Security News Valve Patches Security Bug That Existed in Steam Client for the Past Ten Years (Vulnerability exploitable remotely via network packets, RCE)

LASER_oneXM

Feb 4, 2016
Valve developers have recently patched a severe security flaw that affected all versions of the Steam gaming client released in the past ten years.

According to Tom Court, a security researcher with Context Information Security, the one who discovered the flaw, the vulnerability would have allowed an attacker to execute malicious code on any of Steam's 15 million gaming clients.

Vulnerability exploitable remotely via network packets

In the jargon of security researchers, this is a remote code execution (RCE) flaw because exploitation was possible via network requests, without needing access to the victim's computer.

Court says an attacker was only required to send malformed UDP packets to a target's Steam client, which would have triggered the bug and allowed him to run malicious code on the target's PC.

The root cause of this vulnerability is a buffer overflow in one of Steam's many internal libraries, and more specifically in Steam's code that dealt with fragmented UDP datagram reassembly.

Bug accidentally half-patched last July

The Context security researcher says exploitation of this flaw would have been trivial up until July 2017, when Valve added ASLR protection to the Steam desktop client.

The added security feature made exploitation more difficult, causing only a crash of the Steam client in subsequent editions.

ForgottenSeer 58943

FYI - the CIA and NSA knew about this, and utilized it.

Remember, when Snowden docs came out, they mentioned Steam as their 'inlet' to a system. When Vault-7 was released, Steam was mentioned again if I remember. It was thought way back then they had Steam backdoored. So I guess we know the truth now, or at least part of the truth. I wonder if Valve was at least somewhat complacent in this?

NSA's Hacker-in-Chief: We Don't Need Zero-Days To Get Inside Your Network
Even a laptop running Valve's Steam gaming service can make a nice point of entry for Joyce's NSA buddies, he says. "Why go after the professionally administered enterprise network when people are bringing their home laptops, where their kids were going out and downloading Steam games the night before?"

So yes, this was just another exploit hoarded by US Intelligence, along with a long list of other ones, I guess. The former head of the NSA and CIA recently was quoted as saying 'The golden age of electronic spying is coming to an end'. With the Meltdown patches, increasing scrutiny from security researchers and firms, increasing use of encryption, etc.

TairikuOkami

May 13, 2017
In order for an attacker’s UDP packets to be accepted by the client, they must observe an outbound (client->server) datagram being sent in order to learn the client/server IDs of the connection along with the sequence number. The attacker must then spoof the UDP packet source/destination IPs and ports, along with the client/server IDs and increment the observed sequence number by one.
This seems like it would have to be a targeted attack rather than just sending malformed UDP packets to random Steam clients.
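The two posts above describe the bug from both ends: a missing length check in the fragmented-datagram reassembly code, and the session gate (client/server IDs plus the next sequence number) a packet has to pass before that code ever sees it. The following is an added example written for this thread, not Steam's code, showing what a defensively written reassembler looks like: the connection IDs and sequence number are checked first, then every length field is validated against the fixed reassembly buffer before a single byte is copied. The packet field layout (client_id, server_id, seq, total_len, offset, len), the 4096-byte buffer and the "hello world" sample fragments are all assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of a bounds-checked fragment reassembler. It is not
 * Steam's code; the field layout and buffer size are assumptions. */
#define MAX_DATAGRAM 4096u

typedef struct {
    uint32_t client_id;   /* connection identifiers the peer must echo */
    uint32_t server_id;
    uint32_t seq;         /* last sequence number accepted */
    uint32_t total_len;   /* announced size of the datagram being rebuilt, 0 = idle */
    uint32_t received;    /* distinct bytes received so far */
    uint8_t  buf[MAX_DATAGRAM];
    uint8_t  covered[MAX_DATAGRAM]; /* 1 once that byte has arrived (handles duplicates) */
} conn_t;

typedef struct {
    uint32_t client_id, server_id, seq;
    uint32_t total_len;   /* full reassembled size claimed by the sender */
    uint32_t offset;      /* where this piece belongs in the datagram */
    uint32_t len;         /* payload bytes carried by this fragment */
    const uint8_t *payload;
} fragment_t;

typedef enum {
    FRAG_STORED = 0,      /* accepted, datagram still incomplete */
    FRAG_COMPLETE,        /* accepted and the datagram is now whole in buf */
    REJECT_IDS,           /* client/server IDs do not match this connection */
    REJECT_SEQ,           /* sequence number is not the expected next one */
    REJECT_TOO_BIG,       /* claimed total exceeds the reassembly buffer */
    REJECT_RANGE,         /* offset+len would fall outside the claimed total */
    REJECT_MISMATCH       /* claimed total differs from the datagram in progress */
} verdict_t;

void conn_init(conn_t *c, uint32_t client_id, uint32_t server_id, uint32_t seq) {
    memset(c, 0, sizeof *c);
    c->client_id = client_id;
    c->server_id = server_id;
    c->seq = seq;
}

verdict_t conn_accept_fragment(conn_t *c, const fragment_t *f) {
    /* Session gate: the packet must carry our IDs and the next sequence number. */
    if (f->client_id != c->client_id || f->server_id != c->server_id)
        return REJECT_IDS;
    if (f->seq != c->seq + 1)
        return REJECT_SEQ;

    /* Length checks, all done before any copy. The subtraction form
     * (len > total - offset) cannot wrap around, unlike offset + len > total. */
    if (f->total_len == 0 || f->total_len > MAX_DATAGRAM)
        return REJECT_TOO_BIG;
    if (f->len == 0 || f->offset > f->total_len || f->len > f->total_len - f->offset)
        return REJECT_RANGE;
    if (c->total_len != 0 && c->total_len != f->total_len)
        return REJECT_MISMATCH;

    /* Only a fully validated packet is allowed to advance connection state. */
    c->seq = f->seq;
    c->total_len = f->total_len;
    for (uint32_t i = 0; i < f->len; i++) {
        uint32_t pos = f->offset + i;          /* < total_len <= MAX_DATAGRAM by the checks above */
        if (!c->covered[pos]) { c->covered[pos] = 1; c->received++; }
        c->buf[pos] = f->payload[i];
    }
    if (c->received == c->total_len) {
        c->total_len = 0;                      /* buf keeps the datagram until the next one starts */
        c->received = 0;
        memset(c->covered, 0, sizeof c->covered);
        return FRAG_COMPLETE;
    }
    return FRAG_STORED;
}

int main(void) {
    conn_t c;
    conn_init(&c, 0x1111, 0x2222, 10);
    /* Constructed sample: "hello world" split into two in-order fragments,
     * followed by a fragment whose claimed range runs past its own total. */
    const uint8_t *a = (const uint8_t *)"hello ";
    const uint8_t *b = (const uint8_t *)"world";
    fragment_t f1  = {0x1111, 0x2222, 11, 11, 0, 6, a};
    fragment_t f2  = {0x1111, 0x2222, 12, 11, 6, 5, b};
    fragment_t bad = {0x1111, 0x2222, 13, MAX_DATAGRAM, MAX_DATAGRAM - 2, 8, a};
    printf("f1  -> %d (FRAG_STORED=%d)\n", conn_accept_fragment(&c, &f1), FRAG_STORED);
    printf("f2  -> %d (FRAG_COMPLETE=%d)\n", conn_accept_fragment(&c, &f2), FRAG_COMPLETE);
    printf("bad -> %d (REJECT_RANGE=%d)\n", conn_accept_fragment(&c, &bad), REJECT_RANGE);
    return 0;
}
```

The order of the checks is the point: the ID and sequence gate explains why the attack described in the Context write-up needs an observed outbound datagram rather than a blind packet, and the three length checks are what stand between a hostile `total_len`/`offset`/`len` triple and a write past the end of `buf`. Note that a rejected packet never advances `seq`, so a malformed fragment cannot desynchronise the connection.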
