Game over? Vulnerabilities on Valve’s Steam put hundreds of thousands gamers at risk

Highlights:

• CP<R> found four major vulnerabilities in the popular Valve games networking library. All vulnerabilities were acknowledged and received CVE’s.
• If exploited, an attacker could take over hundreds of thousands of computers without needing gamers to click on a malicious email or link. Unlike other vulnerabilities, victims are unknowingly affected by simply logging onto the game.
• Additional actions attackers could carry out:
  • Remotely take over a 3^rd party game server to execute arbitrary code
  • Remotely crash the opponent’s game client
  • Crash the Valve game server, making it impossible for anyone to play
  • Steal credentials and private information
• As of September 2020, Steam reached a record peak of over 21 million concurrent users and over 95 million active monthly users

The video game industry grows every year, hitting new benchmarks as it reaches more people. The Game Generation, created by the Entertainment Software Association, claims that “a third of the world plays video games regularly.” In today’s reality, video games present a fun escape into galaxies of fantasy, sports and action, providing children and adults with hours and even days of virtual adventures.

As a result of the circumstances brought on by the COVID-19 outbreak, people are spending more time in their homes. With the world distancing physically and socially, its unsurprising that gaming usage has increased by 75 percent.

While examining global trends, it is clear that gaming has become a popular pastime:

• In 2019, 5 billion people around the world played video games.
• The global number of video game users is expected to grow to 2.7 billion in 2020
• The entire video gaming market is expected to be worth over USD200 billion by 2023.

Hackers seek their share of play

Gaming platforms are affected by security vulnerabilities in more ways than one. Gaming platforms have many sensitive areas to exploit and manipulate – either the users themselves or the platform could become potential victims.  There are implications for both of these scenarios.

Previously, we reported on a chain of vulnerabilities in EA Games that could have exploited millions of player accounts within the world’s second largest gaming company. The potential damage could have involved an attacker gaining access to a user’s credit card information and possessing the ability to fraudulently purchase in-game currency on behalf of the user. In addition, CPR discovered security vulnerabilities in the popular Epic Game Fortnite, which is played by nearly 80 million people worldwide.

With a meteoric rise in exposure, it is no surprise that popular gaming has attracted the attention of threat actors. Through this research, we examined a major networking library that underlies a sizable chunk of online gaming – Valve’s Game Networking Sockets (GNS).  Valve’s GNS, also known as “Steam Sockets”, is the core networking library used in a wide variety of games — including Valve’s own titles (CS:GO, Dota2, Team Fortress 2, and more) and several third-party titles (Bungie’s Destiny 2).

Hundreds of thousands of gamers at peril

Throughout our research, we found several vulnerabilities in the implementation of the GNS library. The library supports communication in peer-to-peer (P2P) mode – a web framework for real-time communication – and in centralized client server mode. The communication factor is key as it potentially allows an attacker to take control of a computer that is connected to a 3^rd party game server. If exploited, these vulnerabilities could enable a variety of possible attacks that would cause severe implications. For example, an attacker could remotely crash an opponent’s game client to force a win or even perform a “nuclear rage quit” and crash the Valve game server completely.

Potentially the most damaging is the fact that when users are playing a game created by 3rd-party developers, attackers can remotely take over the game’s server to execute arbitrary code. This would enable an attacker to take control of the gamer’s computer and steal his or her credentials, and obtain private information. in other words, they can take over the computer.

According to statistics from Steam, this vulnerability may have affected hundreds of thousands players daily. The Steam platform is the largest digital distribution platform for PC gaming. In 2019, the service had over 34,000 games with over 95 million monthly active users.

Unlike previous attacks where the user needs to press a link or download a file to execute malware, in this scenario, the victims are unknowingly affected. All they have to do is simply log into the game.

Conclusion

Check Point researchers notified “Valve” about the four different vulnerabilities discovered in this research (CVE-2020-6016 through CVE-2020-6019). Valve’s team fully patched the vulnerabilities quickly with great cooperation and full visibility.

We encourage all gamers using 3rd party games (non-Valve games) to check that their game clients received an update. Pay special attention to any game downloaded before September 4th 2020, as this is the date that the library was patched by Valve.

For technical details of the research, please visit: research.checkpoint.com