Valve closes ten-year-old vulnerability in Steam
Steam turned out to contain a vulnerability that had been present in all of its client software for at least ten years. Until July last year, the vulnerability was relatively easy to exploit and allowed remote code execution.
According to Tom Court of security company Contextis, the root of the problem lay in Valve’s Steam protocol: it did not check the length of the first packet of a fragmented datagram. That opened the door to a buffer overflow in the Steam client library that reassembles fragmented datagrams from received UDP packets.
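As an added illustration (not Valve’s code, and not the real Steam packet layout), the kind of bounds check on a first fragment’s announced length that closes this class of overflow; the fragment header, buffer size and return codes here are constructed for the example:

```c
/* Constructed example: a minimal datagram reassembler that validates the
 * first fragment's announced total length before any copy takes place.
 * The header layout and buffer size are hypothetical, not Steam's. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_DATAGRAM 1024   /* fixed reassembly buffer (constructed size) */

/* Hypothetical fragment header: total size of the full datagram, then the
 * offset and length of this fragment's payload within it. */
struct frag_hdr {
    uint32_t total_len;
    uint32_t offset;
    uint32_t len;
};

struct reasm {
    uint8_t  buf[MAX_DATAGRAM];
    uint32_t total_len;     /* 0 until a valid first fragment arrives */
};

/* Returns 0 on success, -1 if the fragment is rejected. A reassembler that
 * trusted total_len/offset/len and copied straight into buf would overflow
 * on an oversized first fragment, which is the bug class described above. */
int reasm_add(struct reasm *r, const struct frag_hdr *h,
              const uint8_t *payload, size_t payload_len)
{
    if (h->offset == 0) {
        /* First fragment announces the total size: bound it before use. */
        if (h->total_len == 0 || h->total_len > MAX_DATAGRAM)
            return -1;
        r->total_len = h->total_len;
    } else if (r->total_len == 0) {
        return -1;          /* later fragment arrived before the first */
    }
    /* The fragment must match its payload and fit inside the announced
     * total; subtraction avoids 32-bit wrap-around on offset + len. */
    if (h->len != payload_len || h->len > r->total_len ||
        h->offset > r->total_len - h->len)
        return -1;
    memcpy(r->buf + h->offset, payload, h->len);
    return 0;
}
```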
In July last year, Valve added address space layout randomization protection to the client. Since then, the vulnerability can no longer be exploited trivially; exploitation attempts instead lead to crashes. However, the vulnerability has existed since at least 2008, Contextis claims, and it could still be abused after July 2017 by an attacker with additional information about where the Steam application sits in memory.
The company notified Valve of the finding on February 20 of this year, and within 12 hours Valve had fixed the issue in the beta client. The fix reached the stable client on March 22. “It was a simple bug that was relatively easy to exploit due to the lack of modern security,” Court wrote.