Valve's Game Networking Sockets prior to version v1.2.0 improperly handles unreliable segments with negative offsets in function SNP_ReceiveUnreliableSegment(), leading to a Heap-Based Buffer Underflow and a free() of memory not from the heap, resulting in a memory corruption and probably even a remote code execution.
{"thn": [{"lastseen": "2022-05-09T12:38:42", "description": "[](<https://thehackernews.com/images/-oUqXhZWyChQ/X9Hnd1imOAI/AAAAAAAABNs/6cqd-uVC_AA3taGM20D2ET2l7GPYxgq1wCLcBGAsYHQ/s0/game-hacking.jpg>)\n\nCritical flaws in a core networking library powering Valve's online gaming functionality could have allowed malicious actors to remotely crash games and even take control over affected third-party game servers.\n\n\"An attacker could remotely crash an opponent's game client to force a win or even perform a 'nuclear rage quit' and crash the Valve game server to end the game completely,\" Check Point Research's Eyal Itkin noted in an analysis [published](<https://research.checkpoint.com/2020/game-on-finding-vulnerabilities-in-valves-steam-sockets/>) today. \"Potentially even more damaging, attackers could remotely take over third-party developer game servers to execute arbitrary code.\"\n\nValve is a popular US-based video game developer and publisher behind the game software distribution platform Steam and several titles such as Half-Life, Counter-Strike, Portal, Day of Defeat, Team Fortress, Left 4 Dead, and Dota.\n\nThe four flaws (CVE-2020-6016 through CVE-2020-6019) were uncovered in Valve's Game Networking Sockets ([GNS](<https://github.com/ValveSoftware/GameNetworkingSockets>)) or Steam Sockets library, an open-sourced networking library that provides a \"basic [transport layer](<https://en.wikipedia.org/wiki/Transport_layer>) for games,\" enabling a mix of UDP and TCP features with support for encryption, greater reliability, and peer-to-peer (P2P) communications.\n\nSteam Sockets is also offered as part of the [Steamworks SDK](<https://partner.steamgames.com/doc/sdk>) for third-party game developers, with the vulnerabilities found on both Steam servers and on its clients installed on gamers' systems.\n\nThe attack hinges on a specific flaw in the packet reassembly mechanism (CVE-2020-6016) and a quirk in C++'s implementation of [iterators](<https://www.geeksforgeeks.org/iterators-c-stl/>) to send a bunch of malicious packets to a target game server and trigger a heap-based [buffer underflow](<https://cwe.mitre.org/data/definitions/124.html>), ultimately causing the server to abort or crash.\n\nFollowing responsible disclosure to Valve on September 2, 2020, the binary updates containing the fixes were shipped to Valve's game clients and servers on September 17.\n\nBut according to Check Point, certain third-party game developers are yet to patch their clients as of December 2.\n\n\"Video games have reached an all-time-high during the coronavirus pandemic,\" Itkin said. \"With millions of people currently playing online games, even the slightest security issue can be a serious concern for gaming companies and gamers' privacy. Through the vulnerabilities we found, an attacker could have taken over hundreds of thousands of gamer computers every day, with the victims being completely blind to it.\"\n\n\"Popular online platforms are good harvesting grounds for attackers. Whenever you have millions of users logging into the same place, the power of a strong and reliable exploit raises exponentially.\"\n\nCheck Point said that gamers playing Valve's games through Steam are already protected by the fix, although gamers of third-party games should ensure their game clients received an update in recent months to mitigate the risk associated with the flaw.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-10T11:00:00", "type": "thn", "title": "Valve's Steam Server Bugs Could've Let Hackers Hijack Online Games", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6016", "CVE-2020-6019"], "modified": "2020-12-10T16:37:00", "id": "THN:834E0A867D4C5B1C5A09F6FF3D9133A2", "href": "https://thehackernews.com/2020/12/valves-steam-server-bugs-couldve-let.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2020-12-10T14:11:35", "description": "Game developer Valve has fixed critical four bugs in its popular Steam online game platform. If exploited, the flaws could allow a remote attacker to crash an opponent\u2019s game client, take over the computer \u2013 and hijack all computers connected to a third-party game server.\n\nSteam is utilized by more than 25 million users, and serves as a platform for a number of wildly popular video games, including [Counter Strike: Global Offensive](<https://threatpost.com/valve-confirms-csgo-team-fortress-2-source-code-leak/155092/>), Dota2 and [Half Life](<https://threatpost.com/valve-source-engine-fortnite-servers-crippled-by-gafgyt-variant/149719/>). The vulnerabilities, which were disclosed on Thursday, were discovered in the network library of Steam, which is known as Steam Sockets. This library is part of a toolkit for third-party game developers.