Valve was unable to fix an RCE vulnerability in the Source engine for a long time

Valve RCE vulnerability

A security research group known as the Secret Club claims that Valve’s Source engine games are vulnerable to an RCE vulnerability.

One researcher says that Valve engineers were informed about this issue about two years ago, but the bug is still pending and can be exploited in the newest version of Counter Strike: Global Offensive (CS: GO). Other games that use the Source engine include Half-Life, Half-Life 2, Garry’s Mod, Team Fortress, Left 4 Dead, and the Portal.

Secret Club members are upset that they are not able to publish the technical details of the vulnerability, as it still affects some of the company’s games. Although the 90 days given in such cases to fix the error have gone long ago, experts adhere to strict ethical principles and do not share the details of the problem, because the disclosure of information would put millions of users at risk.

A reverse engineering student known as Florian told reporters that he had notified Valve of the issue through HackerOne two years ago. The engine vulnerability is related to memory corruption and is present in many Valve games.

The exception is games built on Source 2, like Titanfall.Florian said.

Florian last received responses from Valve about six months ago, when the company paid him a fee and said that it was working on a bug fix and had already solved it in one particular game on the Source engine (name of the game is not disclosed).

The situation is aggravated by the fact that the problem affects CS: GO, the last update of which was released on March 31 of this year. The fact is that the game attracts about 27 million unique players every month, and the vulnerability can be used to run arbitrary code on the user’s machine. And as of April 10, 2021, CS: GO was still vulnerable.

The video below demonstrates how an attacker can exploit a bug and execute code on a target computer by simply inviting the victim to a Steam game.

Florian confirms that the defect was indeed fixed in one of the games, but he also does not reveal the name of this game:

We deliberately left this out because we don’t want people to look for the patch in the game binaries, which would make it much easier to create an exploit for all other unpatched games.

Carl Schou, one of the key members of the Secret Club, told Bleeping Computer that an attacker could use a vulnerability to steal sensitive information from a victim, including credentials or bank information.

The Secret Club has already posted several videos from several researchers demonstrating the exploitation of RCE in CS: GO. For example, the video below shows the exploitation of a vulnerability while connecting to a malicious community server.

Valve has not yet commented on the statements of specialists and the situation with patches.

You might also be interested in the fact that Tencent and Chinese police conducted a joint operation against game cheat developers.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

View all of Vladimir Krasnogolovy's posts.

Leave a comment

Your email address will not be published. Required fields are marked *