow threat actors to gain full admin access without authentication. It urged its users to apply available mitigations while it works on releasing a patch.
The company said that a team of white-hat hackers found a vulnerability “affecting all versions of the platform” and posing a “severe risk to organizations worldwide, as it allows an attacker to gain full administrative access to the system without authentication.”
The bug is an authentication bypass vulnerability, affecting all versions of all Perforce software, it was said. The company reported it to global security databases, and currently awaits a CVE.
Authentication bypass
“This vulnerability compromises the core authentication protocol within Perforce software, allowing an attacker to bypass security mechanisms and take full control of the administration interface,” the company explained. This means that a threat actor could run system-wide admin commands, tamper with the data, escalate user privileges, run malware, and more.
Since the software is used in government, defense, and finance industries, and a patch has not yet been released, Perforce urges users to implement temporary security controls, including restricting admin access to trusted internal networks only, monitoring network traffic for unusual authentication attempts, and implementing additional firewall rules.
Furthermore, users should audit system logs for indicators of compromise, disable external access to Perforce servers where possible, and keep tabs on vendor announcements and security patches.
“Given the high risk associated with this vulnerability, security professionals, IT administrators, and businesses using Perforce.com software must act swiftly to secure their systems,” the press release concluded. “Perforce.com has been officially notified, and the security community expects an urgent response with mitigation measures and an emergency patch.”
Perforce is a version control system (VCS) designed for large-scale software development, enabling teams to manage and track changes to source code, digital assets, and configurations efficiently. Its flagship product is called Helix Core, a high-performance version control system designed for managing large codebases and digital assets, commonly used in game development, semiconductor design, and enterprise software development.
Leave a comment