Two-year-old RCE flaws still unpatched, bounty hunters claim
UPDATED Pressure is growing on games publisher Valve after two sets of security researchers came forward with complaints that it has been slow at resolving security flaws in its popular Steam platform.
A seemingly critical Steam Source engine vulnerability discovered in 2019 by ‘Florian’, a member of the reverse engineering group Secret Club, is said to remain unresolved – much to the consternation of the researcher involved and his security research colleagues.
Florian reported the flaw to Valve through a bug bounty program run by HackerOne, but despite multiple attempts to chase the issue, no action has been taken, even though the security flaw was “verified/triaged after a couple of months”, according to the bug hunter.
Secret Club aired its frustration in a Twitter update over the weekend: “Two years ago, Secret Club member @floesen_ reported a remote code execution (RCE) flaw affecting all source engine games.
“It can be triggered through a Steam invite,” the group added. “This has yet to be patched, and Valve is preventing us from publicly disclosing it.”
A tracker for the issue – CVE-2021-30481 – was added to NIST’s National Vulnerability Database on Monday (April 12).
“Valve Steam through 2021-04-10, when a Source engine game is installed, allows remote authenticated users to execute arbitrary code because of a buffer overflow that occurs for a Steam invite after one click,” the entry states.
Letting off Steam
Separately this week, another security researcher, Bien Pham, voiced his concerns that a flaw he reported in Steam also poses a remote code execution risk.
This, too, he says, has been “ignored by Valve for a year”.
“RCE can be achieved by connecting to a malicious server, then the chain will be completed when the game is restarted,” Singapore-based Pham said in a message on Twitter.
In response to follow-up questions from The Daily Swig, Pham confirmed the second flaw remained unresolved but declined to go into details, beyond describing it as a “logic bug”.
The researcher – who added he was “pretty sure” the flaw was different from that discovered by Florian – said there was no evidence of any exploitation of the vulnerability, but nonetheless criticised Valve for its apparent inaction.
“The reason why Valve delayed their response for a long time, I think because of [HackerOne] policy allows vendors to hold the report indefinitely. And Valve, they rely on security through obscurity,” Pham said.
The Daily Swig contacted Valve’s PR team for comment via a form on the gaming publisher’s website.
No word back as yet, but we’ll update this story as and when more information comes to hand.
In response to questions from The Daily Swig, HackerOne offered the following comment.
“It’s our policy not to comment on customer programs without their consent,” HackerOne said. “However, we can say that we take issues of both responsiveness and disclosure seriously and will work closely with our partners at Valve to address this situation.”
Launched in 2003, Steam is the world’s most popular video game distribution service, taking up to 75% of the global market share and attracting around 20 million gamers each day.
Chris Boyd, a security researcher with Malwarebytes and a keen gamer who has spent years researching the security of various gaming platforms, had no direct knowledge of the vulnerabilities in play, but did say he has been able to get Valve/Steam to fix directly reported flaws in the past.
“I’ve reported several issues to Steam down the years and they were addressed very quickly, such as a method used by phishers to bypass Steam Guard protection,” Boyd told The Daily Swig.
“However, these were not reported via bug bounty programs and were likely not as complex to resolve as the current issues.”
“With so many titles using the Source engine, it may take a while longer yet to test and address without potentially breaking essential functionality in some games,” he added.
This story was updated to add comment from HackerOne.