Four Critical Flaws Found in Steam Could Allow Attackers to Hijack Computers
Four critical flaws, CVE-2020-6016, CVE-2020-6017, CVE-2020-6018 and CVE-2020-6019, were found to be exploitable in the popular Steam online gaming platform. If exploited, these flaws could allow a remote attacker to crash an opponent’s game client, take control over the victim’s computer and hijack all computers connected to a third-party game server.
Researchers disclosed the flaws in September, with Valve (the company behind Steam) rolling out fixes after three weeks to different Steam games. In order to apply the patches, Steam gamers were required to install the update before they could launch a game.
The four flaws exist in Steam Sockets prior to version v1.2.0. The first three CVEs score 9.8 out of 10 on the CVSS scale, making them critical in severity, while the fourth ranks 7.5 out of 10, making it high severity.
CVE-2020-6016 exists because Steam Sockets improperly handles “unreliable segments” in the function SNP_ReceiveUnreliableSegment(). This can lead to a heap-based buffer underflow, where the input data is, or appears to be, shorter than the reserved space. The danger of CVE-2020-6017 is due to SNP_ReceiveUnreliableSegment() improperly handling long unreliable segments when configured to support plain-text messages, leading to a heap-based buffer overflow. The bug tied to CVE-2020-6018 meanwhile is due to the improper handling of long encrypted messages in the function AES_GCM_DecryptContext::Decrypt(), leading to a stack-based buffer overflow. And lastly, the flaw relating to CVE-2020-6019 stems from the function CConnectionTransportUDPBase::Received_Data() improperly handling inlined statistic messages.
In order to exploit the flaws, an attacker would need to connect to a target game server. Then, they could launch the exploit by sending bursts of malicious packets to opponent gamers or target servers. No interaction is needed from the target gamer or server. At this point, the attacker would deploy the same vulnerability, as both the game clients and game servers are vulnerable, forcing the server to take over all connected clients. This then sets the stage for a multitude of attack scenarios.
One such scenario would include sabotaging online games, in which an attacker is able to crash the server at any time they please, forcing the game to stop for all gamers at once.
Steam is utilized by more than 25 million users and serves as a platform for several popular video game franchises. The above vulnerabilities were discovered in the network library of Steam, known as Steam Sockets, which is part of a toolkit for third-party game developers. All users of Steam should apply any pending updates to either the Steam platform or to their individual games.
Sources: