A security research group known as the Secret Club claims that Valve’s Source engine games are affected by a remote code execution (RCE) vulnerability.
One researcher says that Valve engineers were informed about this issue about two years ago, but the bug remains unpatched and can be exploited in the newest version of Counter-Strike: Global Offensive (CS:GO). Other games that use the Source engine include Half-Life, Half-Life 2, Garry’s Mod, Team Fortress, Left 4 Dead, and Portal.
Secret Club members are upset that they are not able to publish the technical details of the vulnerability, as it still affects some of the company’s games. Although the 90 days usually given in such cases to fix the error expired long ago, the experts adhere to strict ethical principles and do not share the details of the problem, because disclosing the information would put millions of users at risk.
A reverse engineering student known as Florian told reporters that he had notified Valve of the issue through HackerOne two years ago. The engine vulnerability is related to memory corruption and is present in many Valve games.
Florian last heard from Valve about six months ago, when the company paid him a fee and said that it was working on a bug fix and had already solved it in one particular game on the Source engine (the name of the game was not disclosed).
The situation is aggravated by the fact that the problem affects CS:GO, whose latest update was released on March 31 of this year. The game attracts about 27 million unique players every month, and the vulnerability can be used to run arbitrary code on the user’s machine. As of April 10, 2021, CS:GO was still vulnerable.
A demonstration video shows how an attacker can exploit the bug and execute code on a target computer by simply inviting the victim to a Steam game.
Florian confirms that the defect was indeed fixed in one of the games, but he also does not reveal the name of this game.
Carl Schou, one of the key members of the Secret Club, told Bleeping Computer that an attacker could use the vulnerability to steal sensitive information from a victim, including credentials or bank information.
The Secret Club has already posted several videos from several researchers demonstrating the exploitation of RCE in CS:GO. For example, one video shows the exploitation of a vulnerability while connecting to a malicious community server.
Valve has not yet commented on the statements of specialists and the situation with patches.