#VU48929 Input validation error in Game Networking Sockets
Vulnerability identifier: #VU48929
Vulnerability risk: Medium
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-20
Exploitation vector: Network
Exploit availability: Yes
Vulnerable software:
Game Networking Sockets
Client/Desktop applications /
Games
Vendor: Valve Software
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of inlined statistic messages within the CConnectionTransportUDPBase::Received_Data() function. A remote attacker can pass specially crafted input to the gaming server and perform a denial of service (DoS) attack.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Game Networking Sockets: 1.0.0 - 1.1.0
External links
http://github.com/ValveSoftware/GameNetworkingSockets/commit/d944a10808891d202bb1d5e1998de6e0423af678
http://research.checkpoint.com/2020/game-on-finding-vulnerabilities-in-valves-steam-sockets/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
