Rule: -- Sid: 2317 -- Summary: This event is generated when an attempt is made to exploit a known vulnerability in the Concurrent Versions System (CVS). -- Impact: Serious. Manipulation of the host file system is possible. -- Detailed Information: Concurrent Versions System (CVS) is used to track the history of source code files when developing software. Some versions of CVS contain a vulnerability that may allow an attacker to create directories or files in the host filesystem external to the cvsroot. This is achieved via a malformed module request. -- Affected Systems: CVS versions prior to 1.11.10 -- Attack Scenarios: An attacker may send a specially crafted request to a cvs server and create files and directories of their choosing in the hosts root filesystem. The attacker may then access these files at will to further compromise the system. -- Ease of Attack: Simple. No exploit software is required. -- False Positives: None known. -- False Negatives: If compression is being used in data communications between the CVS server and clients, this rule will not generate an event. -- Corrective Action: Apply the appropriate vendor supplied patches. Upgrade to the latest non-affected version of the software. -- Contributors: Sourcefire Research Team Brian Caswell <bmc@sourcefire.com> Nigel Houghton <nigel.houghton@sourcefire.com> -- Additional References: CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0977 --