openarena-server: [CVE-2010-5077] traffic amplification via getstatus requests

Related Vulnerabilities: CVE-2010-5077  

Debian Bug report logs - #665656


Reported by: Markus Koschany <apo@gambaru.de>

Date: Sun, 25 Mar 2012 00:15:01 UTC

Severity: grave

Tags: security

Found in version openarena/0.8.5-5+squeeze1

Fixed in versions openarena/0.8.5-6, openarena/0.8.5-5+squeeze2

Done: Simon McVittie <smcv@debian.org>

Bug is archived. No further changes may be made.



Information forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#665656; Package openarena-server. (Sun, 25 Mar 2012 00:15:05 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@gambaru.de>:
Extra info received and forwarded to list. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>. (Sun, 25 Mar 2012 00:15:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@gambaru.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openarena-server: is vulnerable for getstatus DRDoS attack
Date: Sun, 25 Mar 2012 01:10:13 +0100
Package: openarena-server
Version: 0.8.5-5+squeeze1
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

a few hours ago my openarena server was used for a distributed
reflected denial of service attack. I noticed unusually high outgoing
traffic on port 27960 (3MB/s) which was directed mainly towards
webservers in the beginning. The only solution was to shut down the
openarena-server or to create a new firewall rule.

After some investigation into the problem I discovered that it is well
known with Quake3 based engines. See [1], [2] and [3]

My server received many getstatus requests in a short amount of time
which were presumably faked by the real attacker.

The problem has also been discussed on the ioquake3 mailing list. [4]
One of the participants pointed out that a patch was introduced in 2010
which limits the rate of getstatus requests.[5] It might be a
potential fix or at least mitigation for the attack.

I hope I could explain my problem understandably. That's all the
information I could gather so far.

An alternative way for preventing the DRDoS attack with iptables is described in [6]. 

[1] http://openarena.ws/board/index.php?topic=4391.0
[2] http://www.ioquake.org/forums/viewtopic.php?f=12&t=1694
[3] http://www.urbanterror.info/forums/topic/27825-drdos/
[4] http://lists.ioquake.org/pipermail/ioquake3-ioquake.org/2012-January/004778.html
[5] http://icculus.org/pipermail/quake3-commits/2010-January/001679.html
[6] http://www.altfire.com/main/news/index.php?news_id=586

Sincerely
Markus 


-- System Information:
Debian Release: 6.0.4
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.17 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openarena-server depends on:
ii  libc6                   2.11.3-2         Embedded GNU C Library: Shared lib
ii  openarena-data          0.8.5-3          OpenArena game data
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

openarena-server recommends no packages.

openarena-server suggests no packages.

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#665656; Package openarena-server. (Sun, 25 Mar 2012 12:31:08 GMT) (full text, mbox, link).


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>. (Sun, 25 Mar 2012 12:31:15 GMT) (full text, mbox, link).


Message #10 received at 665656@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>
To: Markus Koschany <apo@gambaru.de>, 665656@bugs.debian.org, security@debian.org
Subject: Re: Bug#665656: openarena-server: is vulnerable for getstatus DRDoS attack
Date: Sun, 25 Mar 2012 13:20:20 +0100
# mitigated with ioquake3 upstream patch since we switched to
# the shared engine
fixed 665656 0.8.5-6
thanks

On 25/03/12 00:10, Markus Koschany wrote:
> Severity: grave
> Tags: security
> Justification: user security hole

Dear security team: what do you consider the severity of this bug to be?
Is it the sort of thing you issue DSAs for? (In this attack, the server
does not execute arbitrary code or reveal private data, but it can be
used for traffic-amplification as a DoS attack on someone else.)

Full text quoted in case this didn't already go to the security team.

> a few hours ago my openarena server was used for a distributed
> reflected denial of service attack. I noticed unusually high outgoing
> traffic on port 27960 (3MB/s) which was directed mainly towards
> webservers in the beginning. The only solution was to shut down the
> openarena-server or to create a new firewall rule.
>
> After some investigation into the problem I discovered that it is well
> known with Quake3 based engines. See [1], [2] and [3]
>
> My server received many getstatus requests in a short amount of time
> which were presumably faked by the real attacker.
>
> The problem has also been discussed on the ioquake3 mailing list. [4]
> One of the participants pointed out that a patch was introduced in 2010
> which limits the rate of getstatus requests.[5] It might be a
> potential fix or at least mitigation for the attack.

openarena in wheezy/sid uses a newer ioquake3 engine which already has
this patch, mitigating the attack. I think that's the best we're likely
to be able to do within the constraints of the Q3 network protocol.

> I hope I could explain my problem understandably. That's all the
> information I could gather so far.
> 
> An alternative way for preventing the DRDoS attack with iptables is described in [6]. 
> 
> [1] http://openarena.ws/board/index.php?topic=4391.0
> [2] http://www.ioquake.org/forums/viewtopic.php?f=12&t=1694
> [3] http://www.urbanterror.info/forums/topic/27825-drdos/
> [4] http://lists.ioquake.org/pipermail/ioquake3-ioquake.org/2012-January/004778.html
> [5] http://icculus.org/pipermail/quake3-commits/2010-January/001679.html
> [6] http://www.altfire.com/main/news/index.php?news_id=586




Marked as fixed in versions openarena/0.8.5-6. Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Sun, 25 Mar 2012 12:31:38 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#665656; Package openarena-server. (Sun, 25 Mar 2012 18:12:03 GMT) (full text, mbox, link).


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>. (Sun, 25 Mar 2012 18:12:03 GMT) (full text, mbox, link).


Message #17 received at 665656@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>
To: Simon McVittie <smcv@debian.org>
Cc: Markus Koschany <apo@gambaru.de>, 665656@bugs.debian.org, security@debian.org
Subject: Re: Bug#665656: openarena-server: is vulnerable for getstatus DRDoS attack
Date: Sun, 25 Mar 2012 20:09:01 +0200
* Simon McVittie:

> Dear security team: what do you consider the severity of this bug to be?
> Is it the sort of thing you issue DSAs for?

So the problem seems to be traffic amplification by a factor of 250.
(around 2000 bytes in, 500,000 bytes out).  Is this correct?

Is there any experience which strongly suggests that deploying the
patch actually helps victims?  Then we should issue a DSA.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#665656; Package openarena-server. (Sun, 25 Mar 2012 23:21:45 GMT) (full text, mbox, link).


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>. (Sun, 25 Mar 2012 23:21:45 GMT) (full text, mbox, link).


Message #22 received at 665656@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: Markus Koschany <apo@gambaru.de>, 665656@bugs.debian.org, security@debian.org
Subject: Re: Bug#665656: openarena-server: is vulnerable for getstatus DRDoS attack
Date: Sun, 25 Mar 2012 23:51:35 +0100
Some proposed updates using the patch from ioquake3 are in my home
directory on alioth:
<http://alioth.debian.org/~smcv/>. Patch for review:
<http://anonscm.debian.org/gitweb/?p=pkg-games/openarena.git;a=commitdiff;h=caeb284533211bb0f76872279106a49306290168>

Markus, if you install devscripts and debian-keyring, you should be able
to download the packages from Alioth with dget, and verify the
signatures on them by running dscverify on the .changes file (they're
signed with my GPG key, which is in the Debian keyring). URLs:

i386:
dget http://alioth.debian.org/~smcv/openarena_0.8.5-5+squeeze2~try1_i386.changes
amd64 and source:
dget http://alioth.debian.org/~smcv/openarena_0.8.5-5+squeeze2~try1_amd64.changes

Verified on i386 to lock out rapid getstatus requests after an initial
"burst" of 10; if I'm reading the implementation correctly, after the
initial "burst" they limit getstatus to 1 per second per IP address or
10 per second across all addresses, and rcon to 1 per second. One
getstatus per second should be about 1 KB/sec outbound.

On 25/03/12 19:09, Florian Weimer wrote:
> So the problem seems to be traffic amplification by a factor of 250.
> (around 2000 bytes in, 500,000 bytes out).  Is this correct?

According to wireshark, using various commands on an unconfigured
squeeze "listen server" (1 player in the game, playing on the server
machine) has these amplification factors (I'm counting the size of the
IP packet, so excluding Ethernet headers):

command        in/bytes   out/bytes   amp.
------------------------------------------
getstatus      41         802         20x   (more on a config'd server?)
getinfo        39         172         4.4x
rcon           36         73          2x
getchallenge   44         61          < 2x
connect        39         71          < 2x  (minimal connect message)

The ioquake3 patch rate-limits getstatus because it has the largest
amplification (and the most scope for more amplification on a more
elaborately-configured server), and rcon (because its first argument is
a password to remote-control the game if that feature is enabled, and we
don't want to make it trivial to brute-force).

I'd be surprised to get a factor of 250: a minimal getstatus command
seems to be 41 bytes including IP headers, so 2000 bytes of input would
get you about 49 commands, which means each response would have to be
10204 bytes, nearly 10K, to provide that much output...

One of the ioquake3 developers noted in January that getinfo should have
rate-limiting too, but it's a considerably smaller amplification -
getinfo returns a small number of whitelisted variables, whereas
getstatus returns a set of variables that the server admin can
configure, AIUI - so nothing has been done about this by ioquake3
upstream yet.

Regards,
    S
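
The rate limit described in the message above (a burst of 10, then 1 getstatus per second per address and 10 per second across all addresses), written out as an added example; it is not the ioquake3 r1762 code and not code posted in this thread. The bucket names, the table size, the fail-closed handling of a full table and the replayed flood are assumptions made for illustration; the 802-byte reply size is the figure measured above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ADDR_BURST       10    /* initial burst per source address (from the thread) */
#define ADDR_PERIOD_MS   1000  /* then 1 getstatus per second per address */
#define GLOBAL_BURST     10    /* assumed burst for the all-addresses bucket */
#define GLOBAL_PERIOD_MS 100   /* 10 per second across all addresses */
#define MAX_BUCKETS      64    /* assumed size of the per-address table */
#define GETSTATUS_OUT    802   /* reply size measured in the thread, in bytes */

typedef struct {
    uint32_t addr;    /* IPv4 source address; 0 marks an unused slot */
    int      level;   /* requests currently held in the bucket */
    int64_t  last_ms; /* time up to which the bucket has been drained */
} bucket_t;
static bucket_t per_addr[MAX_BUCKETS], all_addrs;

/* Leaky bucket: drain one request per period, then try to add this one.
 * Returns 1 if the request is over the limit and must be dropped. */
static int bucket_limited(bucket_t *b, int burst, int period_ms, int64_t now_ms)
{
    int64_t elapsed = now_ms - b->last_ms;
    int64_t drained = elapsed / period_ms;
    if (elapsed < 0 || drained > b->level) {        /* clock jump or long idle */
        b->level = 0;
        b->last_ms = now_ms;
    } else {
        b->level -= (int)drained;
        b->last_ms = now_ms - elapsed % period_ms;  /* keep the partial period */
    }
    if (b->level >= burst) return 1;
    b->level++;
    return 0;
}

/* Find or allocate the bucket for a non-zero source; NULL when the table is full. */
static bucket_t *bucket_for(uint32_t addr, int64_t now_ms)
{
    bucket_t *spare = NULL;
    for (int i = 0; i < MAX_BUCKETS; i++) {
        bucket_t *b = &per_addr[i];
        if (b->addr == addr) return b;
        if (!spare && (b->addr == 0 ||
                       now_ms - b->last_ms > (int64_t)b->level * ADDR_PERIOD_MS))
            spare = b;   /* unused, or idle long enough to have emptied */
    }
    if (spare) *spare = (bucket_t){ addr, 0, now_ms };
    return spare;
}

/* Decision for one getstatus packet. A full table fails closed, so a flood
 * with many spoofed sources cannot earn unlimited replies. */
int getstatus_allowed(uint32_t src, int64_t now_ms)
{
    bucket_t *b = bucket_for(src, now_ms);
    if (b == NULL || bucket_limited(b, ADDR_BURST, ADDR_PERIOD_MS, now_ms))
        return 0;
    return !bucket_limited(&all_addrs, GLOBAL_BURST, GLOBAL_PERIOD_MS, now_ms);
}

/* Replay a constructed flood of `pps` packets/s for `seconds`, the claimed
 * source rotating over `n_sources` addresses; returns reply bytes sent. */
long reply_bytes(int pps, int seconds, int n_sources, int limiter_on)
{
    long out = 0;
    memset(per_addr, 0, sizeof per_addr);
    memset(&all_addrs, 0, sizeof all_addrs);
    for (long i = 0; i < (long)pps * seconds; i++) {
        int64_t now_ms = (int64_t)i * 1000 / pps;
        uint32_t src = 0xC0000201u + (uint32_t)(i % n_sources); /* 192.0.2.1 up, TEST-NET-1 */
        if (!limiter_on || getstatus_allowed(src, now_ms))
            out += GETSTATUS_OUT;
    }
    return out;
}

int main(void)
{
    printf("no limiter, 1 source: %ld bytes\n", reply_bytes(1000, 10, 1, 0));
    printf("limiter, 1 source   : %ld bytes\n", reply_bytes(1000, 10, 1, 1));
    printf("limiter, 50 sources : %ld bytes\n", reply_bytes(1000, 10, 50, 1));
    return 0;
}
```

With a single claimed source the steady state is one 802-byte reply per second, in line with the "about 1 KB/sec outbound" estimate above; the all-addresses bucket is what bounds the output when the claimed source rotates.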




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#665656; Package openarena-server. (Mon, 26 Mar 2012 04:51:02 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@gambaru.de>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>. (Mon, 26 Mar 2012 04:51:02 GMT) (full text, mbox, link).


Message #27 received at 665656@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@gambaru.de>
To: Simon McVittie <smcv@debian.org>
Cc: Florian Weimer <fw@deneb.enyo.de>, Markus Koschany <apo@gambaru.de>, 665656@bugs.debian.org, security@debian.org
Subject: Re: Bug#665656: openarena-server: is vulnerable for getstatus DRDoS attack
Date: Mon, 26 Mar 2012 06:15:35 +0200
On 26.03.2012 00:51, Simon McVittie wrote:
> Markus, if you install devscripts and debian-keyring, you should be able
> to download the packages from Alioth with dget, and verify the
> signatures on them by running dscverify on the .changes file (they're
> signed with my GPG key, which is in the Debian keyring).

Hi Simon,

thank you for your quick response and your detailed report. Both are
much appreciated. I have downloaded the amd64 package with dget and have
compared the actual openarena server in squeeze with the patched version
by monitoring the network traffic with iftop.

Although my dedicated openarena server with 4 bots has been offline for
more than 24h, the attacks resumed immediately. Once again the traffic
was directed towards web servers. This time I saw nearly 2MB/s outgoing
traffic to one target.

After I had installed your patched version the traffic dropped to 8kb/s.
In my opinion the patch is a vast improvement and mitigates the attack
efficiently. But I can't explain why there is such a difference between
your numbers and my observation though.

However I would be happy if you could upload the patched version to the
official repositories.

Regards
Markus





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#665656; Package openarena-server. (Mon, 26 Mar 2012 05:39:03 GMT) (full text, mbox, link).


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>. (Mon, 26 Mar 2012 05:39:03 GMT) (full text, mbox, link).


Message #32 received at 665656@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>
To: Simon McVittie <smcv@debian.org>
Cc: Markus Koschany <apo@gambaru.de>, 665656@bugs.debian.org, security@debian.org
Subject: Re: Bug#665656: openarena-server: is vulnerable for getstatus DRDoS attack
Date: Mon, 26 Mar 2012 07:35:36 +0200
* Simon McVittie:

> Some proposed updates using the patch from ioquake3 are in my home
> directory on alioth:
> <http://alioth.debian.org/~smcv/>. Patch for review:
> <http://anonscm.debian.org/gitweb/?p=pkg-games/openarena.git;a=commitdiff;h=caeb284533211bb0f76872279106a49306290168>

Thanks for working on this.

Please set the distribution to squeeze-security, adjust the version
number, build with -sa, and upload to security-master.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#665656; Package openarena-server. (Mon, 26 Mar 2012 10:27:03 GMT) (full text, mbox, link).


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>. (Mon, 26 Mar 2012 10:27:07 GMT) (full text, mbox, link).


Message #37 received at 665656@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>
To: Florian Weimer <fw@deneb.enyo.de>, 665656@bugs.debian.org
Cc: Markus Koschany <apo@gambaru.de>, security@debian.org
Subject: Re: Bug#665656: openarena-server: is vulnerable for getstatus DRDoS attack
Date: Mon, 26 Mar 2012 11:23:07 +0100
On 26/03/12 06:35, Florian Weimer wrote:
> Please set the distribution to squeeze-security, adjust the version
> number, build with -sa, and upload to security-master.

Uploaded, thanks. If you obtain a CVE number for this, please make sure
any advisory prominently mentions ioquake3 r1762 and/or this bug number.

Tremulous (contrib) seems to be vulnerable to the same thing... I'll
open a bug.

Here's some text for a general advisory, and some shorter text suitable
for a DSA:

--------------

It has been discovered that spoofed "getstatus" UDP requests are being
used by attackers[0][1][2][3] to direct status responses from multiple
Quake 3-based servers to a victim, as a traffic amplification mechanism
for a denial of service attack on that victim.

Open-source games derived from the Quake 3 engine are typically based on
ioquake3 [4], a popular fork of that engine. This vulnerability was
fixed in ioquake3 svn revision 1762 (January 2010) [5] by applying a
rate-limit to the getstatus request. Like several other known and fixed
vulnerabilities, it is not fixed in the latest official ioquake3 release
(1.36, April 2009).

If a CVE ID is allocated for this vulnerability, please reference
ioquake3 r1762 prominently in any advisory.

Fixed versions of various open-source games based on Quake III Arena,
mostly based on visual inspection of their source code:

* ioquake3 svn >= r1762
* OpenArena >= 0.8.8
* OpenArena engine snapshot >= 0.8.x-20
* World of Padman >= 1.5.4
* Tremulous svn trunk >= r1953
* Tremulous svn, gpp branch >= r1955
* Smokin' Guns >= 1.1b4
* Smokin' Guns svn 1.1 branch >= r472

Vulnerable older versions include:

* ioquake3 engine 1.36
* OpenArena 0.8.5
* World of Padman 1.5
* Tremulous 1.1.0
* Tremulous Gameplay Preview 1 (GPP1)
* Smokin' Guns svn trunk at the time of writing (r181)

Proprietary games based on the Quake III Arena engine (Quake III Arena
when played using its official engine, Star Wars: Jedi Outcast and Jedi
Academy, Star Trek: Elite Force 1 & 2, etc.) are also likely to be
vulnerable.

Proprietary games being run under the ioquake3 engine (Quake III Arena
when using ioquake3, Urban Terror when using ioUrbanTerror, etc.) may be
vulnerable or not vulnerable, depending on the version of ioquake3 used.

[0] http://lists.ioquake.org/pipermail/ioquake3-ioquake.org/2012-January/004778.html
[1] http://openarena.ws/board/index.php?topic=4391.0
[2] http://www.urbanterror.info/forums/topic/27825-drdos/
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665656
[4] http://ioquake3.org/
[5] http://icculus.org/pipermail/quake3-commits/2010-January/001679.html

-----------

It has been discovered that spoofed "getstatus" UDP requests are used by
attackers to direct status responses from multiple Quake 3-based servers
(such as OpenArena) to a victim, as a traffic amplification mechanism
for a denial of service attack on that victim.

For the stable distribution (squeeze), this problem has been fixed in
version 0.8.5-5+squeeze2.

For the testing and unstable distributions (wheezy/sid), this problem is
fixed in all released versions of the ioquake3 package, which are used
by version 0.8.5-6 or later of the openarena package.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#665656; Package openarena-server. (Mon, 26 Mar 2012 10:30:41 GMT) (full text, mbox, link).


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>. (Mon, 26 Mar 2012 10:30:46 GMT) (full text, mbox, link).


Message #42 received at 665656@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>
To: Florian Weimer <fw@deneb.enyo.de>, 665656@bugs.debian.org
Cc: Markus Koschany <apo@gambaru.de>, security@debian.org
Subject: Re: Bug#665656: openarena-server: is vulnerable for getstatus DRDoS attack
Date: Mon, 26 Mar 2012 11:29:44 +0100
On 26/03/12 11:23, Simon McVittie wrote:
> Here's some text for a general advisory

I've passed this on to Bugtraq to give it more visibility.

    S




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#665656; Package openarena-server. (Mon, 26 Mar 2012 19:51:09 GMT) (full text, mbox, link).


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>. (Mon, 26 Mar 2012 19:51:10 GMT) (full text, mbox, link).


Message #47 received at 665656@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>
To: Simon McVittie <smcv@debian.org>, 665656@bugs.debian.org, security@debian.org, 665842@bugs.debian.org
Subject: Re: Bug#665656: openarena-server: is vulnerable for getstatus DRDoS attack
Date: Mon, 26 Mar 2012 20:48:05 +0100
retitle 665656 openarena-server: [CVE-2010-5077] traffic amplification
via getstatus requests
retitle 665842 tremulous: [CVE-2010-5077] traffic amplification via
getstatus requests
thanks

On 26/03/12 11:23, Simon McVittie wrote:
> It has been discovered that spoofed "getstatus" UDP requests are being
> used by attackers[0][1][2][3] to direct status responses from multiple
> Quake 3-based servers to a victim, as a traffic amplification mechanism
> for a denial of service attack on that victim.
> 
> Open-source games derived from the Quake 3 engine are typically based on
> ioquake3 [4], a popular fork of that engine. This vulnerability was
> fixed in ioquake3 svn revision 1762 (January 2010) [5] by applying a
> rate-limit to the getstatus request. Like several other known and fixed
> vulnerabilities, it is not fixed in the latest official ioquake3 release
> (1.36, April 2009).
> 
> If a CVE ID is allocated for this vulnerability, please reference
> ioquake3 r1762 prominently in any advisory.

CVE-2010-5077 has now been allocated for this.





Changed Bug title to 'openarena-server: [CVE-2010-5077] traffic amplification' from 'openarena-server: is vulnerable for getstatus DRDoS attack' Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Mon, 26 Mar 2012 19:51:24 GMT) (full text, mbox, link).


Changed Bug title to 'openarena-server: [CVE-2010-5077] traffic amplification via getstatus requests' from 'openarena-server: [CVE-2010-5077] traffic amplification' Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Mon, 26 Mar 2012 19:57:06 GMT) (full text, mbox, link).


Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Tue, 27 Mar 2012 19:33:05 GMT) (full text, mbox, link).


Notification sent to Markus Koschany <apo@gambaru.de>:
Bug acknowledged by developer. (Tue, 27 Mar 2012 19:33:05 GMT) (full text, mbox, link).


Message #56 received at 665656-close@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>
To: 665656-close@bugs.debian.org
Subject: Bug#665656: fixed in openarena 0.8.5-5+squeeze2
Date: Tue, 27 Mar 2012 19:32:10 +0000
Source: openarena
Source-Version: 0.8.5-5+squeeze2

We believe that the bug you reported is fixed in the latest version of
openarena, which is due to be installed in the Debian FTP archive:

openarena-server_0.8.5-5+squeeze2_i386.deb
  to main/o/openarena/openarena-server_0.8.5-5+squeeze2_i386.deb
openarena_0.8.5-5+squeeze2.debian.tar.gz
  to main/o/openarena/openarena_0.8.5-5+squeeze2.debian.tar.gz
openarena_0.8.5-5+squeeze2.dsc
  to main/o/openarena/openarena_0.8.5-5+squeeze2.dsc
openarena_0.8.5-5+squeeze2_i386.deb
  to main/o/openarena/openarena_0.8.5-5+squeeze2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 665656@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated openarena package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 25 Mar 2012 19:34:53 +0100
Source: openarena
Binary: openarena openarena-server
Architecture: source i386
Version: 0.8.5-5+squeeze2
Distribution: stable-security
Urgency: low
Maintainer: Debian Games Team <pkg-games-devel@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description: 
 openarena  - fast-paced 3D first-person shooter
 openarena-server - server and game logic for the game OpenArena
Closes: 665656
Changes: 
 openarena (0.8.5-5+squeeze2) stable-security; urgency=low
 .
   * Apply ioquake3 r1762 to rate-limit getstatus and rcon connectionless
     packets, to avoid their use for traffic amplification. (Closes: #665656)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 13 May 2012 07:44:26 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:51:39 2019; Machine Name: beach