\n\n\u201cVideo games have reached an all-time-high during the coronavirus pandemic,\u201d Eyal Itkin, security researcher at Check Point, said in a Thursday analysis. \u201cWith millions of people currently playing online games, even the slightest security issue can be a serious concern for gaming companies and gamer privacy. Through the vulnerabilities we found, an attacker could have taken over hundreds of thousands of gamer computers every day, with the victims being completely blind to it.\u201d\n\n[](<https://threatpost.com/webinars/whats-next-for-ransomware/?utm_source=ART&utm_medium=ART&utm_campaign=Dec_webinar/>)\n\nClick to register.\n\nResearchers disclosed the flaws to Valve in September; the vendor rolled out fixes after three weeks to different Steam games. Researchers said that in order to apply the patches, Steam gamers were required to install the update before they could launch a game.\n\nThe four flaws (CVE-2020-6016, CVE-2020-6017, CVE-2020-6018 and CVE-2020-6019) exist in Steam Sockets prior to version v1.2.0. The first three CVEs score 9.8 out of 10 on the CVSS scale, making them critical in severity, while the fourth ranks 7.5 out of 10, making it high-severity.\n\nCVE-2020-6016 exists because Steam Sockets improperly handles \u201cunreliable segments\u201d in the function SNP_ReceiveUnreliableSegment(). This can lead to a heap-based buffer underflow, where the input data is (or appears to be) shorter than the reserved space.\n\nThe flaw tied to CVE-2020-6017 is due to SNP_ReceiveUnreliableSegment() improperly handling long unreliable segments when configured to support plain-text messages, leading to a heap-based buffer overflow (where the input data is longer than the reserved space).\n\nThe bug tied to CVE-2020-6018 meanwhile is due to the improper handling of long encrypted messages in the function AES_GCM_DecryptContext::Decrypt(), leading to a stack-based buffer overflow.\n\nAnd finally, the flaw relating to CVE-2020-6019 stems from the function CConnectionTransportUDPBase::Received_Data() improperly handling inlined statistic messages.\n\nIn order to exploit the flaws, an attacker would need to connect to a target game server. Then, the attacker could launch the exploit by sending bursts of malicious packets to opponent gamers or target servers. No interaction is needed from the target gamer or server.\n\n\u201cFrom this point, the attacker could deploy the same vulnerability, as both the game clients and game servers are vulnerable, to force the server to take over all connected clients, without any of them noticing,\u201d said researchers.\n\nThat could open up various attack scenarios. One such scenario would include sabotaging online games, in which an attacker is able to crash the server at any time they please, forcing the game to stop for all gamers at once.\n\nResearchers suggest that Valve gamers should make sure that they don\u2019t have a notification about a pending update that they should install, though they should already protected through the fix. And, they should check that their games have indeed updated.\n\n\u201cGamers of third-party games should check that their game clients received an update in recent months,\u201d they said. \u201cIf not, they will need to contact the game developers to check when will an update be released.\u201d\n\nSteam has dealt with security issues before. In 2019, a researcher dropped a zero-day vulnerability that [affected the Steam game client](<https://threatpost.com/gamers-zero-day-steam-client-affects-windows/147225/>) for Windows, after Valve said it wouldn\u2019t fix it. Valve then published a patch, that the same researcher said can be bypassed and dropped [a second zero day](<https://threatpost.com/researcher-discloses-second-steam-zero-day-after-valve-bug-bounty-ban/147593/>).\n\n**_Put Ransomware on the Run: Save your spot for \u201cWhat\u2019s Next for Ransomware,\u201d a _**[**_FREE Threatpost webinar_**](<https://threatpost.com/webinars/whats-next-for-ransomware/?utm_source=ART&utm_medium=ART&utm_campaign=Dec_webinar>)**_ on Dec. 16 at 2 p.m. ET. Find out what\u2019s coming in the ransomware world and how to fight back. _**\n\n**_Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows, and Israel Barak, CISO at Cybereason, on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. _**[**_Register here_**](<https://threatpost.com/webinars/whats-next-for-ransomware/?utm_source=ART&utm_medium=ART&utm_campaign=Dec_webinar>)**_ for the Wed., Dec. 16 for this LIVE webinar._**\n", "cvss3": {}, "published": "2020-12-10T11:00:46", "type": "threatpost", "title": "Critical Steam Flaws Could Let Gamers Crash Opponents\u2019 Computers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-27130", "CVE-2020-6016", "CVE-2020-6017", "CVE-2020-6018", "CVE-2020-6019"], "modified": "2020-12-10T11:00:46", "id": "THREATPOST:278458B8B7AD1BAD24FB2C2C5F0B1441", "href": "https://threatpost.com/critical-steam-flaws-crash-opponents-computers/162100/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
CVE-2020-6016
