GOG Galaxy Games, a popular video game digital distribution platform that enables users to purchase new games and launch them from their desktop, is riddled with vulnerabilities, according to researchers at Cisco Talos.
The researchers assert that the GOG Galaxy video game launcher contains six flaws that could allow a malicious actor to carry out a variety of attacks – including two critical vulnerabilities enabling an attacker to execute arbitrary code with system privileges.
“Users are encouraged to update to the latest version of GOG Galaxy Games here as soon as possible in order to avoid these vulnerabilities,” said Talos researchers in a Tuesday post. “As they all come from different functions, there is no one, clear workaround and they can only be fixed through this patch.”
GOG, short for “Good Old Games,” has emerged as a popular alternative for Steam by offering older games not typically available on digital PC marketplaces. GOG Galaxy, version 220.127.116.11, is impacted. A patch is available and users are encouraged to update as soon as possible.
The two most serious vulnerabilities are an exploitable local privilege escalation vulnerability (CVE-2018-4048) in the file system permissions of GOG Galaxy’s “temp” directory, and a exploitable local privilege elevation vulnerability (CVE-2018-4049) in the file system permissions of GOG Galaxy’s “games” directory. Both have a CVSS score of 9.3.
The flaw (CVE-2018-4048) exists in the file system permissions of GOG Galaxy’s “temp” directory, which is where games that users are downloading go until they have been fully downloaded. The issue is that GOG Galaxy extracts the executables for the automatic update function in a directory by default, allowing anyone on the system to have full control.
This enables all users to read, write or modify arbitrary files related to the GOG Galaxy Updater Service.
“An attacker can overwrite executables of the Desktop Galaxy Updater to exploit this vulnerability and execute arbitrary code with SYSTEM privileges,” according to Cisco. “The executables include sensitive data, such as a root CA [root certificate authority], as well as executables that will be run with SYSTEM privileges once they are installed, allowing an attacker to overwrite them prior to installation to achieve arbitrary code execution with SYSTEM privileges.”
Meanwhile CVE-2018-4049 exists in the file system permissions of GOG Galaxy’s “Games” directory. An attacker can overwrite executables of installed games to exploit this vulnerability and execute arbitrary code with elevated privileges.
By default, GOG Galaxy installs games in a directory that allows anyone on the system to have “full control” – allowing all users to read, write or modify arbitrary files in the “Games” directory.
“If the installed games include a privileged installer component, such as a DirectX installer, Visual Studio redistributable, or some other run-once installer that executes with Administrator permissions, the attack can result in Administrative access,” said Cisco. “Users can also elevate to other user accounts by overwriting arbitrary executables.”
Richard Johnson with Cisco Talos first notified the vendor of both flaws on Nov. 20, and public disclosure was Tuesday. While a patch is available, users of GOG Galaxy can also replace the “Full Control” permission with “Read and Execute” for the “Everyone” group in the GOG Galaxy “Temp” directory. That ensures that all file system objects behind that path inherit from the parent directory in both cases.
The product also contains two high-severity flaws and two medium-severity flaws.
The two high-severity flaws are an exploitable local privilege escalation vulnerability (CVE-2018-4050) in the privileged helper tool of GOG Galaxy’s Games (version 1.2.47 for macOS), and an exploitable local privilege escalation vulnerability (CVE-2018-4051) in the privileged helper tool of GOG Galaxy’s Games (version 1.2.47 for macOS). Both have a CVSS score of 7.1 and could lead to execution of arbitrary code with elevated privileges.
The two medium severity vulnerabilities are a local information leak vulnerability (CVE-2018-4052) allowing information disclosure, and a denial-of-service vulnerability (CVE-2018-4053).
GOG Galaxy did not respond to a request for comment from Threatpost about whether the flaws had been exploited.
It’s been a busy week for gamers in the world of security. Also this week, Nvidia, which makes gaming-friendly graphics processing units (GPUs), patched a high-severity vulnerability in its GeForce Experience software, which could lead to code execution or denial-of-service of products if exploited.