18th April 2021, Kathmandu
Stress is rising on video games writer Valve after two units of safety researchers got here ahead with complaints that it has been sluggish at resolving safety flaws in its widespread Steam platform.
A seemingly important Steam supply engine vulnerability found by ‘Florian’, a member of reverse engineering group Secret Club, and the relationship from 2019 is alleged to stay unresolved – a lot to the consternation of the person concerned and his safety analysis colleagues.
Florian reported the flaw to Valve by means of a bug bounty program run by HackerOne, however regardless of a number of makes an attempt to chase the difficulty no motion has been taken, despite the fact that the safety flaw was “verified/triaged after a few months”, in keeping with the bug hunter.
Secret Membership aired its frustration in a Twitter update over the weekend: “Two years in the past, Secret Membership member @floesen_ reported a distant code execution (RCE) flaw affecting all supply engine video games.
“It can be triggered through a Steam invite,” the group added. “This has yet to be patched, and Valve is preventing us from publicly disclosing it.”
A tracker for the issue – CVE-2021-30481 – was been added to NIST’s National Vulnerability database on Monday (April 12).
“Valve Steam through 2021-04-10, when a Source engine game is installed, allows remote authenticated users to execute arbitrary code because of a buffer overflow that occurs for a Steam invite after one click,” the entry states. Launched in 2003, Steam is the world’s most popular video game distribution service, taking up to 75% of the global market share and attracting around 20 million gamers each day.
Chris Boyd, a security researcher with Malwarebytes and keen gamer who has spent years researching the security of various gaming platforms, had no direct knowledge of the vulnerabilities in play but did say he’s been able to get Valve/Steam to fix directly reported flaws in the past.
“I’ve reported several issues to Steam down the years and they were addressed very quickly, such as a method used by phishers to bypass Steam Guard protection,” Boyd told The Daily Swig.
“However, these were not reported via bug bounty programs and were likely not as complex to resolve as the current issues.”
“With so many titles using the source engine, it may take a while longer yet to test and address without potentially breaking essential functionality in some games,” he added.
