Originally published at: http://grangerhub.org/blog/tremulous-v1-3-0-alpha-0-4-includes-an-important-vulnerability-fix/
Following an update today from the ioquake3 upstream [1]; a remote code execution vulnerability has been patched in Tremulous and the fix is included in GrangerHub’s latest Tremulous release v1.3.0-alpha.0.4. This vulnerability is known to exist in all prior versions of Tremulous as well as in TremFusion, and likely in all other old modded Tremulous clients. It is also known to exist in all prior versions of ioquake3. GrangerHub’s latest Tremulous release can be downloaded from our Tremulous release page: https://github.com/GrangerHub/tremulous/releases .
References: [1] https://ioquake3.org/2017/03/13/important-security-update-please-update-ioquake3-immediately/
This topic is now a banner. It will appear at the top of every page until it is dismissed by the user.
What is the vulnerability?
Why is this fix so important?
Even the quake 3 article gives little information on the update. “that prevents malicious actions from multiplayer servers” Base nading? Desala? Dconing? Hacking? Hijacking?
It could be any of these, or worse?
Or it could be nothing but pompous posturing.
Client Side RCE via malicious pk3’s
Is this for players or just the server machine?
If it can affect players, wouldn’t the majority be protected by anti malware software, firewalls, and NXbit hardware? (This is mostly only a concern for outdated like fuck machines and operating systems)?
This vulnerability is in the clients, it makes it possible for a malicious game server to distribute a malicious pk3 that would cause the client that loads it to run malicious code, this is a risk (to some extent) regardless of which operating system and any anti-malware software you might have.
As of now I am not aware of any instances of such pk3s occurring in Trem that exploits this vulnerability, but the point is that such malicious pk3s can be created, and all publicly available clients without this fix are at risk. The risk is greater now for older clients since ioquake3 publicly announced the existence of this vulnerability (with their release of their fix).
Well, now that we’ve broadcasted this vulnerability to every hacker in the trem community, I guess we’ve got no choice but to switch to 1.3, right?
NTY. Setting cl_allowdownload 0 for gpub, test server, and derbunker right about now.
:L
from an average player’s perspective, in practice, it is not important at all. because ppl have been using critically vulnerable clients for many years, and relied on servers not trying to fuck up the computers of clients — not a single case of abuse is known to the public. for example, everyone trusts, that the currently populated server, Der Bunker, is not going to exploit this or any of the other infinite amount of vulnerabilities.
from a security enthusiast’s point of view, this fix important because it prevents yet another known way that servers can fuck up the computers of clients.