Game developer Valve has fixed critical four bugs in its popular Steam online game platform. If exploited, the flaws could allow a remote attacker to crash an opponent’s game client, take over the computer – and hijack all computers connected to a third-party game server.
Steam is utilized by more than 25 million users, and serves as a platform for a number of wildly popular video games, including Counter Strike: Global Offensive, Dota2 and Half Life. The vulnerabilities, which were disclosed on Thursday, were discovered in the network library of Steam, which is known as Steam Sockets. This library is part of a toolkit for third-party game developers.
“Video games have reached an all-time-high during the coronavirus pandemic,” Eyal Itkin, security researcher at Check Point, said in a Thursday analysis. “With millions of people currently playing online games, even the slightest security issue can be a serious concern for gaming companies and gamer privacy. Through the vulnerabilities we found, an attacker could have taken over hundreds of thousands of gamer computers every day, with the victims being completely blind to it.”
Researchers disclosed the flaws to Valve in September; the vendor rolled out fixes after three weeks to different Steam games. Researchers said that in order to apply the patches, Steam gamers were required to install the update before they could launch a game.
The four flaws (CVE-2020-6016, CVE-2020-6017, CVE-2020-6018 and CVE-2020-6019) exist in Steam Sockets prior to version v1.2.0. The first three CVEs score 9.8 out of 10 on the CVSS scale, making them critical in severity, while the fourth ranks 7.5 out of 10, making it high-severity.
CVE-2020-6016 exists because Steam Sockets improperly handles “unreliable segments” in the function SNP_ReceiveUnreliableSegment(). This can lead to a heap-based buffer underflow, where the input data is (or appears to be) shorter than the reserved space.
The flaw tied to CVE-2020-6017 is due to SNP_ReceiveUnreliableSegment() improperly handling long unreliable segments when configured to support plain-text messages, leading to a heap-based buffer overflow (where the input data is longer than the reserved space).
The bug tied to CVE-2020-6018 meanwhile is due to the improper handling of long encrypted messages in the function AES_GCM_DecryptContext::Decrypt(), leading to a stack-based buffer overflow.
And finally, the flaw relating to CVE-2020-6019 stems from the function CConnectionTransportUDPBase::Received_Data() improperly handling inlined statistic messages.
In order to exploit the flaws, an attacker would need to connect to a target game server. Then, the attacker could launch the exploit by sending bursts of malicious packets to opponent gamers or target servers. No interaction is needed from the target gamer or server.
“From this point, the attacker could deploy the same vulnerability, as both the game clients and game servers are vulnerable, to force the server to take over all connected clients, without any of them noticing,” said researchers.
That could open up various attack scenarios. One such scenario would include sabotaging online games, in which an attacker is able to crash the server at any time they please, forcing the game to stop for all gamers at once.
Researchers suggest that Valve gamers should make sure that they don’t have a notification about a pending update that they should install, though they should already protected through the fix. And, they should check that their games have indeed updated.
“Gamers of third-party games should check that their game clients received an update in recent months,” they said. “If not, they will need to contact the game developers to check when will an update be released.”
Steam has dealt with security issues before. In 2019, a researcher dropped a zero-day vulnerability that affected the Steam game client for Windows, after Valve said it wouldn’t fix it. Valve then published a patch, that the same researcher said can be bypassed and dropped a second zero day.
Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back.
Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows, and Israel Barak, CISO at Cybereason, on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.