Valve fixed two 0-day vulnerabilities on Steam
Valve has fixed two 0-day vulnerabilities in the Steam game client and admitted it should have listened to the information security researchers who reported them.
In early August, security researcher Vasily Kravets published details of a vulnerability allowing local privilege escalation in the Steam client, through which any local user can execute commands as NT AUTHORITY\SYSTEM. The vulnerability was confirmed on Windows 8 x64, Windows 8.1 x64 and Windows 10 x64. At the time the researcher's report was published, the bug was still unfixed, even though Kravets had responsibly reported the vulnerability to Valve through the HackerOne platform and waited 45 days after the report was accepted.
To begin with, the researcher first had to convince HackerOne staff that his report described a real vulnerability, since Valve uses HackerOne's managed triage service, in which platform specialists review submissions before they reach the vendor. Kravets received his first rejection at this stage: triage claimed that the attack he described required the ability to place files at arbitrary file system paths.
Since the attack in fact involved no file system operations at all, he got the report re-reviewed, and it was eventually forwarded to Valve engineers. Soon afterwards, however, the report was again marked as out of scope, this time because "the attack requires physical access to the user's device."
The researcher concluded that Valve was evidently simply not interested in privilege escalation attacks. Worse, he was forbidden to publish information about the problem, even though Valve had no intention of fixing it.
“It’s rather ironic to find that the launcher, which is actually designed to run third-party programs on your computer, allows them to quietly get maximum privileges”, – wrote Kravets.
After the vulnerability was publicly disclosed, along with the story of the fruitless attempts to get it fixed, the community harshly criticized both Valve and HackerOne. In response to the backlash, Valve released a fix without comment, but within a few hours researchers noticed that the patch was ineffective and could be easily bypassed.
Worse, once the media picked up the story, it emerged that well-known security researcher Matt Nelson had also discovered the same vulnerability and had also tried to report it to the company through HackerOne. In his case, too, Valve declined to fix the problem, and his report was then locked when Nelson wanted to publicly disclose the bug and warn users.
Earlier this week, Vasily Kravets published a detailed write-up of a second 0-day vulnerability in the Steam client, again a local privilege escalation. The researcher added that he had been unable to report the problem to Valve at all, because after the publicity surrounding his first report he had simply been banned from Valve's bug bounty program on HackerOne.
Meanwhile, the security community continued to criticize Valve, because local privilege escalation bugs are by no means trivial. Such vulnerabilities are not used for the initial compromise of a machine or for remote attacks, but they are valuable during post-exploitation: an attacker who already has a foothold as an ordinary user uses them to gain root, admin or SYSTEM rights and take full control of the target.
By refusing to fix these problems, Valve effectively put at risk roughly 100 million Windows users who have the Steam client installed.
On August 22, 2019, Valve finally reacted appropriately.
First, Valve added patches for the vulnerabilities described above to the beta version of the Steam client, and so far no researcher has reported a bypass of these patches.
Second, company representatives broke their long silence and, in a comment to ZDNet, called the whole affair a big misunderstanding:
"Our HackerOne program rules were intended only to exclude reports of Steam being instructed to launch previously installed malware on a user's machine as that local user. Instead, misinterpretation of the rules also led to the exclusion of a more serious attack that also performed local privilege escalation through Steam. We have updated our HackerOne program rules to explicitly state that these issues are in scope and should be reported," Valve said.
The company's bug bounty program policies have indeed already been updated accordingly.