DOS vulnerability (?) #32

Closed
Daniel-Cortez opened this issue Mar 31, 2018 · 7 comments
Daniel-Cortez commented Mar 31, 2018

Hello.

In 2014 @8artek0v0 reported a DOS vulnerability to the RakNet developer(s), which was supposed to be fixed in facebookarchive@e97c4bb. However, it wasn't fixed completely, as described here: facebookarchive#102

Is this vulnerability somehow addressed in SLikeNet?

Member

Luke1410 commented Apr 1, 2018

Let me get back to you on this. I'll prioritize the facebookarchive#102 issue now.

@Luke1410 Luke1410 self-assigned this Apr 1, 2018
Member

Luke1410 commented Apr 1, 2018

Nope, the "vulnerability" has not been completely resolved yet. The special case as described in the referenced RakNet issue facebookarchive#102 is something I'll fix directly, since it's an obvious fix (please let me know if you'd like it to be integrated immediately in the GitHub repository - otherwise I'll commit it once we have added an appropriate test case to verify it's working as intended).

To resolve the described vulnerability in the issue, it'll require a bit more work (incl. extending our tests which currently don't detect the vulnerability). I'll prioritize this task now as the next issue to resolve after some of the pending issues/pull requests throughout RakNet.

Author

Daniel-Cortez commented Apr 3, 2018

Thanks.
While I'm not actually using SLikeNet myself (it was a friend who was going to migrate one of their projects from RakNet to SLikeNet and asked me to report this vulnerability), I still think it would be better to have the fix in the repo as soon as it's done.

Member

Luke1410 commented Apr 11, 2018

We just committed the obvious fix for the uint24_t max case resulting in an endless loop (available in the SVN repository and the GitHub repository). The remaining issue(s) are on the list of things to resolve for the next version. Internal case number SLNET-194 / SLNET-204.

Member

Luke1410 commented Apr 26, 2018

Just to give a quick heads up: We are now working on this issue. We made several changes to the area and are currently testing/reviewing them to ensure this completely resolves this DOS attack vector.

Member

Luke1410 commented Apr 29, 2018

We are going to release an unplanned hotfix of SLikeNet due to this exploit (SLikeNet 0.1.2) and will also provide a pull request to RakNet (for those who are staying with RakNet). We are currently targeting a release on 2018-05-06. If you need an urgent fix, feel free to contact us by mail at support@slikesoft.com.

This exploit has the following CVSS score:
base score: 7.5
temporal score: 7.2 (7.5 until SLikeNet 0.1.2 is released)
overall score: 7.2 (7.5 until SLikeNet 0.1.2 is released)
CVSS v3 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C

Since SLikeNet/RakNet are libraries, there's no CVSS environmental score (since that score heavily depends on how/where the library is utilized).

Member

Luke1410 commented May 8, 2018

SLikeNet 0.1.2, which resolves the issues (SLNET-194, SLNET-204), is available now at https://www.slikenet.com/ or here on GitHub at https://github.com/SLikeSoft/SLikeNet/releases/v.0.1.2.
