CVE: Remote denial-of-service fixed in 0.6.5 #1536

Closed
apoleon opened this issue Oct 20, 2018 · 5 comments

@apoleon

commented Oct 20, 2018

Hi,

apparently version 0.6.5 and version 0.7.0 fix a remote denial-of-service vulnerability in Teeworlds. Did you request a CVE for this security issue? It appears that all versions prior to 0.6.5 are affected. Is this correct?

Are these the fixing commits?

4c00063
439483c

@heinrich5991

Contributor

commented Oct 20, 2018

No CVE was requested as far as I know.

The fixing commits for 0.6 are:

a263185
aababc6
f5fa1a9

(not the ones you specified) plus some dependencies (md5 support).

The vulnerability is the following: Since there was no challenge-response involved in the connection build up, you could send the connection packets from a spoofed IP address and occupy a server slot or even use it for a reflection attack using map download packets.

The reflection problem still exists in 0.6.5 for the server info packets. I don't know about the state of the server info packets in 0.7.0, but I think a 1:1 reflection is still possible.
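
A generic stateless challenge-response handshake of the kind the comment above says was missing, as an added example that is not Teeworlds code and not written by either participant. The packet tags (`C`, `T`, `A`, `O`, `F`), the 8-byte token, the 16-second window and the slot table are assumptions made for illustration; the addresses in the accompanying test are constructed documentation ranges.

```python
import hashlib
import hmac
import os
import struct
import time

SECRET = os.urandom(32)  # per-process server secret (assumption: regenerated on restart)
WINDOW = 16              # seconds per token window (constructed value)
REPLY_LEN = 9            # tag byte + 8-byte token


def make_token(addr, now=None, secret=SECRET):
    """Token bound to the sender's (ip, port) and a coarse time window."""
    ip, port = addr
    window = int((time.time() if now is None else now) // WINDOW)
    msg = ip.encode() + struct.pack("!HQ", port, window)
    return hmac.new(secret, msg, hashlib.sha256).digest()[:8]


def check_token(addr, token, now=None, secret=SECRET):
    """Accept the current and previous window so boundary-crossing tokens work."""
    now = time.time() if now is None else now
    return any(hmac.compare_digest(token, make_token(addr, now - age, secret))
               for age in (0, WINDOW))


class Server:
    def __init__(self, max_slots=2):
        self.slots = set()
        self.max_slots = max_slots

    def handle(self, addr, packet, now=None):
        """Return the reply for one datagram, or None to drop it silently."""
        kind, body = packet[:1], packet[1:]
        if kind == b"C":
            # No state is kept here. Requiring the request to be at least as
            # long as the reply means a reflected token never amplifies.
            if len(packet) < REPLY_LEN:
                return None
            return b"T" + make_token(addr, now)
        if kind == b"A":
            # Only a host that received the token at addr can echo it back.
            if not check_token(addr, body, now):
                return None
            if addr not in self.slots and len(self.slots) >= self.max_slots:
                return b"F"
            self.slots.add(addr)
            return b"O"
        return None
```

A spoofed `C` packet still causes one 9-byte reply to the claimed address, which matches the 1:1 reflection the comment mentions, but it no longer occupies a slot or triggers a larger response.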

@apoleon

Author

commented Oct 20, 2018

Thank you for your clarification. I have just requested a CVE id for this issue. I will update this bug report as soon as I receive more information. FTR, this is also Debian bug https://bugs.debian.org/911487

@apoleon

Author

commented Oct 20, 2018

This issue was assigned CVE-2018-18541.

@heinrich5991

Contributor

commented Oct 20, 2018

Thanks for requesting a CVE.

Are there guidelines for when to request one? How does one go about requesting a CVE?

@apoleon

Author

commented Oct 20, 2018

It is usually up to you or everyone else to decide whether a specific programming error can be deemed a security vulnerability. You can request a CVE at https://cveform.mitre.org/. As a rule of thumb I would always request a CVE when you think that a bug might affect the integrity of a user's system (arbitrary file write, buffer overflows, reading unrelated memory that should never be read, bypassing access controls, etc.), deceiving a user (e.g. XSS attacks) or making a system/application unusable (denial-of-service) like in this case. This question has also been answered here: https://cve.mitre.org/about/faqs.html#what_is_vulnerability.

I only noticed this bug because my own server was attacked only a week ago. It could be mitigated by changing the server port of teeworlds but obviously this wasn't a real solution. The requested CVE id makes sure that all major vendors and distributors will know about this issue. Most of them will now upgrade to your latest upstream release but some might prefer to backport the fixing commits. In any case this raises awareness and will ensure that this issue will be fixed more quickly.

Thanks for providing the links to your fixing commits. I believe this bug report can be closed now. It will then just serve as a reference for others.
